Changes to Cyber Essentials requirements announced

IASME, the National Cyber Security Centre’s (NCSC) Cyber Essentials partner, has announced changes to the current Cyber Essentials requirements and assessment questions.

The changes will come into effect from 26^th April 2021, and are designed to ensure the controls remain current following consultation with the NCSC and feedback from certified Cyber Essentials customers.

What are the changes to Cyber Essentials?

From 26^th April you will see the following:

• There are new definitions for corporate virtual private network (VPN), organisational data and organisational services.  These definitions will help when applying the requirements for Bring Your Own Device (BYOD).
• An update to the Bring Your Own Device (BYOD) requirement to explain what is out of scope.
• Clarification when/where software firewalls are acceptable as the internet boundary.
• The name of the patch management control has been changed to security update management.
• An update to the security update management control. This will include automatic updates where possible and clarify the position on updates that do not include details of the level of vulnerabilities that the respective update fixes.
• User access control has been expanded to include third party accounts that have access to the certifying organisation’s data and services.
• Some of the questions have been expanded to clarify what information needs to be submitted as part of the assessment.

More details about the changes to the Requirements can be found in the blog here.

READ: Why Cyber Essentials should be the first step on your cyber security journey 

What do I need to do now?

The Cyber Essentials assessment questions will change for all assessment accounts created on or after 26th April. The questions are worded differently and there are some additional questions that help clarify the information and reflect the changes detailed above. You can see both question sets (the current one v11c, and the one from 26th April vBeacon) on the IASME website.

If you have been working offline on the current question set (v11c), you will need to submit your application for an assessment before 26th April to get the same questions that you are currently working on. If you submit on or after the 26th April, you will the revised questions (vBeacon). If you would like the assessment questions to reflect those you are already working on, then you must apply and pay before 26th April.

If you have already applied and paid for your assessment you will not see any changes to the question set on the online assessment platform and you will not need to pay again.

The controls have not changed significantly but they have been updated to provide more clarity, explains IASME. All IASME certification bodies have received the updated training and will continue to provide support after 26^th April.

Further changes are also expected to be published and implemented later in the year.

Subscribe to the IFSEC Insider weekly newsletters

Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.

Sign up now!

Subscribe to the newsletter ✉️