Our customers tell us we’re genuinely different to other IT companies.
Get in touch today to find out more.
Or call us today on 01225 426 800
The National Center for Cyber Security (NCSC) has revealed that the technical requirements for Cyber Essentials are changing in April 2023.
The NCSC periodically reviews technical requirements for Cyber Essentials to ensure the scheme is effective in protecting UK organisations against cyber threats.
In 2022, there was a major update to Cyber Essentials. Therefore, the changes for 2023 are set to be much lighter and focus more on clarification.
In 2023, there are a handful of changes coming to Cyber Essentials which concern:
The below information has been taken from the NCSC website.
From April 2023, you will only be required to declare the make and OS of your user devices, with no need to list the model. This change will take effect within the self-assessment questions, rather than the requirements document.
All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.
More information and a new table that clarify how third-party devices, such as a contractor or student devices, should be treated in your application.
We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it is now acceptable for applicants to use those default settings.
Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.
Several language and format changes have been made to make the document easier to read.
The technical controls have been reordered to align with the updated self-assessment question set.
The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.
These Cyber Essentials changes will take place from the 24th of April 2023. This means that any applications made on OR after this date will need to use the new requirements and questions set.
To ensure the certification remains relevant and up-to-date, feedback from accessors, applicants and the NCSC is regularly reviewed.
In addition to the changing requirements, IASME is producing more resources to help applicants understand the questions and certification process. Including a knowledge base, guides and articles.
These will become available over the coming months.
As a Cyber Essential Plus certified business, we work with IASME and can help you achieve your CE and CE+ certifications.
If you’re working towards your CE certification and need a helping hand, get in touch with us today via email@example.com or give us a call on 01225 426800.