Cyber Essentials is changing. You might have heard that one before! In April 2020 the scheme went through a massive change. The NCSC (National Cyber Security Centre) made the decision to switch to a single accreditation body (IASME) rather than five, and a new question set was released. Since then, the scheme has gone through one small revision in April 2021 known as Beacon. From January 24th 2022 a major change to Cyber Essentials is coming and any Cyber Essentials Self-Assessment certifications started after this date will be assessed under the brand-new scheme update, known as Evendine.
In previous updates there have been very few changes to the scheme requirements themselves, however, with Evendine there have been wholesale changes made that changes the scope of Cyber Essentials and the controls that need to be applied to devices within that scope.
The new "Requirements for IT Infrastructure v3" document can be found on the NCSC's website:
The new "Cyber Essentials Evendine" offline question set can be found on IASME’s website:
IASME has released a summary blog that goes over the changes at a high level:
NOTE: It is vital to the success of Cyber Essentials Certification applications after January 24th 2022 that you read, understand, and implement the changes detailed in the “Requirements for IT Infrastructure v3” document, and are prepared to answer and attest your compliance by answering the Evendine Self-Assessment questions.
There have also been changes made to the Cyber Essentials Plus Certifications, with two additional tests added to the auditing methodology and changes made to what constitutes a passing mark. These are detailed in the Cyber Essentials Plus section of this post.
To try and help the transition process between Beacon and Evendine, we have created this document which we hope can help you better understand some of the changes to the scheme, highlight some of the key areas we notice applicants often fail on, with some advice on preparing for success throughout. Every organisation will have their own individual challenges, and importantly this document should not be considered a full and comprehensive guide to passing Cyber Essentials, rather provides additional guidance based on our wealth of experience.
Included in the Evendine updates is a new scoping diagram illustrating what is and is not in scope for Cyber Essentials. This differs from previous versions of the diagram, with the most obvious change being the inclusion of PaaS/SaaS (Platform-as-a-Service/Software-as-a-Service) within scope. There is also an explicit statement that "A scope that does not include end-user devices is not acceptable", making it clear that we are unable to certify cloud services only. If you are struggling to understand the scope of Cyber Essentials, this diagram may prove useful.
Where possible, we are more than happy to arrange a "scoping call" before your assessment to validate the scope is accurate before progressing with your assessment/renewal. Please speak to your account manager at Sec-1, Part of Claranet Cyber Security (referred to as Claranet Cyber Security herein) to arrange this.
Boundary of Scope Diagram (from the NCSC's Requirements for IT Infrastructure document)
It is always advised to include your entire organisation in scope of your Cyber Essentials application. However, in the real world, this isn't always possible to do, so we wanted to add a section to clarify what options are available if you have software/devices that are not compliant with the scheme and how these should be declared (if at all). Having a crystal-clear scope is essential in understanding where the schemes controls must be applied.
The new scheme requirements make it a little clearer as to what the procedure is for de-scoping non-compliant devices/software. The term "sub-set" has been added to the scheme definitions and is defined by IASME as "a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.". You can use a sub-set to decide what is included or excluded from scope. If your organisation has a requirement to continue using legacy systems or software, then in all circumstances these must be moved onto their own sub-set to allow them to be removed from the Cyber Essentials scope. Where sub-sets are used, “Whole Organisation” certification can only be achieved if the sub-set(s) is(are) completely blocked from accessing the internet.
Below are a couple of rules of thumb to keep you right:
- If descoped devices need to connect to the internet (for example, a legacy server that needs to be accessible to customers over the internet, or the device needs to download software updates) then you must ensure that these devices are placed on their own network (separated from the in-scope network by either firewall or VLAN), i.e. sub-set, so there is at least 1 extra "hop" between the internet and the subset, i.e. a firewall between the network subnet and the internet. The devices in the out-of-scope sub-set must not be able to connect in-scope devices, with blocking conducted at the network layer. In this instance, you will not be able to achieve "Whole Organisation" certification and instead will need to explicitly exclude this "sub-set" from scope in A2.2 with the scope description: "Whole Organisation Excluding INSERT SUBSET NETWORK NAME".
- If the sub-set network does not need inbound or outbound internet connectivity, for example, a development network where software is tested on legacy systems (that would normally be noncompliant with Cyber Essentials), then these servers/software can be placed on their own VLAN (or placed on their own network by firewall). As there is no inbound or outbound internet access from this sub-set (blocked at the network layer) you can achieve "Whole Organisation" certification, and do not need to declare these devices anywhere in the application. Importantly, devices on the in-scope network can still contact these out-of-scope devices. The key thing is that the subnet containing legacy/unsupported software/servers has all inbound and outbound internet connectivity blocked at a network layer. Software firewalls cannot be used to remove a legacy server out of scope, so you should consider what impact that may have on your organisation.
