As of 24 January, IASME has released its new Evendine question set, which introduces the largest number of changes to the Cyber Essentials questionnaire yet. We have therefore put together a summary of the changes for our clients, covering what they mean and what to expect when your own certification comes up for renewal.
Here is a high-level overview of the changes made:
Anyone working from home for any amount of time is classified as a ‘home worker’.
Home worker devices that access organisational information, whether owned by the organisation or by the home worker themselves, are in scope for Cyber Essentials and must have the Cyber Essentials controls applied to them.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope, and the Cyber Essentials firewall controls transfer to the home worker’s device (computer, laptop, tablet and/or phone), typically as a software firewall on that device. However, if a router is supplied by the applicant company, it is in scope and must have the Cyber Essentials controls applied to it, as described within the questionnaire.
If an organisation makes use of a corporate Virtual Private Network (VPN) for home workers, this transfers the scope boundary to the corporate firewall or virtual cloud firewall instead.
All cloud services are now integrated into the Cyber Essentials scheme. If your organisation’s data is hosted on cloud services (e.g. Amazon AWS, Microsoft Azure, Office 365), then your organisation is responsible for ensuring that all the relevant controls are implemented according to the Cyber Essentials scheme.
Definitions of the different types of cloud service have now been included in the questionnaire: Infrastructure as a Service, Platform as a Service and Software as a Service. Responsibility for implementing each relevant Cyber Essentials control falls on either the cloud service provider or the user, depending on the type of cloud service (the shared responsibility model).
Passwords and Multi-Factor Authentication
It is now a requirement that multi-factor authentication (MFA) must be used for all administrative accounts on any cloud services used by your organisation.
This provides extra protection for administrative accounts, which have access to a large amount of information and to the configuration settings of your cloud services.
Passwords on accounts protected by MFA must be at least 8 characters long, and no maximum password length may be imposed.
Standard user accounts on cloud services are currently not required to have MFA enabled. However, this will become a requirement marked for compliance from January 2023.
Any services or devices that do not support MFA must instead enforce a minimum password length of at least 12 characters, again with no maximum length restriction.
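The MFA and password-length rules above can be codified into a simple inventory check, so that an organisation can audit its own cloud accounts before the assessor does. The following is an added example written for this summary, not an IASME or Cyber Essentials tool: the account records, service names and field names are constructed, and the treatment of an administrative account on a service that cannot enforce MFA as a failure is our reading of the requirement that all administrative cloud accounts use MFA.

```python
"""Audit a cloud-account inventory against the Evendine MFA and password-length rules.

Added example on constructed data; the inventory format is an assumption, not a
Cyber Essentials or IASME artefact.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Standard user accounts on cloud services must have MFA from this date onwards.
STANDARD_USER_MFA_REQUIRED_FROM = date(2023, 1, 1)

Finding = Tuple[str, str]  # ("fail" | "advisory", human-readable message)


@dataclass(frozen=True)
class CloudAccount:
    service: str
    username: str
    is_admin: bool
    mfa_supported: bool                 # the service can enforce MFA at all
    mfa_enabled: bool                   # MFA is switched on for this account
    min_password_length: int            # minimum length the service's policy enforces
    max_password_length: Optional[int]  # None means no upper limit is imposed


def audit_account(acct: CloudAccount, assessment_date: date) -> List[Finding]:
    """Return findings for one account; an empty list means the account is compliant."""
    findings: List[Finding] = []

    if acct.mfa_supported:
        required_min = 8  # password on an MFA-protected account
        if not acct.mfa_enabled:
            if acct.is_admin:
                findings.append(("fail", "administrative account without MFA"))
            elif assessment_date >= STANDARD_USER_MFA_REQUIRED_FROM:
                findings.append(("fail", "standard account without MFA"))
            else:
                findings.append(("advisory",
                                 "standard account without MFA (required from January 2023)"))
    else:
        required_min = 12  # no MFA available, so the password carries the control alone
        if acct.is_admin:
            # Our reading: MFA is mandatory for admin cloud accounts, so a service that
            # cannot provide it fails regardless of password policy (assumption).
            findings.append(("fail", "administrative account on a service that cannot enforce MFA"))

    if acct.min_password_length < required_min:
        findings.append(("fail",
                         f"minimum password length {acct.min_password_length} is below {required_min}"))
    if acct.max_password_length is not None:
        findings.append(("fail", f"maximum password length of {acct.max_password_length} is imposed"))
    return findings


def audit_inventory(accounts: List[CloudAccount], assessment_date: date) -> Dict[str, List[Finding]]:
    """Map 'service:username' to its findings, preserving inventory order."""
    return {f"{a.service}:{a.username}": audit_account(a, assessment_date) for a in accounts}


def non_compliant(accounts: List[CloudAccount], assessment_date: date) -> List[str]:
    """Accounts with at least one 'fail' finding, in inventory order."""
    report = audit_inventory(accounts, assessment_date)
    return [key for key, findings in report.items() if any(level == "fail" for level, _ in findings)]


# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    CloudAccount("Microsoft 365", "global-admin", True, True, True, 8, None),
    CloudAccount("Microsoft 365", "alice", False, True, False, 8, None),
    CloudAccount("AWS", "root", True, True, False, 14, None),
    CloudAccount("legacy-crm", "bob", False, False, False, 10, 20),
]

if __name__ == "__main__":
    for key, findings in audit_inventory(SAMPLE_ACCOUNTS, date.today()).items():
        print(key, findings or "compliant")
```

Running the audit with a pre-2023 assessment date reports alice's missing MFA as an advisory only; with a 2023 date the same account becomes a failure, which is the change the questionnaire telegraphs.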
Thin clients are now in scope when they connect to organisational networks, information and/or services, and as such they must be listed on the Cyber Essentials questionnaire. From January 2023 they will also need to be supported and receiving security updates, and this will be a requirement marked for compliance.
Mobile Devices and Tablets
All mobile devices and tablets that access any organisational data (documents, emails, etc.) and/or services are in scope and must be listed in the Cyber Essentials questionnaire. This includes devices that connect to a corporate network as well as those connecting over mobile internet such as 4G and 5G.
When using a mobile device or tablet, biometrics or a password/PIN of at least 6 characters must be used to unlock the device.
Separation of accounts must be implemented so that no day-to-day activities (web browsing, emailing) are performed on administrative user accounts and vice versa, reducing the chance that everyday activity exposes privileged access.
High and Critical Updates
All operating systems and software installed on in-scope devices must have security updates installed within 14 days of release, and must comply with the following:
- Be licensed and actively supported
- When deprecated or out of support, be removed from all in-scope devices, or taken out of scope by blocking all traffic to/from the internet.
- Have automatic updates enabled (where possible)
- Be kept updated, including by manual configuration or manual checks for updates where required, so that updates are actually installed.
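The four conditions above reduce to a check that can be run over a software inventory: supported software must have the latest high/critical fix installed within 14 days of its release, and unsupported software must be removed or isolated from the internet. The following is an added example written for this summary, not an IASME or Cyber Essentials tool; the inventory fields, device names and release dates are constructed, and "isolated" is modelled simply as a flag recording that internet traffic to and from the software is blocked.

```python
"""Check an in-scope software inventory against the 14-day security update window.

Added example on constructed records; the inventory format is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)  # updates must be installed within 14 days of release

Finding = Tuple[str, str]  # ("fail" | "advisory", message)


@dataclass(frozen=True)
class SoftwareRecord:
    device: str
    name: str
    version: str
    supported: bool                           # vendor still issues security updates
    latest_security_release: Optional[date]   # release date of the newest high/critical fix
    installed_release: Optional[date]         # release date of the fix currently installed
    automatic_updates: bool
    internet_blocked: bool                    # unsupported software isolated from the internet


def check_record(rec: SoftwareRecord, today: date) -> List[Finding]:
    """Findings for one installed product; empty list means compliant on this date."""
    findings: List[Finding] = []

    if not rec.supported:
        # Out-of-support software must be removed, or taken out of scope by blocking
        # all internet traffic. Being absent from the inventory counts as removed.
        if not rec.internet_blocked:
            findings.append(("fail", "unsupported software must be removed or isolated from the internet"))
        return findings

    if rec.latest_security_release is not None:
        outstanding = (rec.installed_release is None
                       or rec.installed_release < rec.latest_security_release)
        if outstanding:
            age = today - rec.latest_security_release
            if age > PATCH_WINDOW:
                findings.append(("fail",
                                 f"security update released {age.days} days ago is still not installed"))
            else:
                remaining = (PATCH_WINDOW - age).days
                findings.append(("advisory",
                                 f"security update pending, {remaining} days left in window"))

    if not rec.automatic_updates:
        # Allowed "where possible", but manual update checks then need to be evidenced.
        findings.append(("advisory", "automatic updates disabled; manual update checks must be evidenced"))
    return findings


def audit_patching(inventory: List[SoftwareRecord], today: date) -> Dict[str, List[Finding]]:
    return {f"{r.device}/{r.name}": check_record(r, today) for r in inventory}


def overdue(inventory: List[SoftwareRecord], today: date) -> List[str]:
    """Products with at least one 'fail' finding, in inventory order."""
    return [key for key, findings in audit_patching(inventory, today).items()
            if any(level == "fail" for level, _ in findings)]


# Constructed sample inventory (not real devices or products).
SAMPLE_INVENTORY = [
    SoftwareRecord("LAPTOP-01", "Windows 10", "21H2", True, date(2022, 2, 8), date(2022, 2, 8), True, False),
    SoftwareRecord("LAPTOP-01", "Browser X", "98", True, date(2022, 2, 10), date(2022, 1, 20), True, False),
    SoftwareRecord("LAPTOP-02", "PDF Reader", "2021.1", True, date(2022, 2, 20), date(2022, 1, 5), False, False),
    SoftwareRecord("SRV-01", "Legacy App", "3.2", False, None, None, False, False),
    SoftwareRecord("SRV-02", "Legacy App", "3.2", False, None, None, False, True),
]

if __name__ == "__main__":
    for key, findings in audit_patching(SAMPLE_INVENTORY, date(2022, 3, 1)).items():
        print(key, findings or "compliant")
```

The window is measured from the vendor's release date rather than from when the organisation noticed the update, which is the reading an assessor will apply; software still inside the window is reported as an advisory so that it can be tracked before it becomes a failure.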
Changes to Cyber Essentials Plus
To reflect the changes made in the Cyber Essentials scheme, there have also been two additional tests added to the Cyber Essentials Plus scheme, which are detailed below:
Additional Test 1 – Account Separation
This test will confirm that account separation is in place between user and administrative accounts on each device tested during the Cyber Essentials Plus audit.
Assessors will attempt to perform an administrative action on the device, with the goal of triggering a credential prompt that asks for administrative account details to be entered, confirming that the user is running on a standard account.
Additional Test 2 – Multifactor Authentication
The second additional test will confirm whether MFA has been enabled for cloud service accounts. The assessor will ask the applicant to enter the administrative credentials for each cloud service they use, and will observe whether an MFA prompt appears when signing in, confirming that MFA is enabled and working as intended.