On 24 January 2022, the National Cyber Security Centre (NCSC) will introduce the biggest update to Cyber Essentials’ technical controls since its launch in 2014.
Cyber Essentials is the simple, government-backed cyber certification scheme that helps organisations defend against common cyber threats, and it is often a requirement for working on UK Government contracts. The scheme is being updated to reflect the evolving cyber threat and changing working patterns, in particular home and hybrid working, which increased dramatically as a result of the pandemic (and which seems very topical given the latest working-from-home guidance that came into force today).
As well as changes to reflect home working, the update includes revisions to the requirements on cloud services, multi-factor authentication, password management and security updates, among others. Many of the changes are based on user and assessor feedback, or follow consultation with the Cloud Industry Forum.
While the new technical requirements will be officially launched in January, organisations which are currently undertaking a Cyber Essentials assessment can continue against the current standard and will have six months from the launch date to complete that assessment. All Cyber Essentials applications made on or after 24 January will be assessed against the updated requirements, although there will be a grace period of up to 12 months for some of them, reflecting the extra effort that may be needed to meet some of the new technical controls.
Why should I care?
The changes will be of interest to all organisations which are looking to ensure they are implementing basic controls to protect themselves against an evolving cyber risk. However, they will be of particular interest if you are an organisation which:
- is thinking about getting certified, for example because you are hoping to supply relevant services to UK Government: getting your application in before the January deadline means you will be assessed against the current criteria rather than the new ones;
- is currently Cyber Essentials certified: IASME, NCSC’s delivery partner for Cyber Essentials, confirms on its website that Cyber Essentials and Cyber Essentials Plus certifications expire after 12 months (that is, it removes companies from the UK Government’s ‘certified organisations’ list if they have not been certified in the past year), so renewals are now likely to take place under the new controls; or
- uses the scheme as part of your supply chain diligence or selection process: going forward, you should check that your suppliers have renewed their certifications under the new controls when their existing ones expire.
The NCSC has produced a set of FAQs and a list of Requirements which provide more information on the changes, and it is set to update its Cyber Essentials Readiness online tool, which helps organisations prepare for certification. IASME has also produced a technical blog which discusses the reasoning behind the changes.