The AZTech IT Blog

A Guide To The 2022 Changes For The Cyber Essentials Scheme

Posted by Sean Houghton | 13-May-2022 10:00:00

Have you attempted to renew your Cyber Essentials accreditation this year and noticed some changes or more challenges?     

The Cyber Essentials scheme has been updated, and there are some important changes that you need to be aware of. The new requirements went into effect on January 24th 2022, and in this article, we will detail everything that you need to know in order to make sure your business or organisation is compliant.

We'll go over all the new requirements for Cyber Essentials and Cyber Essentials Plus, and explain what you need to do in order to achieve or retain certification.  

According to IASME, 15 changes were made in January 2022. Here is what to expect:

- The five technical controls themselves are unchanged (firewalls, secure configuration, user access control, malware protection and security update management). What has expanded is their scope: cloud services, devices used by home workers and thin clients are now explicitly covered.

The 2022 update includes significant changes relating to

  • Firewalls
  • Remote / home workers
  • Cloud systems, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)
  • Thin clients
  • Multi-factor authentication and passwords
  • Bring Your Own Device (BYOD)

- The certification process keeps the same shape: you complete a self-assessment questionnaire (SAQ), which is reviewed by an assessor and must be signed off by a board member or equivalent. Cyber Essentials Plus adds independent technical testing on top of the same questionnaire.

- Certificates are valid for 12 months, so any assessment started on or after January 24th 2022 is marked against the new question set. Some of the new requirements had a grace period, including multi-factor authentication for all users of cloud services (administrators were required immediately) and the thin client requirements, which became mandatory from January 2023.

- The fee for Cyber Essentials is now tiered by organisation size: £300 + VAT for micro organisations (0-9 staff), £400 for small (10-49), £450 for medium (50-249) and £500 for large (250+). The fee for Cyber Essentials Plus is set by the certification body that carries out the assessment.

So what do these changes mean for businesses and organisations? Let's take a closer look. 

The scheme's technical controls still cover the same five areas; the 2022 update changes what falls inside each of them, not the list itself:

  1. Firewalls (and internet gateways): the boundary firewall, and the software firewall on each device
  2. Secure configuration: device configuration, passwords and device locking
  3. User access control: unique accounts, least privilege and separate administrator accounts
  4. Malware protection: anti-malware software, application allow-listing or sandboxing
  5. Security update management (patch management): supported software, with updates applied on time

A closer look at the changes  

One of the most significant changes is the clarification of the requirements for mobile devices. With more and more businesses using laptops, tablets and phones to access company data, these devices must be adequately secured, and any phone or tablet that accesses organisational data or services is in scope, whether it is company-owned or BYOD. The requirements stipulate that such devices are locked with a credential (a password, a PIN of at least six characters, or a biometric) and that the device defends that credential against brute-force guessing, either by throttling guesses to no more than 10 in five minutes or by locking after no more than 10 failed attempts. Each device must also run an operating system that is still supported and receiving security updates, and must appear in your asset inventory. Disk encryption and mobile device management (MDM) are not Cyber Essentials requirements in themselves, but a device-management policy makes the inventory and update questions far easier to answer.

Passwords and Multifactor Authentication 

Another important change is the requirement for multi-factor authentication (MFA, also called two-factor authentication) on cloud services. In addition to a username and password, the user must present a second factor before they can sign in: a code from an authenticator app or hardware token, a code sent to their phone, or a biometric prompt on a registered device. From January 24th 2022, MFA is required for all administrator accounts on cloud services; from January 2023 it is required for all user accounts on cloud services as well, so organisations recertifying after that date need it for everyone. Password rules were tightened at the same time. Where MFA is in place, passwords must be at least 8 characters with no maximum length. Where it is not, you must either require at least 12 characters with no maximum, or require at least 8 characters and use a technical control (a deny list) that rejects common and previously breached passwords. Accounts must also be protected against brute-force guessing through lockout or throttling, and users should be told to change a password promptly if it is suspected to have been compromised.

Home Working Devices  

If your employees work from home, the devices they use to access organisational data or services are in scope, whether you issued them or they are the employee's own (BYOD). Home routers are not in scope unless you supplied them, so the firewall requirement moves to the device itself: the software firewall on each laptop or desktop must be enabled and configured, and where a corporate VPN is used, the boundary firewall controls apply at the VPN endpoint. Home working devices are otherwise treated like any other device: a supported operating system, security updates within the 14-day window, a locking credential with brute-force protection, and an entry in your asset inventory.

Cloud Services  

Cloud services, including Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), are now fully in scope.

The scheme applies a shared-responsibility model. You are responsible for every control you can configure on the service (user accounts, MFA, password settings, and for IaaS the guest operating system with its updates and firewall), and the provider is responsible for the layers you cannot touch; the questionnaire asks you to list each cloud service and state which party is responsible for each control. Password rules on cloud services follow the general rule above: MFA must be used, and with MFA in place passwords must be at least 8 characters with no maximum length.

For example, if you are running virtual machines in Microsoft Azure (including Azure Virtual Desktop hosts) or Amazon AWS, you own the guest operating system: any high or critical security update must be applied within 14 days of release, a firewall must be enabled, and the password policy and MFA must meet the requirements of Cyber Essentials.

Thin clients  

Thin clients are in scope when they connect to organisational data or services. They are not exempt because they hold little local data: each one must run a supported operating system or firmware that is still receiving security updates, have those updates applied within the same windows as any other device, and be listed in your asset inventory. Authentication for the sessions they open follows the normal rules (MFA where the target is a cloud service, and the password policy above). This requirement had a grace period and became mandatory from January 2023.

Asset Management  

You'll need an up-to-date inventory of all the devices and software in scope. This includes laptops, PCs, virtual desktops, tablets, smartphones, servers and the routers and firewalls at your boundary, and you should also keep a record of the software installed on these devices.

The questionnaire asks for the make, model and operating system version of each device type, including the edition and feature release (for example Windows 10 Pro 21H2 rather than just "Windows 10"). Any missing information may lead to pushback for further information or even a failure, because the assessor uses it to check that every listed system is still supported.

In addition, you'll need a process in place for managing these assets: procedures for adding new devices and software to the inventory, and for removing old or unused devices and software.

Access Control  

You'll need to have a process in place for granting access to data and services. Every user should have their own account (no shared logins), access should be approved before it is granted and limited to what the role needs, and accounts should be disabled or removed promptly when someone leaves or changes role.

Account Separation  

Administrative accounts must be separate from the accounts used for everyday work. Anyone who performs administrative tasks (installing software, changing configuration, managing users) needs a dedicated administrator account, and that account must not be used for email, web browsing or other day-to-day activity, where it would be exposed to phishing and drive-by downloads with full privileges. Standard user accounts should carry no administrative rights.

You'll also need a process for managing these accounts: a record of who holds administrator access, a regular review of that list, and removal of administrator access as soon as it is no longer required.

Malware Protection  

You'll need malware protection on every device in scope. The scheme accepts one of three approaches: anti-malware software, application allow-listing, or application sandboxing.

Where anti-malware software is used it must be kept up to date (definitions updated at least daily), scan files automatically when they are opened or downloaded, and prevent connections to known-malicious websites. A single, properly maintained product meets this; installing two anti-malware products on the same device is not required and usually causes them to interfere with each other. Where allow-listing is used, only approved applications may run and the list must be maintained; where sandboxing is used, untrusted code must run isolated from the rest of the device.

Any device found to be infected should be isolated from the network until it has been cleaned or rebuilt.

Patch Management  

You'll need a process in place for managing security updates. All software in scope must be licensed and supported by its vendor, and automatic updates should be enabled wherever the software allows it.

The requirements stipulate that updates fixing vulnerabilities rated critical or high (a CVSS v3 base score of 7.0 or above, or described as critical or high by the vendor) are installed within 14 days of release. This applies to operating systems, firmware on boundary devices, browsers and applications alike. Software that is no longer supported, and therefore can no longer be patched, must be removed from the device or moved into a segregated part of the network that is placed out of scope.
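The password, MFA, account-separation and patch-window rules above are easy to state and easy to drift from between renewals. As an added example (not code from AZTech, IASME or the Cyber Essentials scheme documents), the script below evaluates a constructed device and account inventory against those rules and reports each breach. The thresholds are the scheme's; the data structures, the device and account names, the update identifiers and the sample dates are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Thresholds taken from the Cyber Essentials requirements described above.
PATCH_WINDOW_DAYS = 14      # critical/high updates must be applied within 14 days of release
HIGH_SEVERITY_CVSS = 7.0    # CVSS v3 base score of 7.0+ counts as high/critical
MIN_PW_WITH_CONTROL = 8     # minimum password length when MFA or a deny list is in place
MIN_PW_ALONE = 12           # minimum length when length is the only control

ASSESSMENT_DATE = date(2022, 5, 13)   # assumed "today" for the constructed sample


@dataclass
class Update:
    name: str
    cvss: float
    released: date
    applied: bool = False


@dataclass
class Account:
    name: str
    is_admin: bool = False
    cloud: bool = False                 # account on a SaaS/PaaS/IaaS service
    mfa: bool = False
    min_password_length: int = 0        # minimum length enforced by policy
    deny_list: bool = False             # technical control rejecting common passwords
    used_for_daily_work: bool = False   # admin account also used for email/browsing


@dataclass
class Device:
    name: str
    os: str
    supported: bool                     # vendor still issues security updates
    firewall_on: bool                   # host (software) firewall enabled
    updates: list[Update] = field(default_factory=list)
    accounts: list[Account] = field(default_factory=list)


def password_policy_ok(acct: Account) -> bool:
    """8+ characters when MFA or a deny list is in place, otherwise 12+."""
    if acct.mfa or acct.deny_list:
        return acct.min_password_length >= MIN_PW_WITH_CONTROL
    return acct.min_password_length >= MIN_PW_ALONE


def overdue_updates(dev: Device, today: date) -> list[str]:
    """Names of unapplied high/critical updates older than the 14-day window."""
    return [u.name for u in dev.updates
            if not u.applied
            and u.cvss >= HIGH_SEVERITY_CVSS
            and (today - u.released).days > PATCH_WINDOW_DAYS]


def assess(dev: Device, today: date) -> list[str]:
    """Return one finding string per rule the device or its accounts break."""
    findings: list[str] = []
    if not dev.supported:
        findings.append(f"{dev.name}: {dev.os} no longer receives security updates")
    if not dev.firewall_on:
        findings.append(f"{dev.name}: host firewall disabled")
    for name in overdue_updates(dev, today):
        findings.append(f"{dev.name}: update {name} outside {PATCH_WINDOW_DAYS}-day window")
    for a in dev.accounts:
        if a.cloud and not a.mfa:
            findings.append(f"{dev.name}/{a.name}: cloud account without MFA")
        if a.is_admin and a.used_for_daily_work:
            findings.append(f"{dev.name}/{a.name}: admin account used for day-to-day work")
        if not password_policy_ok(a):
            findings.append(f"{dev.name}/{a.name}: password policy below minimum")
    return findings


def assess_all(devices: list[Device], today: date) -> list[str]:
    return [f for d in devices for f in assess(d, today)]


# Constructed sample inventory: names, dates and CVSS scores are made up for the example.
SAMPLE_INVENTORY = [
    Device("LAPTOP-01", "Windows 10 Pro 21H2", supported=True, firewall_on=True,
           updates=[Update("KB-A", 8.8, date(2022, 4, 12)),              # 31 days old, unapplied
                    Update("KB-B", 5.3, date(2022, 4, 12)),              # medium: not in the 14-day rule
                    Update("KB-C", 9.8, date(2022, 5, 10), applied=True)],
           accounts=[Account("jsmith", cloud=True, mfa=True, min_password_length=8),
                     Account("jsmith-admin", is_admin=True, min_password_length=12,
                             used_for_daily_work=True)]),
    Device("VM-WEB-01", "Ubuntu 16.04", supported=False, firewall_on=False,
           accounts=[Account("ops", cloud=True, mfa=False, min_password_length=10)]),
]

if __name__ == "__main__":
    for finding in assess_all(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(finding)
```

Run as-is it prints six findings for the constructed inventory: the overdue KB-A update and the administrator account used for daily work on the laptop, and the unsupported OS, disabled firewall, missing MFA and short password policy on the virtual machine. In practice the Device and Account records would be populated from your asset register, an MDM export and a patch-management report. Note that the 14 days are counted from the vendor's release date, not from when the update was noticed.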

Physical Security  

Physical security is not one of the five Cyber Essentials controls, and the questionnaire does not assess locks, alarms or CCTV. It is still worth having basic procedures for securing your premises and limiting who can reach equipment that holds sensitive data, because several of the controls that are assessed assume it: the device-locking and separate-administrator-account requirements exist precisely so that a lost laptop or an unattended desk does not hand an attacker a privileged session.

Remote Working  

You'll need to have a process in place for remote working: procedures for setting up new remote workers, managing their devices and accounts, and removing accounts that are no longer needed.

In order to meet the requirements of Cyber Essentials, remote workers must connect to your organisation's network or its SaaS applications in a way that keeps the controls intact: the device's own firewall enabled, a corporate VPN where internal systems are reached, and MFA for any cloud service.

Cyber Essentials Plus  

Cyber Essentials Plus is the next level up from Cyber Essentials. It uses the same five controls and the same self-assessment questionnaire, but an assessor from a certification body verifies your answers by testing: an external vulnerability scan of your internet-facing addresses, an authenticated scan of a sample of your devices to confirm they are patched and configured as declared, and tests that your malware protection blocks malicious attachments and downloads arriving by email and through the browser. The Plus assessment must be completed within three months of passing the self-assessment.

How do I get started?  

If you're not already certified, you can apply for Cyber Essentials certification through the IASME website or any of its licensed certification bodies. You'll fill out the online self-assessment questionnaire, and once your answers have been reviewed and passed, you'll be able to download your certificate.

If you are not ready to certify or are still unsure where to start, engaging with a Managed Security Services Provider (MSSP) or cyber-security consultant for a pre-assessment service could be the best way forward for your organisation.

There are a few things to keep in mind when applying for or renewing your Cyber Essentials certification. First, make sure that you have all the required information ready before starting the process, in particular your asset inventory with operating system versions, your list of cloud services, and confirmation that MFA is enabled on them. Second, if you're applying for Cyber Essentials Plus, you'll need to schedule the assessment with an accredited certification body within three months of passing the self-assessment. And finally, remember that Cyber Essentials is only valid for one year, so make sure to renew your certification on time!

If you would like any extra support, check out our free Cyber Security Assessment here!

 

Written by Sean Houghton

Commercial & Operations Director at Aztech
