Cyber Essentials is Changing
On 23rd January, the NCSC published an updated set of requirements, version 3.1 for the Cyber Essentials scheme which will come into force on the 24th April 2023. The ‘Montpellier’ question set will replace Evendine.
Any assessments that began before 24th April, will continue to use the requirements version 3.0 with the Evendine question set. This includes any assessment accounts created before 24th April.
The changes to the scheme are as follows-
1. The definition of ‘software’ has been updated to clarify where firmware is in scope
Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware.
Why the change?
Firewall and router firmware is the operating system of those devices. As firewalls and routers are key security devices, their operating systems and whether they are kept up to date is extremely important from a security perspective.
2. Asset management is important in Cyber Essentials
In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.
Why ?
The requirements clarify that asset management doesn’t mean making lists or databases that are never used, it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it.
3. Clarification on including third party devices
All end user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. A new table is included for clarity on this subject -
Why?
The new table gives clarity on which third party devices are in scope for Cyber Essentials. It aims to answer the common questions about consultants, volunteers, and the much disputed, student devices. When the third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that they can apply the required controls via a combination of technical and written policy.
4. ‘Device unlocking’ section has been updated to reflect that some configuration can’t be altered because of vendor restrictions
When the vendor doesn’t allow you to configure the above, use the vendor’s default setting.
Why?
Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements.
5. An updated ‘Malware protection’ section
You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products these options are built into the software supplied.
If you use anti-malware software to protect your device, it must be configured to:
Be updated in line with vendor recommendations.
Prevent malware from running.
Prevent the execution of malicious code.
Prevent connections to malicious websites over the internet.
Application allow listing (option for all in scope devices).
Only approved applications, restricted by code signing, are allowed to execute on devices.
You must:
Actively approve such applications before deploying them to devices
Maintain a current list of approved applications, users must not be able to install any application that is unsig