Small Businesses approaching Cyber Essentials as a renewal, or for the first time should be aware of new requirements relating to the certification.
This year, the changes to the scheme are as follows:
The definition of ‘software’ has been updated to clarify where firmware is in scope
Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall, and router firmware.
Firewall and router firmware is the operating system of those devices. As firewalls and routers are key security devices, their operating systems and whether they are kept up to date are extremely important from a security perspective.
Cyber Essentials will require that all applicants list their laptops, desktops, servers, computers, tablets, and mobile phones, with details of the make and operating system. However, when it comes to firewalls and routers, the applicant will only be asked to list make and model, but not the specific version of the firmware. By asking for the make and model on these devices, the assessor will be able to determine if the devices is still receiving security updates to the firmware.
Asset management is important in Cyber Essentials
In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.
The requirements clarify that asset management doesn’t mean making lists or databases that are never used, it means creating, establishing, and maintaining authoritative and accurate information about your assets that enables efficient decision-making when you need it.
Clarification on including third-party devices
All end-user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. A new table gives clarity on which third-party devices are in scope for Cyber Essentials. It aims to answer frequent questions about consultants, volunteers, and third parties. When the third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that they can apply the required controls via a combination of technical and written policy. For example, if an in-scope third-party BYOD connects to an organisational Office 365, the organisation can create a conditional access policy that says if the device doesn’t have a supported operating system, it won’t connect until the operating system is updated.
This section has been updated to reflect that some configuration can’t be altered because of vendor restrictions. Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign in attempts. Samsung, the largest provider of smartphones in the world, has set its minimum sign-in attempts at 15, with no option to alter this number. So, in this instance, Cyber Essentials would require that the applicant goes with the minimum number sign in attempts allowed by the device before locking.
An updated ‘Malware protection’ section
You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below. In most modern products these options are built into the software supplied. Alternatively, you can purchase products from a third-party provider. In all cases, the software must be active, kept up to date in accordance with the vendors' instructions, and configured to work. If you use anti-malware software to protect your device, it must be configured to:
Be updated in line with vendor recommendations
Prevent malware from running
Prevent the execution of malicious code
Prevent connections to malicious websites over the internet
Application allow listing (option for all in scope devices)
Home routers no longer being in scope. This means that any firewall controls will be transferred to the individual’s device. The only exception to this change is if the home worker’s router is supplied by their organisation, in which case it must have Cyber Essentials controls applied to it. The impact of this is to ensure that user devices have a satisfactory level of protection in place. So, ensuring that solutions such as antivirus are up to date is imperative.
For more about Cyber Essentials changes and implementing new security measures, please contact your FOS.net account manager