Cyber Essentials Set for Major Changes in 2022

The UK government’s best practice cybersecurity framework is set to undergo the “biggest overhaul” of its technical controls since it was introduced in 2014, the National Cyber Security Centre (NCSC) has warned.

Cyber Essentials offers a simple set of steps that organizations can sign-up to and be certified against to prevent the most common cyber-threats. It’s available in a basic self-assessment version and a Cyber Essentials Plus scheme requiring hands-on technical verification by a third-party.

It covers areas such as firewalls, secure configuration, access controls and malware protection.

The new version of the program’s technical requirements will be officially released on January 24 2022.

“Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected. Organizations using the current standard will have six months from January 24 to complete the assessment,” the NCSC said.

“All Cyber Essentials applications starting on or after January 24 will use the updated version of requirements. We recognize that some organizations may need to make extra efforts when assessed against the new standards, so there will be a grace period of up to 12 months for some of the requirements.”

After consultation with assessors, applicants and the Cloud Industry Forum, the changes were brought in and are deemed essential to ensuring the program remains relevant amidst a fast-moving technology and threat landscape.

It also signals a more regular review process for the controls in the future, the NCSC claimed.

Among the new requirements are updates in areas such as home working, cloud services, BYOD, think clients and multi-factor authentication.

There’s also a new FAQs page and a technical blog from delivery partner IASME for further information