IASME has recently introduced a number of changes to the Cyber Essentials question set, intended to clarify certain questions so that applicants can better understand the requirements for Cyber Essentials. The new streamlined questionnaire is also better suited to the variety of post-pandemic working arrangements seen today.
The changes came into effect as of April 26th, with any applicants applying on or after that date being subject to the new question set.
Below, you will find a comprehensive list of all the changes by IASME (the requirement text is quoted below), along with some clarification from Cyberlab to help you understand how these changes may affect you.
1. There are new definitions for a corporate virtual private network (VPN), organisational data and organisational services. These definitions assist when applying the requirements for Bring Your Own Device (BYOD).
- A Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.
- Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.
- Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.
2. An update to the Bring Your Own Device (BYOD) requirement to explain what is out of scope.
In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope. A user-owned device that is used only for native voice calls, native SMS text messaging, or as a multi-factor authentication factor (for example, receiving a code or approving a push prompt) is out of scope.
3. Clarification on when and where software firewalls are acceptable as the internet boundary.
A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol.
Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device.
This works in the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, it increases the administrative overhead of managing firewall rules across many devices.
4. The ‘patch management’ control has been changed to ‘security update management’.
5. An update to the security update management control. It now requires automatic updates to be enabled where possible, and clarifies the position on updates whose vendor does not state the severity of the vulnerabilities that the update fixes.
The Applicant must keep all its software up to date. Software must be:
- licensed and supported
- removed from devices when no longer supported
- have automatic updates enabled where possible
- updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:
  - the update fixes a vulnerability with a severity the product vendor describes as ‘critical’ or ‘high risk’
  - there are no details of the vulnerability severity level the update fixes provided by the vendor.
For optimum security and ease of implementation it is strongly recommended (but not mandatory) that all released updates be applied within 14 days.
*It is important that these updates are applied as soon as possible. 14 days is seen as a reasonable period to be able to implement this requirement. Any longer would constitute a serious security risk while a shorter period may not be practical.
NOTE: Some vendors release security updates for multiple issues with differing severity levels as a single update. If such an update covers any ‘critical’ or ‘high risk’ issues, then it must be installed within 14 days.
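The three branches of the rule above (vendor says ‘critical’ or ‘high risk’, vendor gives no severity at all, and a single bundled update covering issues of mixed severity) are easy to get wrong when reviewing a long list of pending updates. The following is an added example from Cyberlab, not text from the IASME requirements or from any vendor tool: it applies the rule to a constructed list of pending updates and reports which are overdue, which are still inside the 14-day window, and which are only recommended. The product names, versions and dates are made up for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# The 14-day window quoted in the requirement.
MANDATORY_WINDOW = timedelta(days=14)


@dataclass
class Update:
    product: str
    version: str
    released: date
    # Vendor-stated severity of each issue the update fixes, one entry per issue.
    # Empty tuple = the vendor publishes no severity details at all.
    severities: Tuple[str, ...] = ()
    installed: bool = False


def is_mandatory(update: Update) -> bool:
    """True if the update falls under the 14-day requirement.

    Mandatory when the vendor gives no severity details, or when ANY of the
    issues it fixes is described as 'critical' or 'high' / 'high risk'
    (the bundled-update case in the NOTE above).
    """
    if not update.severities:
        return True
    return any(s.strip().lower().startswith(("critical", "high")) for s in update.severities)


def deadline(update: Update) -> Optional[date]:
    """Date by which a mandatory update must be applied; None if only recommended."""
    if not is_mandatory(update):
        return None
    return update.released + MANDATORY_WINDOW


def review(updates: List[Update], today: date) -> Dict[str, List[Update]]:
    """Sort pending (not yet installed) updates into overdue / due / recommended."""
    result: Dict[str, List[Update]] = {"overdue": [], "due": [], "recommended": []}
    for u in updates:
        if u.installed:
            continue
        d = deadline(u)
        if d is None:
            result["recommended"].append(u)   # low/medium only: strongly recommended, not mandatory
        elif today > d:
            result["overdue"].append(u)       # past the 14-day window: non-compliant
        else:
            result["due"].append(u)           # mandatory, still inside the window
    return result


# Constructed sample data (hypothetical products and dates, for illustration only).
TODAY = date(2024, 1, 31)
PENDING = [
    Update("browser", "121.0", date(2024, 1, 5), ("critical", "medium")),  # bundled: critical applies
    Update("vpn-client", "5.2.1", date(2024, 1, 25), ("high risk",)),
    Update("pdf-reader", "23.8", date(2024, 1, 10), ()),                    # vendor gives no severity
    Update("office-suite", "16.80", date(2023, 12, 20), ("low",)),
    Update("mail-client", "2.4", date(2024, 1, 2), ("critical",), installed=True),
]


def main() -> Dict[str, List[Update]]:
    report = review(PENDING, TODAY)
    for bucket, items in report.items():
        for u in items:
            d = deadline(u)
            print(f"{bucket:12} {u.product} {u.version} released {u.released} deadline {d}")
    return report


if __name__ == "__main__":
    main()
```

The check treats an update with no vendor severity information as mandatory, because the requirement does; if your inventory tool exports an empty severity field for updates the vendor did rate, fix the export rather than relaxing the rule.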
6. User access control has been expanded to include third party accounts that have access to the certifying organisation’s data and services.
The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. Importantly, this includes accounts that third parties use for access (for example, device management or support services).
It must also understand how user accounts authenticate and control the strength of that authentication. This means the Applicant must:
- have a user account creation and approval process
- authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
- remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
- implement two-factor authentication, where available
- use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
- remove or disable special access privileges when no longer required (when a member of staff changes role, for example)
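Most of the bullet points above can be checked against an export of user accounts from a directory or SaaS admin console. The script below is an added example from Cyberlab, not part of the IASME requirement text or of any product: it runs the checks over a constructed account export and reports per-account findings. The 90-day inactivity period is an assumption standing in for the "defined period" the requirement leaves to the organisation, and the account names and dates are invented. Third-party accounts (the new element of this control) go through exactly the same checks as staff accounts.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed organisational inactivity period; the requirement says "a defined period"
# but does not fix a number.
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    username: str
    owner: str                 # "staff" or "third-party" (e.g. a support or MDM vendor)
    is_admin: bool
    mfa_available: bool        # the service offers two-factor authentication for this account
    mfa_enabled: bool
    last_login: Optional[date] # None = never logged in
    has_mailbox: bool          # a mailbox on an admin account suggests it is used for email
    approved: bool = True      # created through the account approval process
    enabled: bool = True


def findings(acc: Account, today: date) -> List[str]:
    """Return the list of control failures for one enabled account."""
    issues: List[str] = []
    if not acc.enabled:
        return issues                       # already disabled: nothing further to check
    if not acc.approved:
        issues.append("no record of creation approval")
    if acc.last_login is None or today - acc.last_login > INACTIVITY_LIMIT:
        issues.append(f"inactive beyond {INACTIVITY_LIMIT.days} days: disable or remove")
    if acc.mfa_available and not acc.mfa_enabled:
        issues.append("two-factor authentication available but not enabled")
    if acc.is_admin and acc.has_mailbox:
        issues.append("administrative account has a mailbox: admin accounts are for admin tasks only")
    if acc.owner == "third-party" and acc.is_admin:
        issues.append("third-party account holds admin privileges: confirm still required")
    return issues


def review(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Map username -> findings, omitting accounts with nothing to report."""
    report: Dict[str, List[str]] = {}
    for acc in accounts:
        f = findings(acc, today)
        if f:
            report[acc.username] = f
    return report


# Constructed sample export (hypothetical accounts, for illustration only).
TODAY = date(2024, 1, 31)
ACCOUNTS = [
    Account("j.smith", "staff", False, True, True, date(2024, 1, 28), True),
    Account("j.smith-adm", "staff", True, True, True, date(2024, 1, 21), True),
    Account("vendor-support", "third-party", True, True, False, date(2023, 9, 20), False),
    Account("temp-contractor", "staff", False, False, False, None, False, approved=False),
    Account("leaver-2023", "staff", False, True, False, date(2023, 3, 1), True, enabled=False),
]


def main() -> Dict[str, List[str]]:
    report = review(ACCOUNTS, TODAY)
    for user, issues in report.items():
        for issue in issues:
            print(f"{user}: {issue}")
    return report


if __name__ == "__main__":
    main()
```

The script reads only what an export normally contains; it cannot tell whether two people share one credential, so the "unique credentials" bullet still needs a manual check of how accounts are issued.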
To discuss the changes to the Cyber Essentials question set or how you can achieve the accreditation for your organisation please contact one of our team on 0333 050 8120