Other Important Notes:
- It is not acceptable to descope all end-user devices
- It is not possible to descope cloud services used by your organisation
- All devices/software/firmware in scope (including BYOD) must be supported and all controls applied.
This is the biggest change to the scheme and will require your organisation to review your cloud services ensuring you meet these Evendine updates before applying for Cyber Essentials Self-Assessment or having a Cyber Essentials Plus Certification conducted.
Where previously only IaaS (Infrastructure as a service) was considered in-scope for Cyber Essentials, with Evendine, PaaS (Platform as a service) and SaaS (Software as a service) are now included and need to have all scheme controls applied, either by your organisation where possible and if not, by the cloud provider.
The NCSC's description of cloud services can be found in the most recent “Requirements for IT Infrastructure v3” document, but for clarity, we have included them here:
Infrastructure as a Service (IaaS) - the cloud provider delivers virtual servers and network equipment that are configured and managed by the applicant, much like physical equipment would be. Examples of IaaS include Rackspace, Google Compute Engine, and Amazon EC2.
Platform as a Service (PaaS) - the cloud provider delivers and manages the underlying infrastructure, and the applicant provides and manages the applications. Examples of PaaS include Azure Web Apps and Amazon Web Services Lambda.
Software as a Service (SaaS) - the cloud provider delivers applications to the applicant, and the applicant configures the services. The applicant must still take time to ensure the service is configured securely. Examples of SaaS include Microsoft 365, Dropbox, Gmail.
The “Requirements for IT Infrastructure v3” document makes it clear that the responsibility for ensuring the scheme's requirements are applied to cloud services rests with you, the applicant, no assumptions can be made as to who is responsible for each control theme, and it is important to understand that cloud services are not secure "out of the box". Whilst organisations may only be responsible for the configuration of some elements of the five key control themes laid out in Cyber Essentials, for those themes that you cannot control (as an example, malware protection on PaaS and SaaS applications is normally provided by the cloud provider) you will need to look at the terms and conditions of your agreement with the cloud provider and confirm in their security and privacy statements/Trust Centre documentation that the cloud provider themselves are adequately applying those controls to the service. This is no small task and might be difficult to confirm requiring you to contact the respective vendors to gain more information so you can be sure you are compliant.
In regard to user/admin accounts for cloud services, this is covered in the "Requirements for IT Infrastructure" document and is summarised in the "Password-Based Authentication" section of this document, but in short, all administrative users of cloud services must have MFA applied as of January 24th 2022, and all standard user accounts will need MFA when certifying in 2023, in the meantime, user accounts will need either:
- 12 character passwords, or
- 8 character password when there is a technical control to deny bad passwords.
Please be sure to read the “Requirements for IT Infrastructure v3” document in full as this is only a summary and there are other changes you need to understand.
Steps we suggest you take in preparation:
- Identify ALL cloud services your organisation uses across ALL departments
- List them out as either IaaS, PaaS, or SaaS (you will be required to do this on your scoping document and on your Self-Assessment)
- For each cloud service, refer to the table below
- If the table says "applicant" only, your organisation will need to ensure the adequate configuration is in place on the cloud service
- If the table says "both applicant and cloud provider" you must ensure the elements in your control are configured, and the elements outside of your control are being handled by the cloud provider
- If the table says, "cloud provider", you will not be expected to implement the controls yourself but will need to seek assurance that the cloud provider is meeting this control
- If you are unable to get sufficient information from the cloud provider’s website, contact them directly to confirm. Ask what certifications they hold as it may prove useful in demonstrating certain controls are being met (i.e. ISO27001, PCI DSS, etc)
- Confirm that MFA is available on the cloud service (for admin and user accounts)
- Document this information so that it is easily accessible when you come to certify
Both applicant and cloud provider
Cloud provider and sometimes also the applicant
Both applicant and cloud provider
Both applicant and cloud provider
Both applicant and cloud provider
User Access Control
Both applicant and cloud provider
Cloud provider and sometimes also the applicant
Security Update Management
Both applicant and cloud provider
Both applicant and cloud provider
1.4. Declaring Devices – Model of hardware is now required
When declaring the quantities of devices (including servers and end-user devices) in use within your business, you will now be expected to list both the model of hardware and Operating System (OS) on all devices that are within the scope of the assessment, and specifically for Windows 10, you MUST include the OS Edition/Feature.
