A Guide to Cyber Essentials Requirement Changes

• New guidance unveiled in January comes into effect on 24th April, 2023
• Definition of software expanded to include firmware
• New guidance on third party devices, malware and asset management
• Certification in progress bound by last year’s regulations

To make sure that the Government continues to help UK organisations guard against cyber threats, it carries out a regular review of its flagship Cyber Essentials scheme. April sees the release of Version 3.1, known as Montpellier. Its predecessor, Evendine, was the largest change since the scheme was set up in 2014.

Here’s what you need to know about the revised scheme. If you want to skip straight to the costs, check out our guide here.

Why is the scheme being changed?

The changes are made to reflect shifts in human behaviour and developments in technology, which may create new vulnerabilities that can be exploited – for example, the rapid shift to cloud computing, and bring your own device (BYOD). 

These changes are based on feedback from applicants, assessors, and technical experts from the National Cyber Security Centre (NCSC).

How big are the changes?

The changes can be grouped into two: updating the guidance on technical and non-mandatory controls, and ways to make the scheme more practical and easier to manage. This means there are some additions in scope, some relaxations in scope, and some new policies, including a new set of questions.

We’ve listed the key changes below.

• User devices. User devices within the scope of the certification require their make and operating system to be listed. This does not apply to network devices, such as firewalls and routers. However, the requirement for the applicant to list the model of the device has been removed. The self-assessment question set, not the requirements document, will reflect this change.
• Third-party devices. There is new information on how third-party devices should be treated, including students and contractors. Further advice has also been given to help clear up confusion around bring your own devices (BYOD). User-owned devices that access organisational data or services are now in scope, but devices using native voice or text applications, or multi-factor authentication (MFA) are not.For a better idea of how the changes will work in practice, check out the table, below.

• Firmware. All firmware is defined as ‘software’, so must be up to date and supported. The NCSC has said it has received feedback that this information can be hard to find, so has changed the requirement to just router and firewall firmware.
• Device unlocking. With some default settings in devices being unconfigurable – for example, the number of unsuccessful login attempts before locking – applicants can now use those.
• Malware protection. Anti-malware software will no longer have to be signature based, while sandboxing is no longer an option. A malware protection mechanism suitable for different device types has been specified, and must be kept active and up to date.
• Cyber Essentials Plus updates. To reflect the changes, the Illustrative Test Specification document has been updated. The biggest, the NCSC says, is a refreshed set of Malware Protection tests to simplify the process for applicants and assessors.

What else is new?

There are a raft of further changes to bring the guidance into line with recent shifts in technology and customer usage, most notably the move to zero trust architecture, as more services move to the cloud and Software as a Service (SaaS) solutions. This includes comprehensive guidance on asset management, though this is not a compulsory requirement. The scheme requirements will now follow the same order as the question set, which is:

1. Firewalls
2. Secure configuration
3. Security update management
4. User access controls
5. Malware protection

What if I start my cyber essentials assessment before 24th April, but haven’t finished by this date?

Don’t worry. All applications started before this date will use the 2022 requirements and question set. This includes accounts that were created before 24th April. You have six months to complete your assessment, and further three months to complete Cyber Essentials Plus.

In any case, it makes sense to familiarise yourself – and comply with – as many of the new provisions as possible, as soon as you can.

What’s the grace period for the new scheme, and what happens when the current grace period ends?

There isn’t a grace period with Montpellier, because the requirement changes are not significant, the NCSC says. The existing grace period for some of the requirements from the 2022 update will end on 24th April. You can learn more about that here. It’s worth noting though that on this date it will become a requirement for Cyber Essentials that all:

• Cloud-based user accounts are protected by multi-factor authentication
• All thin clients in scope are supported and receiving security updates
• Unsupported software is segregated or removed from scope via a sub-set

How do I find out more?

For more details on the Cyber Essential scheme, including its requirements and coverage, see our guide, here. There’s also FAQs available on the NCSC website, help for applicants during the certification process via IASME, and more links below.

• From Cyber Essentials costs to renewals, take a look at the commonly asked questions regarding the Cyber Essentials scheme here.
• The benefits of Cyber Essentials and Cyber Essentials Plus explained.
• How much does Cyber Essentials certification cost in 2023?