The National Cyber Security Centre (NCSC) has announced that Cyber Essentials version 3.1 will replace the current version on 24th April 2023. As part of the update, the Evendine set of questions will be replaced by the Montpellier set.
All assessments that began before 24th April 2023 will continue to use version 3.0 of the requirements with the Evendine set of questions. This includes any assessment accounts created before that date, even if the questionnaire has not yet been submitted.
The new requirements bring some significant changes to the scheme, including:
Clarification on Third-Party Devices
All end-user devices owned by an organisation and loaned to a third party must be included in the assessment scope. A new table clarifies which third-party devices are in scope for Cyber Essentials, answering common questions about the devices used by consultants, contractors, volunteers and other third parties.
Expanded Definition of Software
The definition of software has been updated to include firmware. This means that operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software, and firewall and router firmware are all treated as software for the purposes of the scheme, so firmware is subject to the same requirements as any other in-scope software: it must be licensed and vendor-supported, and security updates must be applied in line with the security update management control.
Importance of Asset Management
Although asset management is not a specific control in Cyber Essentials, it underpins every control in the scheme: you cannot patch, configure or protect a device you do not know you have. The new requirements emphasise the importance of good asset management and clarify what it means. It is not about producing lists or databases that are never used, but about creating and maintaining accurate, authoritative information about assets that supports efficient decision-making when it is needed.
Device Unlocking
The section on device unlocking has been updated to reflect that some configuration cannot be altered because of vendor restrictions. Where a setting cannot be changed for this reason, the vendor's default setting should be used and this should be recorded in the assessment.
Updated Malware Protection Section
The requirements for malware protection have been updated to make clear that a malware protection mechanism must be active on every device in scope. The mechanism must prevent malware from running, block the execution of malicious code, and block connections to malicious websites over the internet. The requirements also describe application allow listing as an approach, where only approved applications, restricted by code signing, are permitted to execute.
Zero Trust Architecture
The new requirements explain how using a zero-trust architecture affects Cyber Essentials. The Cyber Essentials technical controls can still be implemented within a zero-trust architecture as defined in the NCSC's own zero trust guidance, so adopting that model does not take an organisation outside the scheme.
The Cyber Essentials Plus (CE+) illustrative test specification has also been updated to reflect these changes, particularly the malware protection tests, so organisations seeking CE+ certification should expect the on-site or remote tests to match the new requirements.
These changes reflect the evolving threat landscape and the need for organisations to stay vigilant and take a proactive approach to cyber security. By meeting the updated Cyber Essentials requirements, businesses can reduce their exposure to the most common internet-based attacks the scheme is designed to address.
Ingenio Technologies is a Brighton Cyber Essentials expert here to help businesses stay on top of these important Cyber Essentials changes. Our team of Sussex Cyber Essentials experts can provide guidance on how to implement the new requirements and ensure that your systems and devices are properly secured against cyber threats. Don’t wait until it’s too late – get in touch with us today to learn more about how we can help protect your business. Call 01273806211 or email [email protected].