Note: In previous years we did not require the model of a device, but the NCSC/IASME have insisted that this must be included to pass Self-Assessment as there have been cases of Windows 10 devices being installed on 10-year-old laptops going through certification that will not have received firmware updates in many years. Where possible, the assessor will confirm the model is supported, however, if it isn't possible to find it online, the burden of proof will be with you, the applicant, to provide evidence that the device is still in support.
Your organisation will need to ensure that you are keeping an up-to-date asset register of all devices in use at your organisation (importantly - this includes BYOD mobiles/laptops/desktops), so that when you come to certify you have this model of hardware models/OS information to hand. A well-kept asset register will help you keep track of your devices throughout the year and ensure all devices are running supported hardware/software and will make your Cyber Essentials certification much easier. There is also agent-based software that can report centrally the status of devices at your organisation which may help this process.
As tracking BYOD devices can be difficult, we would suggest having a process for "on-boarding" a BYOD device so that the owner/make/model/OS can be documented whenever a staff member wishes to use their own device to connect to company data. You should also prepare your staff for the possibility that, if they choose to use a BYOD device, the device may need to be tested during Cyber Essentials Plus auditing which should be covered through employment contracts or internal policy. The recommendation is to cover this off with HR to ensure adequate coverage for BYOD.
An example of how to declare devices would be:
- 20 x “HP Envy” Desktop running Windows 10 Enterprise 20H2
- 10 x Macbook Pro 2021 running MacOS Catalina
The portal will allow you to upload a CSV file, however you will need to ensure this file contains all the relevant information required before upload.
Do you use thin clients? From 2023, these will need to be supported and be receiving regular security updates (previously it was possible to pass with two major non-compliance), so we suggest taking a full inventory of your thin clients and assess the EOL dates for both OS and firmware to plan for 2023 to help ensure compliance in 2023 is maintained, and ensure all upgrades are completed before your Self-Assessment renewal in 2023.
A thin client is a device, normally with limited functionality, that is used to connect to VDI (Virtual Desktop Infrastructure) but does not normally store any organisation data.
The questionnaire now includes specific questions surrounding Thin Clients, whereas previously these would be grouped under the Devices question.
BYOD - do you really need it? During the first few months of the pandemic, many organisations were scrambling to find solutions to keep the business operating and BYOD became a necessity for most organisations who didn’t have enough equipment to support an entire workforce working from home. BYOD is in scope for Cyber Essentials and must have all controls applied the same as a corporate device. This includes laptops, desktops, mobile devices and tablets if they connect to company data (including cloud services).
This means that you must have a compliant BYOD policy provided to staff and backed up by training to help them understand what is required of their device/configuration so that your organisation remain compliant with the scheme. The use of a Mobile Device Management (MDM) platform can help enforce some of these controls or provide oversight of BYOD devices’ compliance, however it is not a requirement to use an MDM so long as good training and policy are used.
If using a MDM, you will likely need to use Conditional Access policies or have a rigorous process for manually blocking devices that fall out of compliance quickly when identified. In either case, you will need to keep an inventory of every BYOD device that is connecting to your data so you can declare them sufficiently on your Self-Assessment. We would advise, where BYOD isn't a critical requirement for your business, use corporate devices that you have full control over instead as this is much simpler to keep compliant.
To be clear (as there has been some confusion in the past), even if a BYOD device is connecting to a VDI solution where no data can be transferred between the devices, that does not mean the BYOD device out of scope. Furthermore, a BYOD device that connects to any cloud service, including O365 or Gsuite for example, would bring the connecting device into scope of your assessment.
Many organisations allow BYOD mobiles and we have seen compliant ways of making this work. In most cases, a combination of a well configured MDM with conditional access policies backed up with a BYOD policy that states the device must (among other things detailed in the “Requirements for IT Infrastructure v3” document) have a supported and up to date OS (within 14 days of new patches), applications/OS set to automatic update (at a minimum, business applications used to connect to company data must be up to date, such as Outlook or web browsers used to connect to cloud services. This does not apply to corporate mobiles where all updates must be applied), a minimum 6-character pin applied (with rate limiting/lockout in place), and that the device must not be jailbroken/rooted or allow applications to be installed from untrusted sources (i.e. unsigned applications downloaded from the browser, rather than the Appstore/Playstore).
An important note: If staff are only using their BYOD mobile device for either text messaging (i.e SMS), calls or to use an MFA application, this does not bring their mobile device into scope and you do not need to declare this on your Self-Assessment . If the device is used to connect to either on-premise servers or cloud services (including O365), then this will bring the device into scope and therefore must be declared on your Self-Assessment.
