The National Cyber Security Centre (NCSC) is planning to update the technical controls of its Cyber Essentials scheme in the new year.
It has indicated that it will introduce an updated set of requirements on 24 January in what it described as the biggest overhaul since the scheme was launched in 2014.
This comes in response to the further evolution of cyber threats and points towards a more regular review of the technical controls in the future.
Cyber Essentials is a list of requirements, backed by the UK Government, for organisations to defend against the most common threats. Certification is intended to provide a degree of assurance that an organisation is well protected.
The IASME Consortium, the NCSC’s delivery partner for the scheme, has provided an outline of the changes, which include: bringing home-working devices, but not routers, into scope; using multi-factor authentication for access to cloud services; applying all high and critical updates within 14 days and removing unsupported software; and following guidance on backing up important data.
Two new tests have also been added: one to confirm account separation between user and administration accounts; the other to confirm multi-factor authentication is required for access to cloud services.
Organisations using the current standard will have six months to complete the new assessment to retain their certification.
IASME said there will be a grace period of one year to allow organisations to make changes around multi-factor authentication, thin clients and security updates. It added that further guidance will soon be made available.
The NCSC said the Cyber Essentials Readiness tool, which helps organisations prepare for certification, will also be updated.
“The way we work has changed dramatically over a short period of time,” it said. “The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the Covid-19 pandemic, which is now routine for many people.
“The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.”