As you may have heard, there was recently a change in the requirements for Cyber Essentials (CE) and Cyber Essentials PLUS (CE+) on the 24th of January 2022.
This has been described as the “biggest overhaul of the scheme’s technical controls since its launch”. The changes were made so that the scheme reflects modern businesses and their environments more accurately. Please note that if you registered for CE or CE+ before the 24th, you still have 6 months to complete the assessment under the previous framework.
The main difference between Cyber Essentials and Cyber Essentials Plus remains the same: Cyber Essentials is a self-assessed questionnaire, and Cyber Essentials Plus is an audited version of it. However, some additional controls have been introduced within both frameworks.
The primary change for Cyber Essentials and Cyber Essentials Plus is that Cloud Services are now included in scope. This also requires suitable Multi-Factor Authentication (MFA) to be enforced on those services. Alongside this, there are more specific definitions for Home/Remote working and for bring your own device (BYOD). This may affect what is in scope for your business, and we encourage you to check, as the scope may have changed from the previous Cyber Essentials framework.
Additionally, the CE+ requirements now dictate that all vulnerabilities rated Critical or High under CVSS v3 must be patched. Previously, there were allowances based on the CVSS v3 vector of an identified vulnerability; these allowances have been removed.
The main changes to the framework are:
- All Cloud Services are now in scope
- Multi-Factor Authentication (MFA) requirement for Cloud Services
- Updated scoping requirements and a scoping diagram
- Home/Remote working requirements are more specifically defined
- BYOD requirements are more specifically defined
We can help with any questions or queries you have about Cyber Essentials or Cyber Essentials Plus; feel free to contact us.
Written by Justin Tija