January 2022 updates to the Cyber Essentials scheme
Like many of our clients, Cydea has achieved Cyber Essentials, the UK government-backed scheme to help organisations protect themselves from common cyber threats.
The scheme was launched in 2014 and a lot has changed since then, not least in the last eighteen-or-so months: cloud services and SaaS apps are far more common, as is working from home (by choice, or necessity). This week the National Cyber Security Centre and IASME, their delivery partner, announced the first changes to the requirements of the scheme since it was launched. These are important updates to bring the scheme in line with the way that modern organisations operate. (We’ve struggled previously with how to demonstrate our own compliance against the scheme!)
There are a few main changes that we agree with, but we think that they may catch some organisations out, especially if your recertification is early in 2022: the new requirements come into force on 24th January 2022, and that doesn’t give you very long!
- Homeworking devices are in scope (excluding personal broadband routers)
- All cloud services are now in scope, with multi-factor authentication expected where available
- A new definition of ‘licensed and supported’ software as part of patch management, with high and critical updates applied within 14 days, and unsupported software to be removed
Multi-factor authentication applies immediately for cloud administrator accounts (hopefully already enabled!) while there is a 12-month grace period for implementation on all user accounts.
All software that falls outside the definition of ‘licensed and supported’ is expected to be moved into its own ‘sub-set’ or zone, without internet access, by January 2023 in order to maintain compliance.
You can find out more about the changes on the NCSC and IASME websites:
- NCSC - Update to the Cyber Essentials technical controls
- IASME - The January changes to the Cyber Essentials scheme reflect the changing cyber threats in today’s digital environment
Cydea can help with your Cyber Essentials certification, navigating the changing technical requirements, and with continuous compliance monitoring.
If you need help with your own Cyber Essentials programme, or are interested in our Compliance-as-a-Service solution, then you can find out more or get in touch.