
Cyber Essentials – Grace Period for Technical Controls

25 November 2022 | Consultancy, Cyber Essentials

The National Cyber Security Council have recently announced they will be extending the date for certification against the 2022 Cyber Essentials Technical Controls.

As you will remember, we announced in January the update to Cyber Essentials and the technical requirements. These updates are required to ensure the scheme remains up to date as the threat landscape and technologies continue to evolve.

As highlighted in the blog, this update was the biggest overhaul since the scheme was introduced. Due to this, the National Cyber Security Council and IASME Consortium recognised that a number of organisations will need to implement additional services when being assessed against the revised Cyber Essentials standard.

Therefore, an initial grace period of 12 months was given for 3 of the key changes:

  • Thin Clients in scope must be supported and receiving security updates
  • Unsupported Software is either removed or segregated from scope via a defined sub-set
  • User Accounts on Cloud Services must be protected by MFA.

This grace period was due to come to an end in January 2023. However, a recent article from the National Cyber Security Council confirms that this grace period will now be extended until April 2023.

This revised date coincides with the next scheduled update to the Cyber Essentials Technical Requirements, which is understood to focus on a series of clarifications. It will also include vital new guidance on:

  • Clarification on firmware – All firmware is currently included in the definition of ‘software’, so must be kept up to date and supported. Due to difficulties with information provided by vendors, this is changing to just router and firewall firmware.
  • Third party devices – Further information and a new table clarifying how third-party devices such as contractor or student devices should be treated in applications.
  • Device unlocking – A change in this section to mitigate issues around some default settings in devices being unconfigurable. Where that is the case, it is acceptable for applicants to use those default settings.
  • Malware protection – Anti-malware software will no longer need to be signature based and clarification has been added around which mechanism is suitable for different types of devices. Sandboxing is being removed as an option.
  • Guidance on zero trust architecture in the context of achieving Cyber Essentials and a note on the importance of asset management.

If you’d like to understand how these changes may affect you or you’re looking to achieve Cyber Essentials, speak to a member of the team today: hello@fourtify.co.uk