There are now references to the Cyber Essentials requirements quoted throughout the assessment. Links are also provided to the Cyber Essentials Knowledge Hub, set up by IASME to provide advice and guidance on scope, operating system support and the five controls of Cyber Essentials. The Knowledge Hub can be accessed at https://ce-knowledge-hub.iasme.co.uk/
The main changes to the questions are as follows:
A2.7.1 How many staff are home or remote workers – remote workers are now included to reflect changes to flexible working in the past five years and that they may be connecting using untrusted networks in hotels and cafes.
A2.8 Network Equipment – clarification has been made, confirming that firewalls and routers should be listed here. The notes field should also confirm that home and remote workers are using software firewalls as their boundary.
Section 4 Firewalls – the wording for several questions has been changed to provide greater clarity about managing firewalls, any services that are enabled and reviewing firewall rules regularly.
Section 6 Security Update Management – clarification has been given to confirm that configuration changes or registry fixes must be applied, if advised by the operating system or application as a solution to remediate a critical or high rated vulnerability.
Passwordless Authentication – logging in without using a password is now accepted as compliant in Cyber Essentials if it uses accepted methods of authentication such as biometrics, security keys, tokens, one-time codes and push notifications. Passwordless authentication is now an option in the answers to the following questions:
A4.3 How is your firewall password configured?
A5.5 Authentication of external services
A7.10 Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?
A7.4 Do you ensure that staff only have the privileges that they need to do their current job – for Cyber Essentials it is now a requirement that the principle of least privilege be applied.
The Cyber Essentials Plus assessment test specification is also being updated. The new specification is expected to be confirmed in January 2025. The planned changes are designed to provide greater confidence in the cyber security posture of companies completing the certification and higher levels of assurance to their customers.
Find out more
We are an accredited Cyber Essentials Certification Body and have a 100% record of successfully certifying Companies for Cyber Essentials.
For more information please contact us on 0161 706 0244 or email info@cybersecurityspecialists.co.uk to speak with a member of the team.