Changes to Cyber Essentials and Cyber Essentials Plus require urgent action...
The NCSC and IASME have released a significant update to the Cyber Essentials and Cyber Essentials Plus standards, which will take effect as of January 24th 2022. Cyber Essentials and Cyber Essentials Plus are UK certification schemes that help you protect your organisation against security threats.
These changes are intended to both align with the latest information security best practices and react to the mass adoption of cloud services and home working over the last two years. We’ve pulled together the key changes, including new pricing, and certification strategy options below.
The most impactful changes can be summarised as follows:
- All Cloud services used by your organisation need Multi-Factor Authentication enforced on all administrator accounts
- Patches requiring configuration changes must be applied
- Stronger password requirements
- Home worker-owned routers and firewalls are no longer in-scope
- Mobile devices need a PIN of at least 6 characters
Cyber Essentials Plus
- Authenticated patch assessment pass/fail criteria will change to address the new patch management requirements
- Two new audit tests are being added
For Cyber Essentials, certification fees will now be priced on a tiered model:
- Micro Organisations (0-9 employees) - £300 + VAT
- Small Organisations (10-49 employees) - £400 + VAT
- Medium Organisations (50-249 employees) - £450 + VAT
- Large Organisations (249+ employees) - £500 + VAT
To provide a grace period of implementation, Cyber Essentials submissions started before January 24th will be honoured for 6 months, allowing you time to comply with the new standard.
Additionally, organisations awarded with the previous Cyber Essentials standard will be audited against the previous Cyber Essentials Plus standard version, as long as this is done within 3 months of achieving Cyber Essentials.
Therefore, due to the changes and the 6 month grace period for any submission started before January 24th, we identify two potential strategies for ongoing certification efforts:
Strategy 1 - Adopt the new standard and proceed with normal certification/recertification timelines (Strongly Advised)
Strategy 2 - Start recertification before January 24th to be certified against the old standards (Not advised)
The changes to this certification are detailed and complex, therefore, we understand you may have questions or need some guidance. We will be hosting webinars on this topic in January, please take a look at our events page to find the next one.
Alternatively, please contact our Cyber team today to discuss this further.