
Cyber Essentials Evendine Update

Important changes to the Cyber Essentials scheme

Cyber Essentials is endorsed by the UK government and sets the baseline standard for cyber security. It is subject to continual review and usually receives a minor version update once every six months. The latest question set, named ‘Evendine’, was launched on 24th January 2022 and is the most significant update since the scheme’s inception.

The most notable change is the inclusion of cloud-based services within the Cyber Essentials technical controls. This change has been made in response to a steady migration away from in-house IT infrastructure towards cloud-based services, a trend that has accelerated tremendously since the advent of COVID-19.

Changes to the scope of Cyber Essentials

The scope of the Cyber Essentials standard has been expanded to include a few areas that were previously descoped by default. These are:

Cloud services used by the organisation (IaaS, PaaS, SaaS)

  • Any cloud service where your organisation has administrative access (e.g. the ability to create accounts) should now be included in your Cyber Essentials assessment.
  • Services where you have no administrative control (such as the Pervade assessment platform) are not in scope.
  • Definitions of IaaS, PaaS, and SaaS, as well as who is responsible for each control, can be found within the Cyber Essentials Requirements for IT Infrastructure document.

‘Thin Clients’

Thin clients are now in scope. These are defined as “machines which are used to connect to a remote server (such as Citrix) to carry out work rather than being worked upon directly”.

They must be included in the devices section (A2.4.1) of the assessment, regardless of whether they are “True” thin clients or not.

Home working

Home working has not changed since the preceding scheme’s Beacon update, but to clarify:

  • BYOD devices used for business purposes are in scope
  • ISP provided routers are out of scope (meaning that the firewall controls must be applied to the software firewall on the user device)
  • Business provided routers for home workers are in scope
  • If a corporate VPN (terminating inside the office network) is enforced, full-tunnel and always on, then the internet boundary is the company firewall rather than the software firewall on the user device.

Changes to the controls of Cyber Essentials

There have been several changes made to the five controls of Cyber Essentials within this update. A summary of the key differences is:

Password based authentication

The minimum password length has changed: passwords must now be at least 12 characters. A minimum of eight characters is acceptable if:

  • Multi-factor authentication is also used; or
  • Automatic blocking of common passwords (a deny list) is in place.

This is applied across the question set in various sections, such as Firewalls, Secure Configuration and User Access Control.

Device locking

Device locking is now a requirement of the Secure Configuration section (A5.10, A5.11).

Devices that require a user to be present, such as laptops and phones, must have a locking mechanism. This can include biometric authentication, password, or PIN.

Where the credentials used are solely in place to unlock the device and further authentication is required to access organisational data, a PIN of at least six characters can be used.

This control also requires at least one of the following brute-force protections to be in place:

  • Throttling login attempts: no more than 10 attempts are permitted within a five-minute period, and the wait time between attempts increases exponentially.
  • Locking of accounts or devices: this must take place after no more than 10 unsuccessful login attempts.
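To make the two options concrete, the following is an added illustrative example (not code from the scheme or from Assure Technical) of what a throttling policy and a lockout policy each look like when applied to unlock attempts. It assumes the limits quoted above (10 attempts, five-minute window, lock after 10 failures), a one-second starting back-off that doubles on each failure, and a constructed account name; in practice these controls are configured in the operating system or identity provider rather than hand-written, but the logic is the same.

```python
"""Brute-force protection options for device/account unlock, as described
in the Cyber Essentials Evendine device-locking control.
Illustrative code only; limits follow the scheme text, the back-off
schedule and account names are assumptions."""

from collections import defaultdict, deque

WINDOW_SECONDS = 300          # "five-minute period"
MAX_GUESSES_PER_WINDOW = 10   # "no more than 10" attempts in that window
LOCKOUT_THRESHOLD = 10        # lock after no more than 10 failures


class BruteForceGuard:
    """Tracks failed attempts per account (or device) and decides whether
    a new attempt may even be evaluated.

    throttle=True -> sliding-window limit plus exponential back-off
    lockout=True  -> hard lock after LOCKOUT_THRESHOLD consecutive failures
    Either one alone satisfies the control; they can also be combined.
    Time is passed in explicitly (seconds) so the behaviour is deterministic.
    """

    def __init__(self, throttle=True, lockout=False, base_delay=1.0):
        self.throttle = throttle
        self.lockout = lockout
        self.base_delay = base_delay           # first back-off, in seconds (assumed)
        self._window = defaultdict(deque)      # account -> timestamps of failures
        self._streak = defaultdict(int)        # account -> consecutive failures
        self._not_before = defaultdict(float)  # account -> earliest next attempt
        self._locked = set()

    def _recent_failures(self, account, now):
        """Drop failures older than the window and return what remains."""
        q = self._window[account]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def attempt(self, account, credential_ok, now):
        """Returns 'locked', 'throttled', 'failure' or 'success'."""
        if account in self._locked:
            return "locked"                    # a correct credential is refused too
        if self.throttle:
            if now < self._not_before[account]:
                return "throttled"             # back-off period has not elapsed
            if len(self._recent_failures(account, now)) >= MAX_GUESSES_PER_WINDOW:
                return "throttled"             # already 10 guesses in the last 5 min
        if credential_ok:
            self._streak[account] = 0          # a good login resets both strategies
            self._not_before[account] = 0.0
            self._window[account].clear()
            return "success"
        self._window[account].append(now)
        self._streak[account] += 1
        n = self._streak[account]
        if self.lockout and n >= LOCKOUT_THRESHOLD:
            self._locked.add(account)
        if self.throttle:
            # Wait doubles with each consecutive failure: 1s, 2s, 4s, 8s, ...
            self._not_before[account] = now + self.base_delay * 2 ** (n - 1)
        return "failure"


def simulate(guard, account, timeline):
    """timeline: list of (seconds, credential_ok). Returns the outcome of each attempt."""
    return [guard.attempt(account, ok, t) for t, ok in timeline]


if __name__ == "__main__":
    # Constructed scenario: an attacker guessing once per second for 12 s,
    # then trying again once the five-minute window has moved on.
    guard = BruteForceGuard(throttle=True, lockout=False, base_delay=0.0)
    print(simulate(guard, "alice", [(t, False) for t in range(12)] + [(300, False)]))
```

The throttle-only configuration never refuses a correct credential outright; it only slows the attacker down. The lockout configuration is simpler but creates a denial-of-service lever against known usernames, which is why many deployments pair a lockout with a time-based unlock rather than a permanent one.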

Unsupported applications

Previously, the use of unsupported or legacy applications resulted in two Major Non-Compliances, which could still leave an overall ‘Pass’ result for Cyber Essentials.

It now results in three Major Non-Compliances and therefore a ‘Fail’ for the assessment. The exception to this rule is where the unsupported software is held on devices on a segregated sub-set network with no internet access.

Where the scope of the assessment is not for the “Whole Organisation”, the segregated sub-set network is permitted to have internet access “where the sub-set has been removed from the scope”.

Cloud service multi-factor authentication (MFA)

The MFA requirements under the User Access Control section have been extended to the cloud services that are now in scope.

  • All administrator accounts for cloud services are now required to have MFA in place.
  • From January 2023, all user accounts for cloud services will be required to have MFA in place. It is still recommended that this is applied throughout 2022.
  • MFA can be provided using one of the methods listed under the “Choosing extra authentication factors” section of the NCSC’s multi-factor authentication guidance, although it is important to note that the “using another piece of knowledge as an extra factor” option included in that guidance is not compliant with Cyber Essentials.

Here to help

Should you have any questions or concerns about these Cyber Essentials scheme changes, do not hesitate to get in touch. Our friendly team of cyber consultants will be happy to offer you pragmatic advice.

At Assure Technical, our people-first approach helps make security simple.
