What are the latest Cyber Essentials technical requirements?

The National Cyber Security Centre (NCSC) and its Cyber Essentials delivery partner IASME updated the technical requirements for Cyber Essentials in April 2023. This update is part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.

The 2023 update will be lighter touch, providing a number of clarifications, alongside some important new guidance.

This includes:

User devices:

With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. The model of the device is no longer required.

Firmware:

All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. However, following feedback that this information can be difficult to find, the NCSC is changing this to include just router and firewall firmware.

Third party devices:

More information and a new table have been added to clarify how third-party devices, such as contractor or student devices, should be treated in applications.

Device unlocking:

The NCSC has made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.

Malware protection:

Anti-malware software will no longer need to be signature-based, and the NCSC has clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

There is also new guidance on zero trust architecture for achieving CE, and a note on the importance of asset management.

Style and language:

Several language and format changes have been made to make the document easier to read.

Structure updated:

The technical controls have been reordered to align with the updated self-assessment question set.

CE+ testing:

The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.

The latest update (version 3.1) will take effect from 24 April 2023.

This means all applications started on or after this date will use the new requirements and question set. For more information, please see this IASME blog which provides more details on the changes. An updated set of FAQs is also available on the NCSC website: Cyber Essentials technical requirements updated for April… – NCSC.GOV.UK
