Updates to the Cyber Essentials Scheme - January 2022

The Cyber Essentials (CE) scheme has now been running for a number of years and on January 24th 2022 the scheme will get a major and much-needed update to its requirements and scope with a new question set, named 'Evendine'.

The aim of this blog post is to give you a summary of the changes so that you know what to expect if you commence the self-assessment after January 24th. If you are new to CE then this blog post will bring you up to speed on the scheme to date.

Firstly, let’s run through the mandatory requirements of CE:

  1. All OS versions and their associated devices must be appropriately licensed and supported.

  2. All Critical and High Importance security updates must be applied within 14 days of their release.

  3. All questions on the self-assessment must be answered.

  4. The self-assessment must be signed by an appropriate senior leader within your business (typically board-level).
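The 14-day patching requirement above is the one CE rule that is easy to check mechanically from an update inventory. The following is an added example (not code from the original post or from the CE scheme) that evaluates a constructed list of updates against that window: only Critical and High updates are tracked, an update that has not been installed at all is measured against today's date, and anything applied after release + 14 days is reported. The update identifiers, device names and dates are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# CE requires Critical and High security updates within 14 days of release.
PATCH_WINDOW_DAYS = 14
TRACKED_SEVERITIES = {"critical", "high"}


@dataclass
class Update:
    device: str
    update_id: str          # vendor identifier (constructed placeholders below)
    severity: str           # e.g. "critical", "high", "moderate"
    released: date          # vendor release date
    installed: Optional[date]  # None means not yet applied


def is_overdue(update: Update, today: date) -> bool:
    """True when a Critical/High update missed the 14-day window.

    An uninstalled update is judged against `today`; an installed one is
    judged against the date it was actually applied.
    """
    if update.severity.lower() not in TRACKED_SEVERITIES:
        return False
    deadline = update.released + timedelta(days=PATCH_WINDOW_DAYS)
    applied_by = update.installed if update.installed is not None else today
    return applied_by > deadline


def overdue_ids(updates: List[Update], today: date) -> List[str]:
    """Sorted identifiers of every update that breaches the window."""
    return sorted(u.update_id for u in updates if is_overdue(u, today))


# Constructed inventory: not real update identifiers or devices.
AS_OF = date(2022, 1, 24)
SAMPLE_UPDATES = [
    # applied after 7 days: compliant
    Update("laptop-01", "UPD-EXAMPLE-1", "critical", date(2022, 1, 3), date(2022, 1, 10)),
    # never installed, 21 days old on AS_OF: overdue
    Update("laptop-02", "UPD-EXAMPLE-2", "high", date(2022, 1, 3), None),
    # moderate severity is not tracked by the requirement: ignored
    Update("server-01", "UPD-EXAMPLE-3", "moderate", date(2021, 12, 1), None),
    # installed on day 15: one day past the deadline, overdue
    Update("server-01", "UPD-EXAMPLE-4", "critical", date(2022, 1, 1), date(2022, 1, 16)),
]

if __name__ == "__main__":
    for uid in overdue_ids(SAMPLE_UPDATES, AS_OF):
        print("overdue:", uid)
    # → ['UPD-EXAMPLE-2', 'UPD-EXAMPLE-4']
```

Installation exactly on the fourteenth day counts as compliant here; if your auditor reads the window more strictly, change the comparison in `is_overdue` rather than the data.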

What is in scope today?

It's important to understand which devices must be included in the scope of an assessment. The criteria below outline what must be considered in scope.

The first requirement concerns internet connectivity: if a device is not connected to the internet and is isolated through the use of a network sub-set (see below), it can be considered out of scope for CE.

Otherwise, the requirements apply to all the devices and software that are within the boundary scope and that meet any of these conditions:

  • can accept incoming network connections from untrusted Internet-connected hosts; or

  • can establish user-initiated outbound connections to devices via the Internet; or

  • control the flow of data between any of the above devices and the Internet.

  • All applications must include at least some End User Devices (EUDs) in the scope.

In addition to the above, a device is only in scope if it is also used in one of the ways described below. Internet-connected devices that are not used in this manner do not fall within the scope of CE.

Devices that are accessing the corporate network OR accessing or holding organisational/business data including but not limited to:

  • Emails

  • Office documents

  • Databases

  • Financial data

  • etc.

Devices that access organisational/business services, including but not limited to:

  • Cloud apps / services

  • User interactive desktops

  • MDM Solutions & Containers

  • MS365, Google Workspace

  • Citrix Desktop

  • VDI Solutions

  • RDP Desktop

NB: Devices used exclusively for two-factor authentication (2FA) are not in scope if they access no other organisational service or data. Likewise, devices used only for native voice or note applications can be considered out of scope.

One of the items that I still see frequently is the use of unsupported OS versions such as Windows 7 or Server 2008 R2. At the moment these devices have been marked out of scope by adding explicit deny firewall rules to prevent them from accessing the internet. It has been decided that this is no longer sufficient: going forward it will be necessary to completely isolate these devices on a network segment that is not connected to the internet. Such a network segment is referred to as a 'sub-set'.

  • A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.

Changes to the scope of CE

Boundary of scope

The first significant change to be aware of is the scope of the assessment. The green box in the diagram below summarises where the boundary now lies with regard to what is and what is not considered in scope:

Aside from the clarity it brings to the boundary of the scope, the diagram makes two notable points: ISP-provided home routers are no longer in scope, and cloud services, which were previously out of scope, now are.

Home devices

Home devices being out of scope is a huge help to the many organisations that now have users working from home on IT infrastructure that the organisation cannot control.

Cloud Services

The addition of cloud services is also a good thing. Whilst it increases the complexity of the self-assessment for you, it also ensures that you are adopting best practices in the cloud as well as on-prem.

Understanding the different types of cloud services is the first step. The National Cyber Security Centre (NCSC) has put together a great selection of articles aimed at doing just that; see the links below for more information:

With the new question set, it is important to note that applicants must be seen to be taking responsibility to ensure they have configured their cloud services in a secure manner and not simply assuming that the various services are secure.

A key component of that is enabling Multi-Factor Authentication (MFA) for all of your cloud user and administrator accounts.

The graphic below aims to provide a very rough guide as to where responsibility will reside for the management of security in cloud services:

Managed Services

For organisations that rely on third-party managed services to maintain and administer their environment, or elements of it, details of exactly what is being managed must be supplied, together with an attestation from the managed service provider that the CE requirements are being met.

Web applications

Clarity has been added with regard to web applications. What is and isn't now considered in scope is detailed below:

  • Commercially developed - in scope

  • Custom components - out of scope

  • Bespoke web applications - out of scope

Home working

Requirements for home working are now documented:

  • All corporate or BYOD home working devices are in scope.

  • ISP-supplied home routers are out of scope.

  • Home users will by default rely on the software firewall.

  • A router supplied by the applicant's company for use at home is in scope.

  • The use of a corporate VPN transfers the boundary to the corporate firewall.

Device locking requirements added

New requirements have been added to the existing Secure Configuration section of the assessment to define acceptable mechanisms to lock and unlock devices:

  • Device locking may use PINs, biometrics or passwords.

  • If the credentials are used solely to unlock a device, a minimum password or PIN length of at least 6 characters must be used.

  • When the credentials could also be used elsewhere then the full password requirements in "user access control" must be applied.

    NB: This requirement applies to shared authentication platforms.

Other self-assessment changes to note

New Password section

The questions relating to passwords that were previously included under the Secure Config section have been moved to their own section now.

New INFORMATION ONLY Backups section added

A section has been added to the self-assessment that is aimed purely at raising awareness among applicants. It is for information only in this version of the assessment and is not an area that is marked or contributes to a Pass/Fail. It has been added in line with the NCSC's other initiatives such as Cyber Aware.

New INFORMATION ONLY Thin Client Question added

A new question has been added regarding the use of thin clients, their OS and its support status. At the moment this is again information only and will not contribute to the marking; however, expect to see it become a formal requirement in January 2023.

Cyber Essentials Plus Changes

Two additional tests have been added to the CE+ audit:

  • Additional Test 6 - Test to confirm account separation between user and admin accounts.

  • Additional Test 7 - Test to confirm MFA is applied to the cloud services and user/admin accounts declared in the CE self-assessment.

If you would like to discuss these changes in more detail or want to become Cyber Essentials certified, contact our experts today.