As of 24th April 2023, an updated set of Cyber Essentials requirements (version 3.1 published by NCSC on the 23rd January) will come into force. These changes apply to those who undertake the Cyber Essentials self assessment on or after the 24th April 2023. If you've recently renewed, then you do not need to do anything, but you may want to review the changes to prepare for next year's assessment.
Definition of 'software'
The definition of ‘software’ has been updated to clarify where firmware is in scope. Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware.
Asset management
Asset management is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised. Many major security incidents are caused by organisations having assets which are still connected to the network, when that organisation is not aware the asset is still active. Creating, establishing, and maintaining authoritative and accurate information about assets enables both day-to-day operations and efficient decision making. Effective asset management will help track and control devices as they’re introduced into your business. The NCSC has comprehensive guidance for organisations on asset management.
Information link
A link has been added to the NCSC's BYOD guidance for further information.
Clarification on third party devices
Clarification on including third party devices. All end user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. The new table gives clarity on which third party devices are in scope for Cyber Essentials. It aims to answer the common questions about consultants, volunteers, and the much disputed, student devices. Table on the next page shows what is included in scope.
Device unlocking section updates
When the vendor doesn’t allow you to configure the device unlocking, use the vendor’s default setting. For example, Samsung have set their minimum sign-in attempts at 15, with no option to alter this number, in this instance Cyber Essentials would require that the applicant goes with the minimum number sign-in attempts allowed by the device before locking.
Updated 'malware protection' section'
You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases the software must be active, kept up to date in accordance with the vendors instructions, and configured to work as detailed below:
Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers) must be configured to:
- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet
Application allow listing (option for all in scope devices) only approved applications, restricted by code signing, are allowed to execute on devices.
You must:
- Actively approve such applications before deploying them to devices
- Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature
Zero-trust architecture
Network architecture is changing. More services are moving to the cloud and use of Software as a Service (SaaS) continues to grow. At the same time, many organisations are embracing flexible working, which means lots of different device types may connect to your systems from many locations. It’s also increasingly common for organisations to share data with their partners and guest users, which requires more granular access control policies.
Zero trust architecture is designed to cope with these changing conditions by enabling an improved user experience for remote access and data sharing. NCSC and IASME have considered the alignment of Cyber Essentials with the zero trust architecture models. We are confident that implementing the Cyber Essentials technical controls does not prevent you from using a zero trust architecture as defined by the NCSC guidance.
For further information please follow the link to the IASME article.