Cyber Essentials Update April 2023: A Summary

In just two months (April 2023), there will be a Cyber Essentials update to the scheme’s technical requirements. Although the changes are nowhere near as big as last year, we thought we’d share what we know.

What is Cyber Essentials?

As an IT Security standard, the UK government’s Cyber Essentials scheme is designed to help businesses protect themselves against the most common cyber threats and is regularly updated with new guidance and best practices.

There are two levels of Cyber Essentials certification:

  • Cyber Essentials: This level covers the basic cybersecurity measures that organisations should implement to protect against common cyber threats.
  • Cyber Essentials Plus: This level includes more rigorous testing and verification of the cybersecurity measures to achieve the Cyber Essentials certification, which many of our clients hold.

The scheme focuses on five key areas of cybersecurity, including:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

By obtaining Cyber Essentials certification, businesses can demonstrate to their clients, suppliers, and stakeholders that they take cybersecurity seriously and have implemented effective cybersecurity measures to protect against cyber threats.

What will the Cyber Essentials 2023 Update Include?

The Cyber Essentials 2023 update has been described by the NCSC and its Cyber Essentials delivery partner IASME as a “much lighter touch” compared to last year’s major update. April 2023 will bring several clarifications as well as new guidance, as follows:

  • User devices. All user devices covered by the certification, aside from network equipment like firewalls and routers, just need to have the make and operating system listed. This removes the need for the applicant to list the model of each device. If you’re familiar with Cyber Essentials, you’ll notice this change within the self-assessment question set rather than the requirements document.
  • Malware protection. It’s no longer necessary for anti-malware software to be signature-based. Cyber Essentials have also made it clear what the various mechanisms are for different device types. Sandboxing has been removed as an option altogether.
  • Thirdparty devices. Further information exists (with a new table) on how third-party devices, such as those belonging to contractors or pupils, should be handled.
  • New guidancehas been issued on zero trust architecture for achieving Cyber Essentials certification and there’s an extra note on the importance of asset management.
  • Interpretation of Since all firmware is currently considered ‘software,’ it must be supported and kept up to date. This has been modified to only include router and firewall firmware following feedback that this information can be difficult to find.
  • Device unlocking. Changes have been made to address concerns with unconfigurable default device settings (for example, where a number of unsuccessful login attempts have been made before a device is locked). In this type of scenario, the NCSC advises that applicants may now make use of the default settings.
  • Structure updated. Firewalls, secure configuration, security update management, user access controls, and malware protection are now listed in the same order as the question set for consistency’s sake.
  • Style and language. You may notice that the guidance is a little easier to read and understand in places – again, the changes have been made following feedback.
  • Cyber Essentials Plus There have been a couple of updates to the CE+ Test Specification Document. The most noticeable change is to the Malware Protection tests that are designed to make the process easier for applicants and assessors.

When will the 2023 Cyber Essentials Update Happen?

This latest Cyber Essentials update will come into effect from 24 April 2023. This means that if you start your Cyber Essentials application on or after this date, you will follow the new question set and requirements.

If your organisation collects, stores, and uses customer or employee information on a website or computerised system, or if you simply want to step up your company’s security to prevent serious effects from cyberattacks, Agile Technical Solutions strongly recommends becoming Cyber Essentials certified.

We can provide complete support and certification services for both Cyber Essentials and Cyber Essentials PLUS. So please reach out to us on 01206 700930 for support and advice.