BYOD Laptops/Desktops are considerably more challenging than BYOD mobile devices. If you allow BYOD laptops/desktops to access company data then these fall into scope the exact same as a corporate device. There is no circumstance that BYOD can be excluded from scope, and all requirements of the scheme must be applied to these devices. This means all software must be licenced and supported, AV installed, all software set to automatic update and patched within 14 days (including personal software not used for work purposes), minimum password length of 12 characters, etc. - literally all controls. From our experience, organisations tend to fail Cyber Essentials Plus when BYOD laptops/desktops are in use.
During your Self-Assessment, you will also be required to list the Make/Model/OS Version of BYOD devices, along with some information about what is installed on those devices (such as Office software, Browsers, Email Clients, AV) and ensure it is all supported/up to date/scheme compliant. So, whenever a user wants to use BYOD, you will need to have a process in place to capture this information, otherwise you must advise staff they cannot connect to company data using BYOD.
On this basis, we suggest you ask yourself whether BYOD devices (especially laptops/desktops) are necessary for your business and if so, you will need to work hard to use them compliantly. A sample of these devices will need to be tested during a Cyber Essentials Plus audit.
Through the pandemic there has been a massive uptake on home working and many industries see this as becoming a normal working practice for many workers. The new scheme requirements make it clear that ISP provided home routers are out of scope of your assessment, and that corporate/BYOD devices in the home environment or other untrusted networks must be protected by a properly configured software firewall that blocks all incoming traffic from the untrusted network. On that basis, we suggest auditing all devices (including BYOD) used remotely such as within home environments, cafes, airports etc ensuring they have a “public” firewall profile set to block all inbound connections ahead of your audit, and that these network locations are defined as “Public” locations. This will be checked during a Cyber Essentials Plus audit.
During your Self-Assessment you will not be required to list home networks or ISP provided routers, unless your organisation provides the staff member with a corporate owned router.
A home worker is now defined as "Any employee contracted or legally required to work at home for any period at the time of the assessment". "Legally required to work at home" will obviously apply if, due to the on-going pandemic, there are future lockdowns that prevent staff going into the office to work.
There have been changes made to the password-based authentication controls required by the scheme and it is important to ensure that, before renewal, you are compliant with these changes.
All routers/firewalls administrative portals must either have MFA enabled with a minimum 8-character password applied, or be made only accessible from the LAN, or have internet-based access limited to a small set of IP addresses (for example when you have an MSP who configures these devices on your behalf). If none of these protections are in place, this would be considered a failure for Cyber Essentials.
We suggest doing an inventory of all routers/firewalls used at your organisation (including those managed by third parties) to ensure these controls are met before your certification begins. This will be tested as part of Cyber Essentials Plus.
On previous iterations of the scheme there was a requirement for devices (such as mobiles/tablets or laptops using Windows Hello) that make use of a PIN to unlock the device to have 8-character passwords. This has changed with the new scheme requirements by way of a new "Device Unlocking" section added to account for these devices. There are two questions in the Self-Assessment that address the requirements.
The first requirement is that a PIN with a minimum of 6 characters must be applied to the device, enforced within the device settings, MDM policies (if available) and good staff training/policy. The use of a PIN with a length of at least 6 characters can only be used where the credential is used solely to unlock a single device and does not provide access to organisational data and services without further authentication (i.e. a Windows laptop would require a user to login with their user account that has a password that meets the new password requirements, but a Windows Hello pin can be set to allow the user to lock/unlock that device when they are away from keyboard, see 1.11 of this document). This also applies to BYOD devices, so be sure that your BYOD policy reflects this as it may be checked during a Cyber Essentials Plus audit, along with the configuration of a sample of devices and your MDM policies (if an MDM solution is in use).
The second requirement is that the device must be configured with brute force protections, locking the device for an amount of time if too many failed login attempts are made. We believe that iOS and Android both do this by default, however, it is vital you confirm on your own devices that this is the case. For BYOD, you will need to ensure you have an airtight BYOD policy that advises what level of configuration is required, and for corporate devices you will need to ensure the relevant settings are applied before the handset is provided to the end user (and spot checks conducted to confirm compliance).
Below are the new questions you will be asked during Self-Assessment to confirm this:
- A5.10. When a device requires a user to be present, do you set up a locking mechanism on your devices to access the software and services installed?
- A5.11. Which method do you use to unlock the devices and what brute force protection is in place?
