Cyber Essentials 2023 Changes
Cyber Essentials, the UK cyber security certification, is to be updated on 24th April 2023. This will mean new questions, but existing certifications will still be valid within their 1-year period. The new deadline is a possible incentive for businesses thinking of renewing or certifying for the first time to act before the changes come into force. On the other hand, the new criteria should better reflect the current security environment and hopefully (following feedback on the existing question set) be easier to give meaningful answers to. Indeed, organisations with renewals coming up close to the deadline should consider pausing renewal until the new questions are in force.
Cyber Essentials is gained through payment of a fee and correct completion of an on-line questionnaire. The answers are marked by a human adjudicator and, if not initially successful, the examinee will receive written feedback and have a second (and final) chance to answer the questions again. Any organisation that achieved Cyber Essentials in 2022 will be at an advantage because it is almost certain that some of the questions and answers will be exactly the same in 2023. Cyber Essentials is a worthwhile badge of the quality of an organisation’s network and computer security, but it is not as rigorous as the Cyber Essentials Plus award, which is judged by an inspection of cyber security rather than by answering a set of questions correctly (although not necessarily truthfully).
The most important first step in working towards Cyber Essentials is to make sure that the systems in use by an organisation are covered (in scope). If they are not, then the correct answer to some questions will be ‘not applicable’. This might mean that a fee is paid for a qualification that cannot be awarded. Kindus are able to advise on the finer points of Cyber Essentials requirements, but as a very rough rule of thumb, if there is no network sharing of corporate data in place then Cyber Essentials might not apply. An individual or group will almost certainly use the Internet for web-based email and individual cloud storage, but if none of the group shares data with others, almost all the security infrastructure is set by the cloud providers. Where there is local control over who has access to shared data, Cyber Essentials will determine the standards that this control must meet.
IASME have outlined the new requirements and it appears that some criteria will be easier to achieve. For example, only the make and model of router and firewall devices is required, not the individual firmware versions. Where these devices are managed ‘out of house’, discovering the latest firmware version could have been a tricky process. The full requirements for an acceptable infrastructure to meet the new standards have been detailed by the NCSC.
Before starting an assessment it is essential to decide which devices will be inside or outside of scope. There is some flexibility in which parts or locations of a business to include, but some devices or systems are automatically in or out of scope. Cloud services are in scope; Microsoft 365, Dropbox and Gmail are specifically named. Here it is the applicant that is held responsible for ensuring appropriate access controls and secure configurations.
For a good outline of the type of questions that Cyber Essentials will ask there is a self-assessment booklet. At the time of writing this still maps to the 2022 questions, but many of the answers still apply and can be copied directly into the live on-line questionnaire. If these preparatory questions are hard to answer or seem difficult to apply, then the full Cyber Essentials may not apply to the current scope or will be hard to achieve. Kindus can help out and advise here. Some questions are clearly leading and, although it is tempting to input the answer that the examiner probably wants to see, the qualification is pointless unless the examinee has taken steps to ensure that the answers truthfully reflect the security procedures in use. As an example, the questions will ask about the Multi-Factor Authentication procedures in use. This should be seen as a prompt to ensure that appropriate guidelines have been set and enforced.
Success in Cyber Essentials is not guaranteed even at the second attempt, and it is unlikely that a fee will be refunded on failure. It is prudent to examine what might be asked and map that to the existing network security in use before paying any fee. Kindus can advise on how Cyber Essentials might or might not fit in with your computer security before any commitment.