Cyber Essentials certification – a guide to the 2022 update


Cyber Essentials and Cyber Essentials Plus are changing in 2022. New infrastructure requirements and amendments to technical controls announced by the National Cyber Security Centre (NCSC) come into force on January 24, 2022. If your organisation requires Cyber Essentials certification, you need to know what the 2022 update means and how it affects certification.

Our guide to the 2022 updates to Cyber Essentials certification covers both Cyber Essentials and Cyber Essentials Plus. It outlines the main changes to the scheme’s technical controls and what they mean for your organisation. It’s an essential read for any organisation looking to become certified or to work as a supplier to organisations such as the Ministry of Defence (MoD) and the National Health Service (NHS).

Our Cyber Essentials 2022 guide details:

  • Summary of the key 2022 changes
  • What Cyber Essentials is
  • Main changes such as BYOD (Bring Your Own Device) and home workers
  • Cyber Essentials Plus changes
Find out more about our Cyber Essentials and Cyber Essentials Plus services designed to help protect your organisation from common cyber-attacks, apply for Cyber Essentials-required contracts and increase your reputation and credibility. Fully updated for the latest Cyber Essentials 2022 certification requirements.

What is Cyber Essentials?

Cyber Essentials launched in June 2014 and is a globally recognised IT standard developed by the NCSC.

It was created to ensure that consistent cyber security standards are applied by suppliers and organisations that handle, store and share sensitive data. It helps organisations build a robust infrastructure designed to minimise the impact of common cyber-attacks, such as hacking and malware (including ransomware). More than 30,000 certificates have been issued to organisations.

It covers five essential cyber security controls, including boundary firewalls, access control and malware protection.

What is the Cyber Essentials 2022 update?

The new Cyber Essentials question set – known as Evendine – launched on January 24, 2022. It is the most significant change to the standard since it was launched. While new question sets have been released previously, there have been very few changes to the scheme requirements themselves. With the Evendine release, there are significant changes to the scope requirements and the controls that need to be applied to the devices within that scope.

The changes are designed to modernise the scheme and take into account key technology trends and infrastructure changes that have become commonplace. Trends such as a move to greater home working and Bring Your Own Device (BYOD) are now part of the scheme.

The 2022 update includes changes to Cyber Essentials relating to:

  • Cloud-based services such as Software as a Service (SaaS)
  • Passwords and two-factor authentication
  • Device declaration and BYOD
  • Thin clients
  • Homeworkers
  • Routers and Firewalls

It is worth noting that the Cyber Essentials standard is constantly evolving, and the question set is usually updated annually. This is because the threat landscape keeps evolving too: attacks that were successfully thwarted in previous years may since have become more sophisticated in how they are delivered, and would succeed today against defences that have not kept pace.

Cyber Essentials 2022 – cloud services

The Evendine update introduces significant changes to what must be included in the scope, the most noticeable being that all cloud services are now required to be in the scope of Cyber Essentials.

  • Infrastructure as a Service (IaaS) – already in scope for Cyber Essentials; covers on-demand IT services such as storage and computing.
  • Software as a Service (SaaS) – previously regarded as out of scope; covers on-demand software services such as cloud-hosted business apps.
  • Platform as a Service (PaaS) – previously a grey area that needed careful consideration as to whether it was in scope or not; covers cloud development and deployment platforms such as database management.

It is now not possible to certify either just the cloud elements of the business or servers only. The NCSC and IASME have clarified that end-user devices must be in scope as well.

The 2022 update means that:

  • It is not acceptable to descope all end-user devices.
  • It is not possible to descope cloud services used by your organisation.
  • All devices/software/firmware in scope (including BYOD) must be supported, and all controls applied.

Cyber Essentials 2022 – passwords

There are also changes to passwords and 2-factor authentication (2FA) requirements.

From January 24, all administrative users of cloud services must have multi-factor authentication (MFA) applied, and all standard user accounts will need MFA when certifying in 2023.

In the meantime, user accounts will need either:

  • 12-character passwords, or
  • 8-character passwords when a technical control is in place to deny bad passwords.

The NCSC requirements document describes the new password controls as:

  • Workers must be educated on how to avoid common or discoverable passwords, such as a pet’s name, common keyboard patterns or passwords they have used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
  • Encouraging people to choose longer passwords. This can be done by promoting the use of multiple words (a minimum of three) to create a password (e.g., ‘Three Random Words’).
  • Providing usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used.
  • Not enforcing regular password expiry and not enforcing password complexity requirements.
  • There is an established process to change passwords promptly if the applicant knows or suspects the password or account has been compromised.
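The two acceptable password options (12 characters, or 8 characters backed by a technical control that denies bad passwords) and the NCSC guidance on avoiding common or discoverable passwords can be expressed as one acceptance check. The following is an added example, not code from this guide or from the NCSC: the deny list, keyboard patterns and context words (user name, organisation name) are constructed sample values, and a real control would load a much larger list of breached and common passwords.

```python
"""Password acceptance check modelled on the Cyber Essentials 2022 rules.

Rule, as stated in the guide:
  - passwords of at least 12 characters are acceptable as-is, or
  - passwords of at least 8 characters are acceptable when a technical
    control is in place to deny bad passwords.
The deny control below also rejects discoverable passwords (user name,
organisation name) in line with the NCSC guidance; it deliberately enforces
no complexity rules and no periodic expiry.
"""
import re

# Constructed sample deny list. A real deployment would load a large
# breached/common-password list instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty", "letmein", "welcome", "admin",
    "123456789", "iloveyou", "football",
}

# Keyboard walks: the "common keyboard patterns" the NCSC text refers to.
KEYBOARD_PATTERNS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _normalise(pw: str) -> str:
    """Lower-case and strip trailing digits/symbols, so that
    'Password1!' is compared against the deny list as 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_common(pw: str, denylist=COMMON_PASSWORDS) -> bool:
    """True if the password (raw or normalised) is on the deny list, or
    contains a run of four or more adjacent keyboard keys."""
    low = pw.lower()
    if low in denylist or _normalise(pw) in denylist:
        return True
    for walk in KEYBOARD_PATTERNS:
        for i in range(len(walk) - 3):
            if walk[i:i + 4] in low:
                return True
    return False


def is_discoverable(pw: str, context_words) -> bool:
    """True if the password contains something an attacker could look up
    about the user or organisation (words of three or more characters)."""
    low = pw.lower()
    return any(w.lower() in low for w in context_words if len(w) >= 3)


def password_acceptable(pw: str, context_words=(), denylist_enforced: bool = True):
    """Return (accepted, reason) under the 2022 rules.

    denylist_enforced=False models an organisation with no technical deny
    control, where the 12-character minimum is the only acceptable option.
    """
    min_len = 8 if denylist_enforced else 12
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if denylist_enforced:
        if is_common(pw):
            return False, "on the deny list or a keyboard pattern"
        if is_discoverable(pw, context_words):
            return False, "contains a discoverable word"
    return True, "ok"


if __name__ == "__main__":
    # Constructed context: the account's user name and a fictitious employer.
    ctx = ("alice", "ExampleCo")
    for candidate in ("Password1!", "Alice-Summer-Garden", "Correct Horse Battery"):
        print(candidate, "->", password_acceptable(candidate, ctx))
```

The check is intentionally lenient on structure: a three-word phrase with no digits or symbols passes, while a short password that is a common word with a digit appended does not, which matches the NCSC emphasis on length and deny lists over complexity rules.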

Cyber Essentials 2022 – declaring devices and BYOD

Servers and end-user device quantities must be declared, and a new requirement is that the make and model of each device, as well as its operating system, must be declared too. A common reason for assessments being sent back is that the operating system was declared without both its edition and its version number; both are required.

To provide the required information, we recommend that an up-to-date asset register be maintained, and this must include BYOD devices.

As tracking BYOD devices can be complex, we would suggest having a process for “on-boarding” a BYOD device so that the owner/make/model/OS can be documented whenever a staff member wishes to use their own device to connect to company data.

You should also prepare your staff for the possibility that, if they choose to use a BYOD device, the device may need to be tested during Cyber Essentials Plus auditing, which should be covered through employment contracts or internal policy. The recommendation is to cover this off with HR to ensure adequate coverage for BYOD.

All BYOD devices that access business data – including emails and cloud services – must be regarded as being in scope and must be fully declared. They must also have all the controls applied to them in the same way a corporate device would.

If mobile devices are only being used to access a virtual desktop infrastructure (VDI) solution, this will bring the device into scope in the same way as if it could access corporate emails.

If BYOD devices are only used for voice calls, SMS text messages or as a platform to receive 2-factor authentication codes, then this does not bring them into scope.

You should assess if BYOD devices are essential to your business.

Unless you treat BYOD devices in the same way as corporate mobiles – all updates applied, a PIN of at least 6 characters enforced (with rate limiting and lockout in place), and the device not jailbroken or rooted – you may fail Cyber Essentials and/or Cyber Essentials Plus.

Cyber Essentials 2022 – thin clients

From 2023, all thin clients will need to be in support and receive security updates. The Evendine question set will include questions around thin client use.

Home workers

There is clarification around organisations that employ home workers. If the home network uses an ISP-provided router, this is seen as being out of scope. Should the organisation provide a router for the home worker, then this will be in scope.

Homeworker computers must have the software firewall active on the device. If this is in place, then home networks are out of scope. In the interests of best practice, we suggest the public firewall profile be set to deny all incoming traffic.

Cyber Essentials 2022 – routers and firewalls

These must have a password of at least 8 characters and either 2FA in place, or logins limited to internal addresses or a select few whitelisted external IP addresses.

This will also be tested as part of Cyber Essentials Plus.

Cyber Essentials Plus

There are also some significant changes to the Cyber Essentials Plus testing and auditing process.

As a CE Plus Assessor, I have seen many organisations fail the standard due to insufficient patching of operating systems and applications. Applying security updates within the mandated 14-day period presents a challenge to some organisations, and the changes will only raise the bar further.

The reason is that previously we were allowed to discount some vulnerabilities that required particular attack methods, such as local access to the machine or tricking a user into taking an action. Additionally, the attack had to be shown to work with a reasonable level of certainty.

In the new Cyber Essentials Plus, all critical and high vulnerabilities must be remediated regardless of the attack vectors. This is a significant change, and many organisations that I have previously been able to pass would now fail under the new assessment.

A new test of all cloud services is being introduced, which initially checks that all administrator accounts have 2FA enabled. From 2023, all accounts, even standard user accounts, need to have 2FA present.

There are further tests to ensure that administrators do not work day-to-day with admin privileges, which I often find is a contentious requirement for developers. Needless to say, even for developers, holding admin privileges for everyday work is prohibited.

For macOS/Linux devices specifically, there must be account separation between the user account (used for day-to-day work such as email/web browsing) and the administrative account of the machine. It is not compliant for a user to be a part of the “sudo” user group – there must be complete separation.
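One way to audit the account separation described above is to check each day-to-day user account against the groups that grant administrative rights. The following is an added example, not code from this guide or from the Cyber Essentials scheme. It parses /etc/group and /etc/passwd-format text; the sample files and the account names in them are constructed for the example, and the set of administrative group names is an assumption that should be adjusted for the build in use (on macOS the admin group is managed by Directory Services, so the membership list from `dscl` should be supplied instead of /etc/group).

```python
"""Audit day-to-day user accounts for membership of administrative groups.

Both supplementary membership (the member list in /etc/group) and primary
group membership (the GID field in /etc/passwd, which does not appear in
/etc/group's member list) are checked, since either grants the rights.
"""
from typing import Dict, List, Set, Tuple

# Assumed group names that confer admin rights on common Linux/macOS builds.
ADMIN_GROUPS = {"sudo", "wheel", "admin", "root"}

# Constructed sample data; on a real host use open('/etc/group').read() etc.
SAMPLE_GROUP_FILE = """\
root:x:0:
wheel:x:10:ops
sudo:x:27:alice
admin:x:80:carol
staff:x:20:alice,bob,carol,dave
developers:x:1001:bob,dave
"""

SAMPLE_PASSWD_FILE = """\
root:x:0:0:root:/root:/bin/bash
ops:x:999:10:Ops Admin:/home/ops:/bin/bash
alice:x:1000:20:Alice:/home/alice:/bin/bash
bob:x:1001:27:Bob:/home/bob:/bin/bash
carol:x:1002:20:Carol:/home/carol:/bin/zsh
dave:x:1003:20:Dave:/home/dave:/bin/bash
"""


def parse_group_file(text: str) -> Dict[str, Tuple[int, Set[str]]]:
    """Map group name -> (gid, set of supplementary members)."""
    groups: Dict[str, Tuple[int, Set[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 4 or not f[2].isdigit():
            continue  # malformed line: skip rather than guess
        groups[f[0]] = (int(f[2]), {m for m in f[3].split(",") if m})
    return groups


def parse_passwd_file(text: str) -> Dict[str, int]:
    """Map user name -> primary GID."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[3].isdigit():
            users[f[0]] = int(f[3])
    return users


def admin_membership(group_text: str, passwd_text: str,
                     admin_groups=ADMIN_GROUPS) -> Dict[str, Set[str]]:
    """Map user -> set of admin groups the user belongs to (any route)."""
    groups = parse_group_file(group_text)
    gid_to_name = {gid: name for name, (gid, _) in groups.items()}
    result: Dict[str, Set[str]] = {}
    # Route 1: listed as a supplementary member of an admin group.
    for name, (_, members) in groups.items():
        if name in admin_groups:
            for user in members:
                result.setdefault(user, set()).add(name)
    # Route 2: primary group in /etc/passwd is an admin group.
    for user, gid in parse_passwd_file(passwd_text).items():
        gname = gid_to_name.get(gid)
        if gname in admin_groups:
            result.setdefault(user, set()).add(gname)
    return result


def separation_violations(daily_users, group_text: str, passwd_text: str,
                          admin_groups=ADMIN_GROUPS) -> List[Tuple[str, List[str]]]:
    """Day-to-day accounts that also hold admin group membership. Each entry
    is a finding against the account-separation requirement."""
    admins = admin_membership(group_text, passwd_text, admin_groups)
    return sorted((u, sorted(admins[u])) for u in daily_users if u in admins)


if __name__ == "__main__":
    daily = ["alice", "bob", "carol", "dave"]  # constructed list of staff accounts
    for user, groups in separation_violations(daily, SAMPLE_GROUP_FILE, SAMPLE_PASSWD_FILE):
        print(f"{user}: day-to-day account is in admin group(s) {groups}")
```

In the sample data, `ops` is a dedicated administrative account and is not in the day-to-day list, so it is not reported; `bob` is reported even though he does not appear in the `sudo` member list, because `sudo` is his primary group.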

Summary

To ensure your certification journey is as smooth as possible, we suggest you select the guided process and ask for a pre-audit, so that you are not caught out by being unable to meet your predicted timescale.

With more organisations requiring their suppliers to be certified to the Cyber Essentials standard, we suggest that you start your journey early, whether for renewal or for first-time certification. Early advice is also key to success.


Written by Amtivo Admin
