04.01.2022 | Jason Johnson | Tags: Cyber Essentials

Cyber Essentials Scheme 2022 Update Summary

The Cyber Essentials scheme is going through the biggest overhaul since its inception back in 2014. The newest update (named Evendine) goes live on the 24th January 2022 and heralds the arrival of a number of changes, including the increased coverage of cloud services, introduction of device locking requirements and new password criteria. Some of these changes go live immediately while others come with a grace period.

In this guide we’ll summarise the top 10 major changes that Evendine will deliver and highlight what organisations need to do to meet the requirements of the updated Cyber Essentials scheme.

 

Summarising the Scheme Changes

 

Clarity on Home-Worker Devices

The Cyber Essentials Standard has been updated to include clear definitions of what is, and isn’t, in scope concerning the devices of home workers:

  • Both BYOD and corporately owned devices that are used for business purposes within the home location will be in scope for Cyber Essentials.
  • Routers that are owned by home workers or provided by their internet service provider (ISP) are out of scope. In this case the devices of home workers on the network will need to have a software firewall configured (meeting the Cyber Essentials firewall controls).
  • Routers that are supplied by the applicant organisation will be in scope.
  • Where a home worker is using a corporate VPN (which tunnels all data in transit through the applicant organisation’s network perimeter firewall), the home worker’s device internet boundary will be the applicant organisation’s network perimeter firewall.

 

SaaS and PaaS Cloud Services Now in Scope

Arguably the biggest change to the Cyber Essentials scheme this year is that the scope now encompasses Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) cloud solutions that host organisation data and/or services. Previously the scope only encompassed Infrastructure-as-a-Service (IaaS), which meant that the security of highly adopted cloud solutions such as Microsoft Office 365 and Google Workspace was not in scope.

Cloud services are not secure by default, and the changes to the scheme require that organisations take responsibility for the user access control and secure configuration of their services, including:

  • Ensuring that the Cyber Essentials firewall requirements are sufficiently implemented.
  • Ensuring that access to administrator accounts and organisation resources is restricted to users who require it to fulfil their role.
  • Ensuring that sufficient malware protections are in place.
  • Ensuring that the underlying infrastructure meets the Cyber Essentials security updates requirement.

 

Cloud Services Must Enable and Apply Multi-Factor Authentication

In addition to the requirements introduced above, multi-factor authentication (MFA) must be enabled on all cloud services where the option is available. Once enabled, the organisation must ensure that MFA is also applied to user accounts. Please note that this requirement only applies to administrator accounts currently but will also include non-admin user accounts as of January 2023. In summary, where a cloud service has the option for MFA:

  • All administrator user accounts must have MFA applied.
  • Non-administrator user accounts are not required to have MFA applied immediately but organisations should begin working towards ensuring that all user accounts have MFA enabled as the requirement for MFA will come into effect in January 2023.

 

Clarity on Scoping Thin Clients

Thin clients have been in scope under the Cyber Essentials scheme for a while; however, they were often overlooked as they weren’t explicitly mentioned in the questionnaire. The questionnaire now has a dedicated question to ascertain whether any thin clients fall into scope. A thin client is a simple (low-performance) computer that has been optimised for establishing a remote connection with a server-based computing environment.

Please note that there is a grace period for the requirement that thin clients be supported and receive security updates; it will be marked for compliance from January 2023.

 

Clarity on Scoping Mobile Devices

Evendine hasn’t changed the requirements for mobile devices but this update includes a clearer definition on when mobile devices are in scope. Mobile devices (smart phones and tablets) will be in scope where they connect to any organisation data or services (including access to emails).

Please note that mobile devices will fall out of scope where they are only used for one or more of the following purposes:

  • Native voice communications (Voice calls).
  • SMS (Text messages).
  • Multi-factor authentication (e.g. via text message or MFA applications).

 

Servers and Licensed/Supported Software Definitions Added

The Cyber Essentials Standard now clearly defines servers as well as licensed and supported software.

A server is defined by IASME/NCSC as ‘specific devices that provide organisational data or services to other devices as part of the business of the applicant.’

Licensed and supported software is now defined as ‘software that you have a legal right to use and that a vendor has committed to support by providing regular updates (patches). The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.’

 

‘Sub-Set’ Clearly Defined When Removing Devices from Scope

When completing the Cyber Essentials certification, the applicant organisation is able to outline a sub-set of the organisation that is in scope, allowing them to de-scope certain networks and devices. A sub-set is now clearly defined as ‘a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.’

Please note that only a sub-set of the organisation infrastructure that is clearly segregated as described above can be removed from scope. It is not possible to remove individual devices from scope unless they are encompassed within the de-scoped sub-set of an organisation’s infrastructure.

 

Device Locking Requirements Introduced

Device locking requirements have been introduced for devices whose services can be accessed physically (i.e. workstations and mobile devices), but only where the credentials used to log in are used solely for that physical login. This means that workstations connected to Active Directory, for example, will instead have to follow the more robust password requirements (explained below).

Devices that fall under these locking requirements (predominantly mobile devices) will need to meet the following criteria:

  • Devices must be locked with either a biometric, password or PIN authentication mechanism (password/PIN needs to be at least 6 characters long) AND EITHER
  • The time the user must wait between failed login attempts increases with each subsequent incorrect attempt (permitting no more than 10 guesses in 5 minutes) OR
  • The user must be locked out of the device after no more than 10 unsuccessful attempts.

 

New Password and Multi-Factor Authentication Requirements

New password/MFA requirements have also been introduced to increase protection against brute-force password guessing attacks. When implementing password-based authentication one of the following protections needs to be implemented:

  • Using multi-factor authentication.
  • Throttling the rate of login attempts. The time the user must wait between failed login attempts increases with each subsequent incorrect attempt (permitting no more than 10 guesses in 5 minutes).
  • Locking the account after no more than 10 unsuccessful attempts.

 

In addition, one of the following technical controls must also be used to manage the quality of passwords:

  • Enforcing a minimum password length of at least 8 characters with no maximum length restrictions WHERE multi-factor authentication is in place for the service.
  • Enforcing a minimum password length of at least 8 characters with no maximum length restrictions WHERE passwords are automatically checked against a list of common passwords and prevented from being used.
  • Enforcing a minimum password length of at least 12 characters, with no maximum length restrictions.
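The throttling, lockout and minimum-length options in the device locking list and the two password lists above share the same numeric bounds, so the following added Python example (not Predatech’s or NCSC’s code) checks a candidate configuration against them: it simulates a back-off schedule to count how many guesses it permits in five minutes, tracks lockout after ten failures, and applies the three acceptable password-quality options. The doubling schedule, the linear schedule it is compared with, the denylist and the sample passwords are constructed assumptions.

```python
"""Checks modelled on the Evendine brute-force and password-quality controls.

Added example, not Predatech's or NCSC's code.  The back-off schedules,
denylist and sample passwords below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict

MAX_GUESSES = 10          # no more than 10 guesses ...
WINDOW_SECONDS = 5 * 60   # ... in any 5-minute window


def backoff_delay(failures: int) -> int:
    """Seconds a user must wait after their Nth consecutive failure.

    Constructed schedule: 1, 2, 4, 8, ... seconds, doubling each time and
    capped at one hour.  The scheme only demands that the wait grows with
    each failure AND that the rate stays within 10 guesses per 5 minutes;
    the second part is verified by guesses_in_window() below.
    """
    if failures <= 0:
        return 0
    return min(2 ** (failures - 1), 3600)


def guesses_in_window(delay_fn: Callable[[int], int],
                      window: int = WINDOW_SECONDS,
                      cap: int = 10_000) -> int:
    """Simulate an attacker who fails every guess and waits out each delay.

    Returns how many guesses land strictly inside the first `window`
    seconds.  `cap` stops the loop for schedules with no delay at all.
    """
    elapsed, guesses = 0, 0
    while elapsed < window and guesses < cap:
        guesses += 1
        elapsed += delay_fn(guesses)   # delay imposed after this failure
    return guesses


def throttle_meets_requirement(delay_fn: Callable[[int], int]) -> bool:
    """True when the schedule permits no more than 10 guesses in 5 minutes."""
    return guesses_in_window(delay_fn) <= MAX_GUESSES


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False


class LockoutPolicy:
    """Lock an account after no more than `max_failures` unsuccessful attempts."""

    def __init__(self, max_failures: int = MAX_GUESSES) -> None:
        self.max_failures = max_failures
        self.accounts: Dict[str, AccountState] = {}

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; returns True if the account is now locked."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked:
            return True
        state.failures += 1
        if state.failures >= self.max_failures:
            state.locked = True
        return state.locked

    def record_success(self, user: str) -> None:
        """A successful login (or an administrator reset) clears the counter."""
        self.accounts[user] = AccountState()

    def is_locked(self, user: str) -> bool:
        return self.accounts.get(user, AccountState()).locked


# Constructed stand-in for a real common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


def password_acceptable(password: str, *, mfa_enabled: bool,
                        denylist_enforced: bool,
                        denylist=COMMON_PASSWORDS) -> bool:
    """Apply the three acceptable password-quality options.

    (a) at least 8 characters where MFA protects the service;
    (b) at least 8 characters where a common-password denylist is enforced;
    (c) at least 12 characters with neither.
    None of the options imposes a maximum length, so none is checked here.
    """
    if denylist_enforced and password.lower() in denylist:
        return False                       # common password: blocked outright
    if len(password) >= 12:
        return True                        # option (c)
    if len(password) >= 8 and (mfa_enabled or denylist_enforced):
        return True                        # option (a) or (b)
    return False


if __name__ == "__main__":
    for label, fn in [("doubling", backoff_delay), ("constant 1s", lambda n: 1),
                      ("linear 5s*n", lambda n: 5 * n)]:
        print(f"{label:12s} guesses in 5 min: {guesses_in_window(fn):4d} "
              f"compliant: {throttle_meets_requirement(fn)}")
```

The linear schedule in the usage block is the instructive case: its wait does grow with every failure, yet it still allows 11 guesses in the first five minutes, so "increasing delay" on its own does not satisfy the control; the numeric bound has to be checked against the actual schedule.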

 

Changes to the Classification of High/Critical-Risk Vulnerabilities

Applicant organisations are still required to apply updates for high and critical-risk vulnerabilities within 14 days of release; however, the scheme’s definition of high and critical-risk has changed.

Previously the scheme required that vulnerabilities meet certain CVSS calculation parameters (in addition to the CVSSv3 severity score) to be classed as high or critical-risk vulnerabilities. These parameters are no longer considered when determining whether a vulnerability is high/critical risk under the scheme.

As a result, all software updates need to be applied within 14 days of the update being released where any one of the following applies:

  • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  • The update addresses vulnerabilities with a CVSS v3 score of 7 or above
  • No detail about the vulnerabilities the update fixes is provided by the vendor
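The three conditions above, as an added Python example (not Predatech’s or NCSC’s tooling) that a patch-management team could run over its update feed: each update carries the vendor’s own severity wording, the highest CVSS v3 score it fixes, and whether the vendor gave any detail at all, and the triage returns the 14-day deadline and flags overdue items first. The Update records, vendor wordings, dates and the set of vendor severity words treated as high are constructed assumptions.

```python
"""Triage vendor updates against the scheme's 14-day rule.

Added example, not Predatech's or NCSC's tooling.  The sample updates,
vendor wordings and dates are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)   # apply within 14 days of release
CVSS_THRESHOLD = 7.0                # CVSS v3 score of 7 or above

# Vendor wordings treated as 'critical' or 'high risk'.  Assumption: vendors
# phrase severity differently, so extend this set per vendor feed.
HIGH_SEVERITY_WORDS = {"critical", "high", "high risk"}


@dataclass
class Update:
    name: str
    released: date
    vendor_severity: Optional[str] = None   # vendor's own wording, if given
    cvss_v3: Optional[float] = None         # highest CVSS v3 score fixed, if given
    details_provided: bool = True           # False when the vendor says nothing


def must_apply_within_window(u: Update) -> bool:
    """True when any one of the scheme's three conditions applies."""
    if not u.details_provided:
        return True                          # no detail: treat as high risk
    if u.vendor_severity and u.vendor_severity.strip().lower() in HIGH_SEVERITY_WORDS:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return False


def deadline(u: Update) -> date:
    return u.released + PATCH_WINDOW


Row = Tuple[str, bool, Optional[date], bool]   # name, required, due, overdue


def triage(updates: List[Update], today: date) -> List[Row]:
    """Return one row per update, overdue items first, then by due date."""
    rows: List[Row] = []
    for u in updates:
        required = must_apply_within_window(u)
        due = deadline(u) if required else None
        overdue = required and today > due
        rows.append((u.name, required, due, overdue))
    rows.sort(key=lambda r: (not r[3], r[2] or date.max))
    return rows


# Constructed sample feed.
SAMPLE_UPDATES = [
    Update("browser-2022.01", date(2022, 1, 10), "Critical", 9.8),
    Update("lib-x 1.4", date(2022, 1, 3), "Moderate", 5.3),
    Update("kernel-xyz", date(2022, 1, 15), None, 7.2),          # score alone qualifies
    Update("vendor-blob", date(2021, 12, 20), None, None, details_provided=False),
]

if __name__ == "__main__":
    for name, required, due, overdue in triage(SAMPLE_UPDATES, date(2022, 1, 24)):
        status = "OVERDUE" if overdue else (f"due {due}" if required else "not in 14-day window")
        print(f"{name:16s} {status}")
```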

 

Predatech is a CREST accredited cyber security consultancy and Cyber Essentials/Cyber Essentials Plus Certification Body that offers fully supported, end-to-end certification. Please contact us if you’re interested in a free consultation.

© 2021 Predatech Limited