Everything you need to know about the changes in 2023 Cyber Essentials
Key dates
When do the changes come into force? 24th April 2023
When were the changes released? 23rd January 2023
What are the changes?
On 23rd January 2023, the NCSC published an updated set of requirements, version
3.1 for the Cyber Essentials scheme.
These changes, called the ‘Montpellier question set’, come into force on 24th April 2023
and will replace last year’s Evendine question set.
- The definition of ‘software’ has been updated to clarify where firmware is in scope.
- Asset management is now included as a highly recommended core security function.
- A link to the NCSC’s BYOD guidance is now included to help businesses better manage their devices.
- Clarification on including third-party devices – all devices that your organisation owns that are loaned to a third party must now be included.
- The ‘Device unlocking’ section has been updated to reflect that some vendors have restrictions on device configuration. If that’s the case, the recommendation is to use the vendor’s default settings.
- The ‘Malware Protection’ section has been updated. You must make sure that malware protection is active on all devices in scope. All anti-malware software has to:
  - Be updated in line with vendor recommendations
  - Prevent malware from running
  - Prevent the execution of malicious code
  - Prevent connections to malicious websites over the internet
  In addition, only approved applications, restricted by code signing, are allowed to execute on devices. You must:
  - Actively approve such applications before deploying them to devices
  - Maintain a current list of approved applications; users must not be able to install any application that is unsigned or has an invalid signature
- New information has been added about how Cyber Essentials affects businesses using zero trust architecture. In short, this should be affected by the Cyber Essentials controls.
- The illustrative specification document for Cyber Essentials Plus has been updated. The changes to the malware section affect how an auditor carries out a Cyber Essentials Plus assessment, and this will be discussed with customers when they book.
- Several style and language changes have been made and questions reworded to make the process simpler and easier to understand.
- The technical controls have been reordered to align with the self-assessment question set.
What does this mean?
It’s relatively simple. Any Cyber Essentials assessment that begins before 24th April 2023 will continue to
use the current requirements. Meanwhile, any assessment that begins after 24th April will be assessed using the new Montpellier requirements.
The changes aren’t complicated and shouldn’t impact your ability to achieve certification
or the time it takes to complete it. However, if you do have any questions, please reach
out to your account manager and they’ll be happy to talk you through it.