Cyber Essentials Myth Busting

Myth-busting Cyber Essentials

It’s been just over two years since the NCSC appointed IASME as the Cyber Essentials delivery partner. In that time we’ve made a number of changes to evolve the scheme including some key updates to the technical requirements. In April 2021 we added clarifications on the use of bring-your-own-device (BYOD), software firewalls and third-party accounts and in January 2022 we introduced cloud services, multi-factor authentication and home working. These changes represent the most substantial update to the scheme since its inception, however a lot of the feedback that the NCSC and IASME have received is on aspects that haven’t changed.

BYOD

All devices that access an applicant’s organisational data or services need to be included in the scope of the certification. This includes both corporately issued devices and BYOD. This has always been the case for Cyber Essentials and has not changed as a requirement in either the April 2021 or January 2022 update. The new scope diagram now includes BYOD to clarify this further and explains when BYOD can be treated as out of scope.

Legacy software

Software that is no longer in support needs to be removed from devices, or removed from the scope of the certification by placing it in a well-defined and separately managed sub-set. A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation. This is also not a new requirement; in the January 2022 update we added a definition of ‘sub-set’ to assist applicants using them in the scope of certifications.

Security Updates

The Security Update Management control sets out three conditions. If any one of them applies to a security update, the update must be applied within 14 days of its release:

  • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  • The update addresses vulnerabilities with a CVSS (Common Vulnerability Scoring System) v3 score of 7 or above
  • There are no details of the level of vulnerabilities the update fixes provided by the vendor

We did make some changes to this requirement in April 2021, adding the final bullet to clarify what is required of an applicant when a security update does not contain enough information to determine its criticality. However, while 14 days has always been the timeframe expected for applying these updates, this does not mean an applicant has to apply every update within 14 days: only those where one or more of the three conditions above apply.
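The three conditions above are easy to misread as "everything within 14 days", so here is a small triage routine that applies them as written. This is an added illustration, not code from the NCSC or IASME; the `SecurityUpdate` record, the severity strings and the sample updates are assumptions constructed for the example. It treats an update with no vendor severity and no CVSS v3 score as falling under the third condition, and a vendor rating below 'high' as still in scope when the CVSS v3 score is 7 or above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cyber Essentials timeframe for applying qualifying security updates.
PATCH_WINDOW = timedelta(days=14)

# Vendor wording that counts as 'critical' or 'high risk' (assumed normalisation).
HIGH_RISK_LABELS = {"critical", "high", "high risk"}


@dataclass
class SecurityUpdate:
    """Hypothetical record of one vendor security update (not an NCSC data model)."""
    name: str
    released: date
    vendor_severity: Optional[str]  # None when the vendor gives no rating
    cvss_v3: Optional[float]        # None when the vendor gives no CVSS v3 score


def must_apply_within_14_days(update: SecurityUpdate) -> bool:
    """Return True if any of the three Cyber Essentials conditions applies."""
    # Condition 1: vendor describes the fixed vulnerabilities as critical / high risk.
    if update.vendor_severity and update.vendor_severity.strip().lower() in HIGH_RISK_LABELS:
        return True
    # Condition 2: CVSS v3 base score of 7 or above.
    if update.cvss_v3 is not None and update.cvss_v3 >= 7.0:
        return True
    # Condition 3: the vendor gives no detail at all about the severity.
    if update.vendor_severity is None and update.cvss_v3 is None:
        return True
    return False


def deadline(update: SecurityUpdate) -> Optional[date]:
    """Date by which the update must be installed, or None if no 14-day mandate applies."""
    return update.released + PATCH_WINDOW if must_apply_within_14_days(update) else None


def triage(updates: List[SecurityUpdate], today: date) -> Dict[str, str]:
    """Classify each update as 'overdue', 'due' (within the window) or 'not_mandated'."""
    result = {}
    for u in updates:
        due = deadline(u)
        if due is None:
            result[u.name] = "not_mandated"
        elif today > due:
            result[u.name] = "overdue"
        else:
            result[u.name] = "due"
    return result


# Constructed sample data: names, dates and scores are illustrative only.
SAMPLE_UPDATES = [
    SecurityUpdate("browser-99.0", date(2022, 2, 10), "Critical", 9.8),
    SecurityUpdate("office-2202", date(2022, 2, 20), "Moderate", 7.5),   # condition 2 only
    SecurityUpdate("printer-fw-1.4", date(2022, 2, 1), None, None),      # condition 3
    SecurityUpdate("util-2.0", date(2022, 2, 25), "Low", 3.1),           # no mandate
]
SAMPLE_TODAY = date(2022, 3, 1)

if __name__ == "__main__":
    for name, status in triage(SAMPLE_UPDATES, SAMPLE_TODAY).items():
        print(f"{name:16} {status}")
```

Running it with the constructed data shows `browser-99.0` and `printer-fw-1.4` as overdue, `office-2202` as due by 6 March 2022 despite its 'Moderate' vendor rating, and `util-2.0` as carrying no 14-day mandate. A real deployment would feed this from the vendor's advisory feed and the organisation's patch inventory rather than from inline records.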

Scoping

Deciding on the scope of a certification has always been a tricky process. Ideally, an applicant should include the whole of the IT infrastructure used to perform their business. However, we know this isn’t always possible, which is why we included a new definition of a ‘sub-set’, allowing applicants to segregate where necessary. Regardless of the size of the scope, all applicants must include some end user devices; one of the changes we made in January 2022 was to add a statement that an application with no end user devices is no longer acceptable.

The introduction of cloud services has obviously increased the scope for a lot of organisations: if the applicant’s data or services are hosted in the cloud then these must now be included. As most cloud providers use a shared responsibility model, we have also used this approach as a guide to help applicants decide who typically implements each of the Cyber Essentials technical controls within the cloud. However, the applicant is always ultimately responsible for ensuring the controls are implemented.