Cyber Essentials certification - a guide to the 2022 changes

Cyber Essentials and Cyber Essentials Plus have changed. New requirements on infrastructure and amendments to technical controls announced by the National Cyber Security Centre (NCSC) came into force on January 24, 2022. 

Cyber Essentials 2022 Update

In the most significant change to the question set since the launch of Cyber Essentials in 2004, the new question set, called Evendine, revises the scope requirements and the controls that must be applied to the devices within that scope.

The changes are intended to modernise the scheme, taking into account key technology trends and infrastructure changes that have become commonplace. This means that home working and Bring Your Own Device (BYOD) are now included in the scheme.

The changes relate to:

  • Cloud-based services such as Software as a Service (SaaS)

  • Passwords and two-factor authentication

  • Device declaration and BYOD

  • Thin clients

  • Homeworkers

  • Routers and Firewalls

Changes to Cloud Services

The Evendine update significantly changes what has to be included in the scope, the most noticeable change being the inclusion of all cloud services: from the introduction of Evendine, all cloud services used by the organisation must be in the scope of Cyber Essentials.

  • Infrastructure as a Service (IaaS) – already in scope with Cyber Essentials and covers on-demand IT services such as storage and computing.

  • Software as a Service (SaaS) – previously regarded as out of scope and includes on-demand software services such as cloud-hosted business apps.

  • Platform as a Service (PaaS) – previously a grey area that generally needed careful consideration as to whether the service should be in scope; it covers cloud development and deployment platforms such as database management.

It is now not possible to certify either just the cloud elements of the business or servers only. The NCSC and IASME have clarified that end-user devices must be in scope as well.

The 2022 update means that:

  • It is not acceptable to descope all end-user devices.

  • It is not possible to descope cloud services used by your organisation.

  • All devices/software/firmware in scope (including BYOD) must be supported, and all controls applied.

Read the new Cyber Essentials: Requirements for IT Infrastructure v3 document for further information.

Changes to Password Requirements

There are also changes to the requirements for user passwords and use of 2-factor authentication (2FA).

From January 24th, all admin users for cloud services must have multi-factor authentication enabled, with this requirement applying to all standard user accounts when you recertify in 2023.

In the meantime, standard user accounts will need:

  • 12 character passwords, or

  • 8 character passwords when there is a control in place to ensure the passwords are complex (for example, contain special characters)

Declaring Devices and BYOD

The number of servers and end-user devices you have must be declared; the change here is that the make, model and operating system of each device must now also be declared. A common reason for assessments being sent back is that both the edition and the version number of the operating system are required. This applies not only to devices in your office, but now also to personal devices your employees use to access company data, normally referred to as Bring Your Own Device (BYOD).

All BYOD devices that access business data (this includes emails and cloud services) must be regarded as being in scope and therefore need to be fully declared. They must also have all the controls applied to them in the same way a corporate device would. Indirectly, this includes contractor devices, and this is where it gets a little difficult. Technically, contractor devices should be covered in your supplier agreement, which should state that contractor devices need to have the Cyber Essentials controls applied to them or that the contractors need to be certified under the Cyber Essentials scheme themselves. Your organisation's Cyber Essentials controls apply to the accounts used by contractors to access your organisation's data. Many organisations simplify things by supplying their contractors with company devices. This might not be an option for you. Remember we're here to help: our supported package is designed to give us the opportunity to feed back on any of your answers before your assessment is marked, which means that we can offer help and advice about the best way for your organisation to meet the standard.

Thin Clients

From 2023, all thin clients will need to be in support and receive security updates. 

Home Workers

If you employ home workers and they use the router that was provided by their ISP, this will be seen as being out of scope. If you provide them with a router, configured by your business, then this will be in scope.

Home workers' PCs must have the software firewall active on the device.

Routers & Firewalls

A non-guessable password of at least 8 characters must be in place, together with either 2FA or logins limited to selected users.

Cyber Essentials Plus 2022 Update

There are also some significant changes to the Cyber Essentials Plus testing and auditing process.

  • All critical and high vulnerabilities must be remediated regardless of the likelihood of attack.

  • All administrator accounts must have 2FA enabled, with this requirement being extended to standard users in 2023.

  • Administrators must not work on a day-to-day basis with admin privileges.

  • For macOS and Linux devices there must be account separation between the day-to-day user account and the admin account for the machine. User accounts that are members of a "sudo" user group are no longer compliant.
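As an added example (not from the original guide, nor from IASME or the NCSC), the following POSIX shell script shows one way to check the last requirement on a Linux host before an assessor does: it audits membership of the groups that commonly grant sudo rights (sudo, wheel, admin) and flags any member that is not on an allow-list of dedicated administrative accounts. The group-file content, the group names and the ALLOWED_ADMINS list are constructed assumptions; on a real system you would feed it the host's /etc/group and your own list of separate admin accounts.

```shell
#!/bin/sh
# Added example (not from the original guide): audit privileged-group membership
# on a Linux host, as one way to check the Cyber Essentials Plus requirement that
# day-to-day user accounts are not members of a "sudo" (or equivalent) group.
# The sample group file and ALLOWED_ADMINS list below are constructed assumptions.

# Constructed sample of /etc/group content (not taken from a real system).
SAMPLE_GROUP_FILE='root:x:0:
sudo:x:27:alice,alice-admin
wheel:x:10:
admin:x:1001:carol-admin,dave
users:x:100:alice,carol,dave'

# Accounts that are designated, separate administrative accounts (assumed list).
ALLOWED_ADMINS="alice-admin carol-admin"

# privileged_group_members GROUPFILE_CONTENT
#   Print "group:user" for every member of the groups that typically grant
#   sudo rights (sudo, wheel, admin). Groups with no members print nothing.
privileged_group_members() {
    printf '%s\n' "$1" | awk -F: '$1=="sudo" || $1=="wheel" || $1=="admin" {
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) if (members[i] != "") print $1 ":" members[i]
    }'
}

# non_compliant_accounts GROUPFILE_CONTENT
#   Print "user (group)" for each privileged-group member that is not in
#   ALLOWED_ADMINS, i.e. a day-to-day account that holds admin rights.
non_compliant_accounts() {
    privileged_group_members "$1" | while IFS=: read -r group user; do
        allowed=0
        for a in $ALLOWED_ADMINS; do
            if [ "$a" = "$user" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then printf '%s (%s)\n' "$user" "$group"; fi
    done
    return 0
}

# finding_count GROUPFILE_CONTENT
#   Number of non-compliant accounts; 0 means the host passes this check.
finding_count() {
    non_compliant_accounts "$1" | wc -l | tr -d ' '
}

# On a live system you would run: non_compliant_accounts "$(cat /etc/group)"
# Here the check runs against the constructed sample.
non_compliant_accounts "$SAMPLE_GROUP_FILE"
echo "findings: $(finding_count "$SAMPLE_GROUP_FILE")"
```

Against the sample, alice (in sudo) and dave (in admin) are reported because they are everyday accounts holding admin rights, while alice-admin and carol-admin pass as dedicated administrative accounts. On macOS the equivalent check is membership of the local admin group, which this script does not read; the allow-list approach is the same.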

Remember we're here to help and our supported package is designed to give you a to-do list of things you need to do in order to achieve the standard.

If you still have questions or would like to discuss how the changes might affect your organisation, please feel free to get in touch.
