Cyber Essentials Scheme Set for April 2023 Update

The UK’s popular Cyber Essentials scheme is set to get a refresh in April next year, with new guidance in a range of areas designed to clarify requirements and ensure they align with the current technology landscape.

Cyber Essentials offers a relatively simple set of steps that organizations can be certified against to prevent the most common cyber-threats. While the basic version requires only self-assessment, a Cyber Essentials Plus scheme demands hands-on technical verification by an accredited third party.

The scheme’s technical controls received a major update in January 2022. However, the April 2023 refresh will offer more clarity in certain areas, according to the National Cyber Security Centre (NCSC). These include:

  • Firmware – only router and firewall firmware will need to be kept up to date and supported
  • Third-party devices – there will be more guidance on how external devices such as those owned by contractors or students should be treated
  • Device unlock – where devices are unconfigurable, it will be acceptable for applicants to use default settings
  • Malware protection – anti-malware will no longer need to be signature-based, and there will be guidance on which types are suitable for different devices
  • Zero trust – there will be more guidance on how to deliver this in the context of Cyber Essentials and asset management

The requirements will be listed in full in January 2023, ahead of the go-live in April, the NCSC said.

The agency also announced an extension to the grace period for complying with several updated technical controls published in January 2022.

Originally, this period was set to last for 12 months to January 2023. However, the NCSC is extending it to April 2023, to coincide with the launch of the new clarifications.

The three relevant controls are:

  • All thin-clients in scope must be supported and receiving security updates
  • All unsupported software must be removed or segregated from scope via a sub-set
  • All cloud-based user accounts must be protected by multi-factor authentication (MFA)
