NCSC Cyber Essentials overhaul takes effect
Changes to the scope of the government-backed cyber security certification represent the biggest change since the scheme's launch in 2014
The National Cyber Security Centre's (NCSC) planned changes to its Cyber Essentials scheme come into effect today with amendments to the certification's scope reflecting a different world of work compared to when it was first introduced.
First announced in November 2021, the latest overhaul of Cyber Essential's technical controls is the biggest set of changes the NCSC has made since the scheme's debut in 2014.
Cloud services, home working, and identity and access management have all seen numerous changes over the past eight years that have re-shaped the world of work for most UK businesses, and the new changes reflect these specifically.
The main change on the cloud services side is the NCSC's implementation of a shared responsibility model that clearly defines the security obligations of both business and cloud provider. The main takeaway from this stage is that businesses will now be expected to take a more proactive role in ensuring their cloud provider is implementing services properly and securely.
The idea of home working was viewed as an exceptional circumstance by the NCSC when Cyber Essentials was first launched in 2014 but is far more normal now due to the pandemic.
Routers issued by internet service providers (ISPs), and ensuring they're securely set up, has been taken out of the certification's scope because the NCSC believes it's not feasible for businesses to expect employees to correctly set up their routers, even if there was guidance on how to do so from the employer. Instead, a stronger focus will be placed on firewall controls being applied to all end-user devices.
The secure cloud configuration imperative
The central role of cloud security posture management
Free downloadWith the rise of multi-factor authentication (MFA) being more readily available and free in most cases, the NCSC has added guidance on how to choose the right additional factor for any given organisation and the password requirement of the certification has been updated in line with current guidance, and with reference to the NCSC's 'three random words' advice.
The pricing structure for certification is also changing for larger businesses, while small and micro companies will pay the same £300 + VAT for the base-level Cyber Essentials certification and £500 + VAT for Cyber Essentials Plus. The largest companies - those with 250 employees or more - will pay £500 + VAT for Cyber Essentials but have to apply for a bespoke quote for Cyber Essentials Plus.
Activation playbook: Deliver data that powers impactful, game-changing campaigns
Bringing together data and technology to drive better business outcomes
Free DownloadIn unpredictable times, a data strategy is key
Data processes are crucial to guide decisions and drive business growth
Free DownloadAchieving resiliency with Everything-as-a-Service (XAAS)
Transforming the enterprise IT landscape
Free Download
