Cyber Essentials – Changes in April 2023
In April 2023, the UK government’s Cyber Essentials program will update its technical requirements to help small businesses protect against common cyber threats. The update is part of a regular review of the scheme’s technical controls and follows a major update last year. The 2023 update will be a lighter touch, providing a number of clarifications, alongside some important new guidance.
The list of changes includes:
- User devices: With the exception of network devices, all user devices declared within the scope of the certification only require the make and operating system to be listed. The requirement for listing the model of the device has been removed. This change will be reflected in the self-assessment question set, rather than the requirements document.
- Clarification on firmware: Router and firewall firmware are the only firmware that must be kept up to date and supported. This information has been clarified following feedback that it can be difficult to find.
- Third-party devices: More information and a new table clarify how third-party devices, such as contractor or student devices, should be treated in your application.
- Device unlocking: A change has been made here to mitigate some issues around default settings in devices being unconfigurable. Where that is the case, it is now acceptable for applicants to use those default settings.
- Malware protection: Anti-malware software will no longer need to be signature-based, and sandboxing is removed as an option. The requirements have also been clarified to indicate which mechanism is suitable for different types of devices.
- New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.
- Style and language: Several language and format changes have been made to make the document easier to read.
- Structure updated: The technical controls have been reordered to align with the updated self-assessment question set.
- CE+ testing: The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.
These changes are based on feedback from assessors and applicants and have been made in consultation with technical experts from the National Cyber Security Centre (NCSC). Small businesses should note that the new requirements will take effect from 24 April 2023, and all applications started on or after this date will use the new requirements and question set. The Cyber Essentials delivery partner, IASME, will provide additional guidance and resources to help small businesses during the certification process.
How do small businesses tackle and maintain Cyber Essentials?
To help our customers achieve and maintain Cyber Essentials or Cyber Essentials Plus, we have combined a collection of solutions.
Our aim is to reduce disruption and costs for our customers, helping them make the required changes and put in tools to enforce any procedures put in place.
To find out more, book a meeting with our Director. Let’s find out about your business and discuss how we can help get your business certified.