Cyber Essentials, 24th January 2022, EVENDINE…


The new year brings with it an update to the Cyber Essentials (CE) programme. Arriving not long after the April 2021 ‘Beacon’ update, Evendine is the new set of requirements for Cyber Essentials. It launches on the 24th of January 2022 and represents the biggest overhaul of the technical controls since CE launched in 2014. All new assessments started from this date will need

There is also the suggestion that the technical controls will be reviewed, and possibly changed, more regularly. The consolidation from multiple accreditation bodies down to a single accreditation body, IASME, is no doubt responsible for this more agile approach.

These 2022 changes reflect the rapid and far-reaching changes in the way we have been working during the pandemic. As well as introducing many new requirements, they remove some and simplify others to reflect the difficulty of assessing devices that are naturally outside of an organisation’s control, such as home routers.

The biggest change is that cloud services are now fully in scope for the first time, having been excluded from the requirements previously.

There will be a 12-month grace period for some of the more complex updates to the requirements and the certificates issued by IASME will continue to have a 12-month expiry date.

If you are confident in your answers to the questions below, then you are off to a great start, but the new requirements of Cyber Essentials are strictly applied by the certification bodies and the accreditation body. You’ll need to be clear and explicit in your responses, covering all of the elements of each question as you go through the requirements of each control.

Incomplete or non-compliant answers will lead to your certification being unsuccessful until those points are addressed. You’ll need to be very confident, and clear, on the following points, as a minimum:

  • Do you have a list of all devices in the organisation? This can be partly automated using tools, but automated discovery often misses devices that are turned off or located elsewhere, so it may need to be completed manually.

  • Do you have a list of software and firmware, sometimes called a software asset list?

  • Is that software/firmware in vendor support and updated?

  • Do your software and operating systems update automatically wherever possible?

  • Do you have firewalls between your private networks and the internet?

  • Have ALL default passwords in your organisation been changed to a unique, hard-to-guess password of 8 characters or more?

  • Do you have a process for changing passwords that you suspect or know to be compromised?

  • Does your company have services accessible from the internet?

  • Have your devices been secured ‘out-of-the-box’? Devices often have poor default configurations.

  • Have default and unused accounts and logins been disabled or removed?

  • Is autorun disabled on all of your devices? When you plug in a USB stick, for example, it must not automatically run anything.

  • Do you have a password policy to advise your users about creating good unique passwords? Have you advised them on how to store those unique passwords?

  • Do your devices need a password/credential to access the device and data? Do users share those logins?

  • Do you have anti-virus/anti-malware software installed on all devices? Do you limit applications to an approved set/list?

  • Do you have a process for creating new users/logins and a process for removing them when appropriate?

  • How do you track and manage the creation or allocation of administration rights?

Those are only a subset of the questions, and unless you can answer them quickly and honestly, you’ve got some work to do. We can help you if you need it.

You can check your readiness, and find more detail on Cyber Essentials using the IASME readiness tool: Cyber Essentials Readiness

Once CE is assessed and you gain the certification, your company will be able to say you have implemented the core controls that help prevent most common cyber attacks. This is a significant achievement that many businesses have not attained.

Cyber Essentials

Certification Number:
IASME-CE-034163

  • You can communicate to your customers and within your business that you take cyber security seriously.

  • You can attract new business and contracts or additional funding and grants that stipulate Cyber Essentials as a prerequisite.

  • You’ll be listed in the directory containing CE-certified companies.

  • You, and your company, can feel good that you’ve made substantial effort and progress in your security aims this year, and next year will be even greater.

At 365labs we’re proud to hold the Cyber Essentials certification, and if you need help getting ready for Cyber Essentials, contact us for a chat.
