News
Cyber Matrix

Cyber Essentials Question Set Changes – What Do You Need to Know?  

The Government approved Cyber Essentials scheme includes five technical controls that help protect organisations of all sizes from the majority of commodity cyber-attacks. The Cyber Essentials certification signals to customers, investors, and those in the supply chain that your organisation has put the Government approved minimum level of cyber security in place, reinforcing trust. 

The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security. At the start of the year, the NCSC published an updated set of requirements, version 3.1 for the Cyber Essentials scheme which came into force on the 24th April 2023. 

Any assessments that began before 24th April, will continue to use the requirements version 3.0 with the Evendine question set. This includes any assessment accounts created before 24th April.

The ‘Montpellier’ question is an update to the current ‘Evendine’ question set, the new questions do not see huge changes, however the Montpellier question works to consolidate and improve existing questions with an additional focus on the changes to business operations e.g. home working. The changes include: 

The definition of ‘Software’ has been updated to clarify where firmware is in scope.

Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware

As firewalls and routers are key security devices, their operating systems and keeping them up to date is extremely important from a security perspective.

Cyber Essentials requires that all applicants list their laptops, desktops, servers, computers, tablets, and mobile phones, with details of the make and operating system.

However, when it comes to firewalls and routers, the applicant will only be asked to list make and model, but not the specific version of the firmware. 

Asset management. 

Asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. 

Asset management is often referred to as a fundamental cyber hygiene practice that can help an organisation meet all of the five Cyber Essentials controls. Effective asset management will help track and control devices as they’re introduced into your business.

The requirements clarify that asset management doesn’t mean making lists or databases that are never used, it refers to creating, establishing, and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it.

Many major security incidents are caused by organisations having unknown assets which are still active connected to the network.

By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.

Clarification on including third party devices.

All end user devices that your organisation owns or that are loaned to a third party must be included in the assessment scope. The aim is to answer the common questions about consultants, volunteers, and student devices. 

The devices of students that are not owned by the applicant organisation are not and have never been in scope.

The applicant organisation needs to demonstrate that they can apply the required controls via a combination of technical and written policy. 

‘Device unlocking’ section has been updated to reflect that some configuration can’t be altered because of vendor restrictions.

When the vendor doesn’t allow you to configure the above, use the vendor’s default setting.

An applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign-in attempts. 

Samsung, possibly the largest provider of smartphones in the world, have set their minimum sign-in attempts at 15, with no option to alter this number. In this instance, Cyber Essentials would require that the applicant goes with the minimum number sign-in attempts allowed by the device before locking.

An updated ‘Malware protection’ section.

You must make sure that all devices in scope have a malware protection mechanism active. 

If you use anti-malware software to protect your device, it must be configured to:

  • Be updated in line with vendor recommendations.
  • Prevent malware from running.
  • Prevent the execution of malicious code.
  • Prevent connections to malicious websites over the internet.

Application allow listing (option for all in scope devices).

Only approved applications, restricted by code signing, are allowed to execute on devices. You must:

  • Actively approve such applications before deploying them to devices.
  • Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature.

Information about how using a zero-trust architecture affects Cyber Essentials.

Zero trust architecture is designed to cope with the changing conditions, as business move to cloud-based platforms, reliance on SaaS and remote working. Zero trust architecture enables an improved user experience for remote access and data sharing. 

A zero-trust architecture is an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile, and each access request is verified, based on an access policy. Confidence in a request is achieved by building context, which relies on strong authentication, authorisation, device health, and value of the data being accessed.

A number of style and language changes have been made to make the document more readable.

The requirements document has been updated in line with plain English and accessibility guidelines.

And finally, for consistency, the scheme requirements are now in the same order as the question set which is, firewalls, secure configuration, security update management, user access controls, and malware protection.

CyberCrowd are IASME approved certification bodies, for many organisations that we work with the certification can seem overwhelming, the new question set has not only addressed these challenges but allows for us to evolve best practise security alongside the threat landscape. 

We believe in a proactive approach to cyber security and the cyber essentials scheme helps to reinforce this. Similarly, we understand business challenges and as a result we tailor our approach specifically to each organisation providing as much or as little support as required.

If you would like to know more about how the scheme could benefit your organisation, are looking to be re-certified or if you would like to hear more about how CyberCrowd can help, please get in touch.