Cyber Essentials: Some big changes made in 2022
In January, the NCSC announced an update of the Cyber Essentials technical controls. This move was part of a regular review of the scheme to ensure it keeps evolving as the threat landscape and technologies change.
That update was the biggest overhaul of the scheme’s technical controls since its launch in 2014. For this reason, the NCSC recognised that some organisations might need to make extra efforts when assessed against the new standards, so a grace period of up to 12 months was offered for three of the requirements:
- any thin clients included in the scope of certification must be supported and receiving security updates
- all unsupported software is either removed or segregated from scope via a sub-set
- all user accounts on cloud services are protected by multi-factor authentication (MFA)
“This grace period was due to end in January 2023. However, the decision has now been made to extend this grace period for a further three months until April 2023. This will coincide with the next, light touch, update to Cyber Essentials’ technical requirements.” (source: NCSC)
The core technical controls and the philosophy behind Cyber Essentials didn’t fundamentally change. Getting the basics right on firewalls, secure settings, access control, malware protection and updates is, says the National Cyber Security Centre, still an ‘essential’ foundation of cyber security. When applied correctly, these technical controls help UK organisations meet a basic standard of cyber security.
The changes made were mostly about clarifying and emphasising things which have always been part of the certification but were often misinterpreted or overlooked. Many of them reflect the impact of digital transformation, such as the widespread take-up of cloud services, and the impact of more hybrid working.
In light of the increase in hybrid working, the section on BYOD (Bring Your Own Device) has been extended, as has the section on legacy software. Software update timeframes have been clarified, and starting in April 2023 multi-factor authentication will be required on cloud services.
“Despite the challenges and substantial changes to the Cyber Essentials certification once again, we have passed the Cyber Essentials certification without any issues raised. Staff worked with a new security partner to ensure that we have all the practices and processes in place to be compliant with the new requirements. All the hard work put in by our teams that work on keeping our services secure has been recognised and a new certificate has been awarded. The implementation of our service passes the higher standards required for service providers in 2023.” Chris Johnson, Data Protection and Compliance Manager, February 2023
However, we’re not resting on our laurels: from April 2023, an update to the Cyber Essentials technical requirements will be released, focussing largely on a series of clarifications. It will also include important new guidance on firmware, third-party devices, device unlocking, malware protection and zero trust architecture.
Clients can be reassured that Welfare Call’s team of specialists continue to track these requirement changes and use proven best practices and tested security processes to ensure that the services remain secure.
The Cyber Essentials certificate provides independent assurance that Welfare Call Ltd have the protections correctly in place to handle the sensitive data that our services deliver. You can use the National Cyber Security Centre’s Cyber Essentials accredited list to independently confirm our status, or that of any other company you are considering buying services from.