Cyber Essentials 2023 Changes

Cyber Essentials, the UK cyber security certification, is to be updated on 24th April 2023. This will mean new questions, but existing certifications will remain valid for their one-year period. The new deadline is a possible incentive for businesses considering renewal or initial certification to act before the changes come into force. On the other hand, the new criteria should better reflect the current security environment and, following feedback on the existing question set, will hopefully be easier to give meaningful answers to. Organisations with renewals falling close to the deadline should therefore consider pausing renewal until the new questions are in force.

Cyber Essentials is gained by paying a fee and correctly completing an online questionnaire. The answers are marked by a human adjudicator; if the first attempt is unsuccessful, the applicant receives written feedback and has a second (and final) chance to answer the questions. Any organisation that achieved Cyber Essentials in 2022 will be at an advantage, because it is almost certain that some of the questions and answers will be exactly the same in 2023. Cyber Essentials is a worthwhile badge of the quality of an organisation's network and computer security, but it is not as rigorous as Cyber Essentials Plus, which is judged by an inspection of the organisation's cyber security rather than by answering a set of questions correctly (although not necessarily truthfully).

The most important first step in working towards Cyber Essentials is to make sure that the systems the organisation uses are covered (in scope). If they are not, the correct answer to some questions will be 'not applicable', which might mean that a fee is paid for a qualification that cannot be awarded. Kindus can advise on the finer points of the Cyber Essentials requirements, but as a very rough rule of thumb, if there is no network sharing of corporate data in place then Cyber Essentials might not apply. An individual or group will almost certainly use the Internet for web-based email and individual cloud storage, but if nobody in the group shares data with others, almost all of the security infrastructure is set by the cloud providers. Where there is local control over who has access to shared data, Cyber Essentials will determine the standards that this control must meet.

IASME have outlined the new requirements, and it appears that some criteria will be easier to achieve. For example, only the make and model of router and firewall devices is required, not the individual firmware versions. Where these devices are managed 'out of house', discovering the current firmware version could be a tricky process. The full requirements for an infrastructure that meets the new standard have been detailed by the NCSC.

Before starting an assessment it is essential to decide which devices will be in or out of scope. There is some flexibility over which parts or locations of a business to include, but some devices and systems are automatically in or out of scope. Cloud services are in scope; Microsoft 365, Dropbox and Gmail are specifically named. Here it is the applicant that is held responsible for ensuring appropriate access controls and secure configurations.

For a good outline of the type of questions Cyber Essentials will ask, there is a self-assessment booklet. At the time of writing this still maps to the 2022 questions, but many of the answers still apply and can be copied directly into the live online questionnaire. If these preparatory questions are hard to answer or seem difficult to apply, then the full Cyber Essentials may not apply to the current scope or will be hard to achieve; Kindus can help and advise here. Some questions are clearly leading, and although it is tempting to enter the answer the examiner probably wants to see, the qualification is pointless unless the applicant has taken steps to ensure that the answers truthfully reflect the security procedures in use. As an example, the questions will ask about the multi-factor authentication procedures in use; this should be seen as a prompt to ensure that appropriate guidelines have been set and enforced.

Success in Cyber Essentials is not guaranteed even at the second attempt, and it is unlikely that the fee will be refunded on failure. It is prudent to examine what might be asked and map that to the existing network security in use before paying any fee. Kindus can advise on how Cyber Essentials might or might not fit with your computer security before any commitment is made.
