Cyber Essentials Montpellier Update Explained

On 24th April 2023 the Cyber Essentials Montpellier update was introduced. This blog provides information about the Cyber Essentials scheme and a useful summary about these changes.

The growing cyber threat

According to the Cyber Security Breaches Survey 2022 reported that 39% of UK businesses identified a cyber-attack within a 12-month period. One in 5 companies reported that a cyber attack had a detrimental impact on their business.

It’s no surprise therefore, that 80% of businesses state that their board sees cyber security as a high priority. This is reflected in the growing number of supply chains are mandating Cyber Essentials certification.

About Cyber Essentials

Cyber Essentials is a UK Government approved certification that sets the baseline standard for organisations to protect themselves from the majority of cyber attacks. A growing number of organisations have gained this certification in order to bolster their cyber defences and reassure their stakeholders that they take cyber security seriously.

There are five key controls within the standard. These are:

• Boundary firewalls – to prevent unauthorised system access
• Secure configuration – ensure that appropriate password controls are used
• Patch management – process exists to ensure company software is up to date
• Access control – ensure that users have an appropriate level of access to systems
• Malware protection – ensure appropriate anti-virus is software is in use

Organisations are awarded Cyber Essentials certification when they are able to demonstrate that they comply with the requirements of standard. It involves completing a self assessment questionnaire and certification. Cyber Essentials Plus is awarded when organisations are then audited to prove their systems are working as they should. Certification is valid for 12 months, much like a MOT for your cyber security.

The evolution of Cyber Essentials

The cyber threat landscape constantly evolves, so it is paramount that the Cyber Essentials standard is regularly reviewed to ensure that it remains relevant and effective.

IASME, the sole Accreditation Body for Cyber Essentials, released the ‘Evendine’ question set in January 2022. This represented the biggest update to the standard since it’s launch.

On 24th April 2023 the ‘Montpellier’ question set was introduced. Any assessment accounts set up on or after this date will need to adhere to the new question set.

The Cyber Essentials Montpellier update builds upon the changes established by Evendine, improving its accessibility and introducing some new elements to the Cyber Essentials Plus audit. The changes may be less significant, but they represent a necessary evolution towards stronger cybersecurity practices.

Pete Lannon, Technical Director – Assure Technical

Cyber Essentials Montpellier Update Explained

1. Updated definition of ‘software’ to clarify where firmware is in scope

The definition as been updated as follows:

Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware. 

Organisations will be required to provide the make and model of firmware devices, which will enable Certification Bodies to determine if they are still receiving security updates.

The reason for this change is that firewall and router firmware acts as the operating system of these devices – keeping them up to date is extremely important from a security perspective.

2. A greater emphasis on asset management 

Whilst asset management isn’t a specific Cyber Essentials control, establishing and maintaining authoritative and accurate asset information is recommended as a core security function.

By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.

Comprehensive guidance for organisations on asset management can be found on the NCSC website.

3. BYOD (Bring your own device) guidance 

The Cyber Essentials standard now provides further information and advice on the use of BYOD, please see the NCSC’s guidance.

4. Clarification on third party devices 

The standard requires that all end user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope.  IASME has created the following table to provide clarity:

5. Updated ‘Device unlocking’ section to accommodate vendor restrictions

Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements e.g. locking the mobile devices after a defined number of failed sign-in attempts. In this instance, Cyber Essentials would require that the applicant goes with the minimum number sign-in attempts allowed by the device before locking.

6. Updated ‘Malware protection’ section 

Questions have been raised about the efficacy of some of the controls to defend against malware.

Cyber Essentials now requires a malware protection mechanism to be active and kept up to date according to vendor instructions on all devices in scope. ‘Sandboxing’ is no longer an option as an anti-malware control.

At least one of the following options must be used:

Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers) 

If you use anti-malware software to protect your device it must be configured to:

• Be updated in line with vendor recommendations
• Prevent malware from running
• Prevent the execution of malicious code
• Prevent connections to malicious websites over the internet

Application allow listing (option for all in scope devices) 

Only approved applications, restricted by code signing, are allowed to execute on devices. You must:

• Actively approve such applications before deploying them to devices
• Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature

7. Zero trust architecture guidance

Network architecture is changing:

• More services move to the cloud and use of Software as a Service (SaaS) continues to grow.
• Increased flexible working has resulted in lots of different device types connecting systems from many locations
• It’s increasingly common for organisations to share data with their partners and guest users, which requires more granular access control policies.

Zero trust architecture is an approach to system design where inherent trust in the network is removed, hence designed to cope with these changing conditions. They enable an improved user experience for remote access and data sharing.

The NCSC website contains more information about zero trust architecture.

8. Cyber Essentials Plus testing changes

One of the most significant changes to the new release is that Cyber Essentials Plus Assessors are required to carry out internal credentialed patch audits. This involved scanning a sample of internally hosted servers, in addition to user workstations. This is because, in recent breaches, unsupported server operating systems or out of date software on those servers has been the root cause of compromise.

There are changes to how a Cyber Essentials Plus Assessor carries out the malware protection tests.

9. Style and language changes

The requirements document has been updated in line with plain English and accessibility guidelines.

10. Re-ordered scheme technical controls

For consistency, the scheme requirements are now in the same order as the Cyber Essentials self assessment questionnaire. This is; firewalls, secure configuration, security update management, user access controls, then malware protection.

Here to help

There is no need for you to worry about the impact these changes will have on your forthcoming Cyber Essentials certification. As the most trusted Cyber Essentials Certification Body in the UK, our team of experienced assessors will pragmatic and jargon-free support to ensure that the process is as pain free as possible.