The NCSC wants to strengthen the Cyber Essentials standards and announced three major changes to the standard last year:
- Any thin clients included in the scope of certification must be supported and receiving security updates
- All unsupported software is either removed or segregated from the scope via a sub-set
- All user accounts on cloud services are protected by multi-factor authentication (MFA)
The above had a grace period until December 31st 2022; however, this has now been extended to April 2023. Other changes are also due to arrive in April, namely:
- Clarification on firmware – Only the router and firewall will now be included in the firmware requirement.
- Third-party devices – Further information and a new table clarifying how third-party devices, such as contractor or student devices, should be treated in applications.
- Device unlocking – A change in this section to mitigate issues around some default settings in devices being unconfigurable. Where that is the case, it is acceptable for applicants to use those default settings. (No, iPhone users, this does not include you!)
- Malware protection – Anti-malware software will no longer need to be signature-based, and clarification has been added around which mechanism is suitable for different types of devices. Sandboxing is being removed as an option. This has been a long-standing issue and the workaround is currently a bit of a fudge.
- Guidance on zero trust architecture in the context of achieving Cyber Essentials and a note on the importance of asset management.
Feel free to read our page on Cyber Essentials to find out more information and how it can benefit your business.
Additionally, if you would like any assistance with completing Cyber Essentials for your business then please feel free to get in touch and we would be happy to help.