Changes to Cyber Essentials Requirements (April 2021 Update)
The Cyber Essentials scheme has been around for many years; it was launched on 5 June 2014. As business security has been taken more seriously and more supply chains have required the certification, we have seen more and more companies become certified. However, Cyber Essentials is not a static certification: the requirements evolve over time to stay current, and certification must be renewed annually.
The time has now come to update the scheme again. From 26 April 2021 the requirements for achieving Cyber Essentials will change slightly. Please note, however, that anyone who starts the Cyber Essentials self-assessment before 26 April can continue with the old question set.
When you look at the new questions you will notice several changes, which should make it easier to complete the assessment and to understand what is being asked of you. The changes also introduce new definitions, described below, which help determine whether devices such as BYOD are included in the scope of your assessment.
- Corporate VPN – A Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
- Organisational Data – Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.
- Organisational Services – Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.
Bring Your Own Device (BYOD)
The next change is an update to the BYOD requirement which, together with the definitions above, helps to explain what is in and out of scope.
The new requirement that defines whether BYOD devices are in or out of scope reads as follows: “Mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage).”
Cyber Essentials requires you to have a firewall in place that separates you from the Internet. Depending on how you work, this used to cause some confusion. The question has been changed as follows: “Where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device.”
In other words, if the business does not control the border firewall, for example because you work in a managed office, at home or in a coffee shop, then a firewall must be configured on the device itself. Before this change this was unclear, and it was assumed that you managed and controlled the firewall at the border.
Security update management
The next change is a rename: what used to be called “Patch Management” is now called “Security Update Management”. As part of this change, automatic updates are expected to be enabled on all software and devices where possible.
This category now concentrates on installing the security update packages that vendors release rather than on individual patches, which helps to ensure that systems are kept fully up to date.
It is now recommended that all updates are applied within 14 days of release. For security updates rated critical or high risk, and for updates that carry no severity rating at all, this is mandatory: any such update not installed within 14 days of release will incur a Major Non-Compliance for the relevant question.
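The 14-day rule has one detail that is easy to get wrong: an update with no severity rating counts the same as a critical or high one, while low or medium rated updates are recommended but do not trigger a Major Non-Compliance. The script below is an added example (not part of the original article or of the Cyber Essentials question set) that applies that rule to a constructed list of update records; the product names, update identifiers and dates are made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials (April 2021 question set): security updates rated critical or
# high, and updates with no published severity rating, must be installed within
# 14 days of release. Missing that window is a Major Non-Compliance.
DEADLINE_DAYS = 14
MANDATORY_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Update:
    product: str
    identifier: str          # vendor update id (constructed for this example)
    released: date
    severity: Optional[str]  # None when the vendor published no rating
    installed: bool


def is_mandatory(update: Update) -> bool:
    """Critical/high updates and unrated updates fall under the 14-day rule."""
    if update.severity is None:
        return True
    return update.severity.lower() in MANDATORY_SEVERITIES


def days_overdue(update: Update, today: date) -> int:
    """Days past the 14-day deadline; zero or negative means still in window."""
    deadline = update.released + timedelta(days=DEADLINE_DAYS)
    return (today - deadline).days


def find_non_compliant(updates: List[Update], today: date) -> List[Update]:
    """Mandatory updates that are not installed and are past their deadline."""
    return [
        u for u in updates
        if is_mandatory(u) and not u.installed and days_overdue(u, today) > 0
    ]


# Constructed sample data: an assessment date and five update records.
TODAY = date(2021, 5, 31)
SAMPLE_UPDATES = [
    # critical, 30 days old, missing -> overdue by 16 days
    Update("ExampleOS", "A", date(2021, 5, 1), "critical", False),
    # high, 11 days old, missing -> still inside the 14-day window
    Update("ExampleOS", "B", date(2021, 5, 20), "high", False),
    # no rating, 41 days old, missing -> unrated counts as mandatory
    Update("ExampleBrowser", "C", date(2021, 4, 20), None, False),
    # low, 60 days old, missing -> recommended, not a Major Non-Compliance
    Update("ExampleEditor", "D", date(2021, 4, 1), "low", False),
    # critical but already installed -> compliant
    Update("ExampleOS", "E", date(2021, 4, 1), "critical", True),
]


def non_compliant_ids(updates: List[Update] = SAMPLE_UPDATES,
                      today: date = TODAY) -> List[str]:
    return [u.identifier for u in find_non_compliant(updates, today)]


if __name__ == "__main__":
    for u in find_non_compliant(SAMPLE_UPDATES, TODAY):
        rating = u.severity or "unrated"
        print(f"MAJOR NON-COMPLIANCE: {u.product} {u.identifier} "
              f"({rating}) is {days_overdue(u, TODAY)} days past deadline")
```

Running it on the sample data flags updates A and C only: B is still within its 14-day window, D is low risk and therefore not mandatory, and E is already installed. In a real assessment the records would come from your patch management or MDM reporting rather than a hard-coded list.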
User Access Control
This section has been expanded to include third-party accounts that have access to the company's data and services. For example, if a managed IT company looks after your systems, its accounts are now in scope of the assessment.
The applicant must ensure that appropriate controls and policies are in place so that the third party uses dedicated, unique accounts for each customer. If the third party is breached and credentials are compromised, the same credentials cannot then be used against all of its customers, which limits the impact.
The applicant should also ensure that sufficient controls are in place so that, if the third party leaves itself logged into the company's services, the session eventually times out or requires re-authentication.
Where possible, two-factor authentication should also be enabled on all business systems to protect them further.
If you would like to get the questions for Cyber Essentials you can download the latest question set from the IASME website at: https://iasme.co.uk/cyber-essentials/free-download-of-cyber-essentials-self-assessment-questions/