Cyber Essentials Changes 2022 – New Pricing Structure and Updated Technical Controls.

From 24th January 2022, Cyber Essentials will adopt a new tiered pricing structure, reflecting on an organisation’s size, and an update to the Cyber Essentials technical controls.

What is Cyber Essentials?

Cyber Essentials is a simple, but effective government and industry-endorsed cyber security certification that helps organisations of all sizes to prevent falling victim to ever-evolving cyber-attacks. The certification is also often a requirement for organisations that work on UK government contracts.

As the environment in which we all operate has changed since the Cyber Essentials certification scheme was originally introduced, seven years ago, the cost of the certification has remained the same. With the significant transformation in the work environment and the increase in complexity of threats, Cyber Essentials have reviewed their pricing and have adopted a new tiered pricing structure, based on an organisations size, or specifically employee band.

For the standard Cyber Essentials certification organisations access themselves against a defined set of security controls and a qualified assessor then verifies the information and evidence provided. The Cyber Essentials certification* assessment is currently priced at £300, and this price will remain for any micro-businesses wanting to achieve Cyber Essentials, however for any organisations that come under the small, medium or large category, there will be an increase in cost, due to the complex nature of the assessment, and the time it takes to review and provide feedback. This is the cost of the certified body to review and evaluate the measures you have in place, this is not the

The new Cyber Essentials tiered structure, which adopts the internationally recognised definition, for organisations that are micro, small, medium and large is shown in the table below:

*This is the cost of the certified body to review and evaluate the measures you have in place, not for Krome’s Cyber Essentials Plus Readiness Assessment Service.

Why are these changes occurring to Cyber Essentials?

With the work dynamic dramatically changing, especially over the last two years due to the pandemic, organisations of all sizes, have found themselves adapting to unpredictable circumstances, by implementing hybrid working, mobile communications and cloud applications. These changes have increased the threat landscape significantly, giving cybercriminals further opportunities to exploit.

The NCSC is making regular changes to ensure they keep up to date with the latest cyber security regulations and practices. A further review of Cyber Essentials is expected in January 2023.

Changes to the Cyber Essentials technical controls

With this being said, the NCSC will also introduce an updated set of requirements for the scheme. This will be the largest update of the scheme’s technical controls since the launch of Cyber Essentials in June 2014.

As the cyber security threat landscape continues to evolve, it’s essential to keep up to date with the latest security measures to prevent these attacks and updating the technical controls will ensure that the scheme stays relevant to today’s cyber threats.

Below we have summarised the changes involved in the technical controls, which mostly relate to cloud services, multi-factor authentication, password management and security updates, inline with guidance from NCSC technical experts.

• Homeworking devices are in scope, but home routers are not
• Cloud services are to be fully integrated into the scheme
• Multi-factor authentication must be used to access cloud services
• Thin client devices are in scope when connecting to an organisations information or services
• All servers, including virtual servers on a sub net, or a whole organisation assessment, are in scope
• Smart phones and tablets that connect to the organisational data and services are in scope
• Biometrics or a minimum password or pin length of 6 characters must be used to unlock a mobile device
• New guidance has been issued for password policies and use of multi-factor authentication
• Account separation, use separate accounts to perform administrative activities only
• All high and critical updates must be applied within 14 days
• Unsupported software must be removed

You can read a full explanation of the revised Cyber Essentials Technical Controls in a blog post released by Cyber Essentials Certification body IASME here.

What do these changes mean for your organisation?

For organisations that are already Cyber Essentials certified, these certifications will remain valid until the date of expiry. Upon recertification, the revised technical controls and costs will apply so it is recommended that you familiarise yourself with the new requirements with plenty of time to prepare for recertification. 

Any Cyber Essentials applications that are set to be completed on or after the new update launch date, will need to follow the new standards set. The NCSC has provided up to a year for organisations to prepare for the new controls.

Businesses that are currently having ongoing assessments before the 24th of January 2022 will continue to follow the previous technical regulations and will have until 24th July 2022 to complete these assessments using the previous technical standard.

The NSCS has created a FAQ page on this topic for more information.

Cyber Essentials Plus Certification

For organisations that want to achieve the Cyber Essentials Plus certification, where a qualified, external auditor examines against the technical controls, there will be additional testing in the form of a technical audit. The two new tests following the revisions are:

• A test to confirm account separation between user and administration accounts
• A test to confirm MFA is required for access to cloud services

How we can help you to achieve Cyber Essentials Plus

The Cyber Essentials plus certification can often be difficult and time-consuming for companies to achieve without external objective help. For clients that wish to prepare for a Cyber Essentials Plus certification, Krome offers a Cyber Essentials Plus Readiness Assessment service.

Working collaboratively with our clients, providing Cyber Security systems, compliance, policies and process assessments, we can give you a real-time analysis and gap analysis of your Cyber Security landscape to fully prepare you for your Cyber Essentials Plus Certification.

If you want to learn more about how Krome can protect your environment from cyber-attacks and help you to achieve Cyber Essentials Plus please call us on 01932 232345.