
Nicky Whiting

Head of Consultancy Division

20th December 2021

First launched in 2014, the Government-backed Cyber Essentials certification scheme has been a key security tool for businesses of all sizes to uphold a basic level of cyber resilience. However, the National Cyber Security Centre (NCSC) has announced that the certification will receive a major update to its technical controls from 24th January 2022.

The purpose of the changes is to ensure the certification keeps up with the ever-evolving threat landscape that surrounds businesses and their cybersecurity, especially considering the impact of the sudden shift to remote working and cloud services over the past couple of years.

So what does the update mean for your business? Whether you’re certifying for the first time or renewing, we’ve compiled everything you need to know.

What’s involved in a Cyber Essentials assessment?

The Cyber Essentials scheme has two levels for certification: Cyber Essentials and Cyber Essentials Plus.

Cyber Essentials

The first level of certification involves your business completing a self-assessment form regarding its current security policies, software updates and measures surrounding security best practices. It’s common practice to work with a certification body to help achieve certification the first time. Support is available from our certified Cyber Essentials Assessors within your Defense.com package. Our team can review your answers and provide additional support ahead of submitting your assessment to the Cyber Essentials accreditation body, IASME.

Cyber Essentials Plus

The Plus certification is a more advanced assessment of your security. You must have completed the basic Cyber Essentials certification within the 90 days prior to applying for the Plus. Extra controls within the Plus certification include vulnerability scanning and a workstation assessment, as well as remediation of any uncovered security risks. It also requires an assessor to conduct the audits and verify that the controls are in place, rather than the self-assessment used for the basic certification.

What’s different for the updated Cyber Essentials?

The last couple of years have significantly impacted the way businesses operate, with hybrid working policies and digital transformations. Because of this, the NCSC and IASME saw a need to update the Cyber Essentials scheme in order to reflect and protect against the resulting increase in cybersecurity threats.

The updates to the scheme primarily cover the increased use of cloud services and bring your own device (BYOD) working, as well as best practice measures such as password management, multi-factor authentication and guidance around backing up your data.

Key updates include:

  • Questions have been updated with explanations and further details required from you.
  • Cloud services are now included in the scope of both the basic and Plus certifications.
  • Some parts of the scheme are advisory for the next 12 months, for instance using MFA on all cloud services. If you haven’t implemented this by your renewal in 2023, the advisory becomes a fail.
  • Cyber Essentials Plus now involves an MFA test and a local admin rights check on each workstation tested. More workstations may also be used for testing.

Key dates your business should know about the Cyber Essentials changes

  • 24th January 2022: The updates for Cyber Essentials and Cyber Essentials Plus come into effect.

  • 24th July 2022: Businesses have 6 months from the above date to complete a Cyber Essentials assessment against the current standard if it has already been scheduled. Businesses that are already certified remain so until they need to renew, so you should familiarise yourself with the new updates if your renewal is upcoming.

  • January 2023: There will be further updates announced about changes proposed for Cyber Essentials and Cyber Essentials Plus.

Price changes for the scheme

The NCSC and IASME also announced a new tier-based pricing structure for Cyber Essentials, which also comes into effect from 24th January 2022.

The tiered pricing is based around internationally recognized definitions of business size, and is as follows:

Organization Type                          Pricing
Micro organizations (0-9 employees)        £300 +VAT
Small organizations (10-49 employees)      £400 +VAT
Medium organizations (50-249 employees)    £450 +VAT
Large organizations (250+ employees)       £500 +VAT

Summary

The Cyber Essentials scheme is an important stepping stone to securing your business against a range of cyber threats. It’s low-cost, easy to conduct, and protects you against common hacking attempts.

The changes to the scheme will further strengthen businesses’ cyber resilience, as the NCSC has recognized the impact of evolving working practices on the threat landscape. The assessments are more in-depth, so your business gains greater peace of mind over its cybersecurity, and customers can place more value on your certification.

To find out more about a Cyber Essentials certification for your business, information on the scheme’s updates, or the required assessments involved, simply get in touch.

Affordable SMB cybersecurity with Defense.com

Try all these security quick wins and more with Defense.com™. Start a free trial today!