
NCSC updates Cyber Essentials scheme

25/01/22

Mark Say, Managing Editor

The National Cyber Security Centre (NCSC) has published an update of its Cyber Essentials process in what it describes as the biggest change since the launch of the scheme in 2014.

It said this marks an overhaul in the technical control requirements, responding to the evolution of cyber threats, risks of ransomware and speed of digital transformation.

Cyber Essentials, which is delivered by the IASME consortium, provides certification for organisations that can show they have taken the appropriate steps to maintain strong cyber security. It is widely regarded as having an important role in the security arrangements of public sector organisations and is a requirement for some government contracts.

NCSC said the update follows a major technical review involving a consultation with the Cloud Industry Forum and feedback from assessors and previous applicants. The main changes are revisions to good practice in the use of cloud services, home working, multi-factor authentication, password management and security updates.

Among those highlighted in an NCSC blogpost on the changes are the implementation of a shared responsibility model for cloud services, dictating the security obligations of cloud provider and user, along with five technical controls.

For multi-factor authentication there is guidance on choosing the right additional factor for an organisation, and the password requirement has been updated to include the use of three random words.

There are no requirements regarding back-ups as the NCSC does not want to overload organisations in the certification process.

Changing landscape

Chris Ensor, NCSC deputy director for cyber skills and growth, said: “The landscape in which organisations are operating in cyber space is constantly changing, and this major refresh of the technical controls reflects the cyber security challenges of today.

“We’ve strengthened the Cyber Essentials scheme so that it continues to meet evolving threats and the increased risk of ransomware, and I would encourage UK businesses of any size to take part in order to protect themselves from the most common attacks.”

The update of the scheme has been accompanied by a renewed pricing structure to reflect the complex nature of assessments for some organisations.

Image from NCSC, Open Government Licence v3.0