Please note that this will be validated during Cyber Essentials Plus.
It is a scheme requirement that all operating systems, firmware, and installed applications (including on BYOD devices) be supported by the vendor and receive security updates. If any device/software is unsupported and, within scope, you will not achieve Cyber Essentials certification unless those devices/software are moved to out-of-scope sub-set (this can only be done during the Self-Assessment phase and not during the Cyber Essentials Plus audit), so it is vital that you keep a regularly updated register for all of the above that tracks the EOL dates, how it should be patched, what devices the OS/software is installed on, and maintain it to ensure compliance.
During your Self-Assessment you will be required to declare the versions of your OS, Office applications, Email clients and Browsers across all devices (including BYOD) however, it is important to understand that the controls are not limited to these types of software and applies to everything installed on a device. ALL software must be set to automatically update, and if this is not supported or configured, you must declare on the Self-Assessment what other method you use to deploy updates within the 14-day time frame for all Critical and High security vulnerabilities as set out by the scheme. Before your certification you should ensure your register is up to date, and for each installed software, ensure that automatic updates are applied and if they are not available ensure there is a robust plan for patching these systems manually as required.
During Cyber Essentials Plus, a vulnerability scan will be performed on a sample of your devices. If any critical/high vulnerabilities are identified, they will need to be remediated and the root cause investigated. In previous years, only missing patches that met very specific CVSSv3 metrics were required to be patched to pass, however as of January 24th, 2022 this will change. Any vulnerability, as described by the vendor as a critical or high, will now need to be patched to pass - this significantly raises the bar for passing Cyber Essentials Plus bringing it in line with the questions asked in the Self-Assessment.
We find that organisations that allow users local administrative privilege to their device often fail during the vulnerability scan sub-test on a Cyber Essentials Plus audit as there is frequently software installed that has not been configured by the IT department and therefore isn’t following corporate policy by way of enabling automatic updates and then gets forgotten about when no longer required. Our suggestion is that if any staff member requires additional software for their job, a process is put in place for them to contact your IT team so that the software can be added to the asset register, licensed correctly, configured for automatic updates and removed when no longer necessary to prevent this occurring.
Important Note: The scheme is only interested in software being supported and critical/high security updates applied within 14 days. Feature updates that do not address critical/high security updates do not need to be applied to pass.
As of 2023, all unsupported applications will need to be moved to a subnet with no inbound/outbound internet connectivity, i.e. a sub-set as defined by Cyber Essentials, to be considered compliant with the scheme. At present, unsupported applications would attract a major non-compliance and, in some circumstances, you may still be able to pass Cyber Essentials certification, however as of 2023 it will need to have been moved to a sub-set. We would suggest looking to get ahead of this change and moving such services to their own VLAN or firewall off this network completely from internet access. It will not be acceptable to use a software firewall to descope these servers/applications. If you have legacy software that needs to be connected to the internet, you need to VLAN/Firewall off this software (at least 1 additional "hop") and explicitly declare this as out of scope - you will not be able to achieve "Full Organisation" certification in this instance and devices within this network should not be able to contact the in-scope network at all.
The scheme requirements surrounding password-based authentication have changed, and you will need to prepare your systems, people, policies and training to match these changes. There is a new dedicated section to address this in the questionnaire, updated guidance in the requirements document, and more explicit questions to ensure that all systems requiring password-based authentication are protected against brute force attacks.
It is a requirement to ensure brute force password guessing attempts are mitigated for by:
- Using MFA on all accounts, or
- Throttling Login Attempts, or
- Account Lockouts
You will now be asked to explicitly declare which option(s) your organisation chooses to implement and describe how this is done on your Self-Assessment for all devices/on-prem/cloud services. As always, further information is found in the new “Requirements for Infrastructure v3” document, and you must read and understand this.
For all authentication mechanisms (including cloud) you need to use technical controls to implement one of the following:
- using multi-factor authentication (with minimum 8-character passwords), OR
- a minimum password length of at least 12 characters, with no maximum length restrictions, OR
- a minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list (note that not all services will offer this, and evidence will be required to be provided during Cyber Essentials Plus that this is in place)
Important note: Regarding cloud services specifically, it is now a requirement to implement MFA on all Administrator accounts (IaaS, PaaS and SaaS) as of January 24th 2022 (if you are certifying under the Evendine CE scheme version). As of 2023, it will become a requirement that all administrator and user accounts are protected by 2FA, so taking the time to confirm that this functionality is place is vital to achieving certification.
You need to ensure that all personnel at your organisation are supported with training/guidance in choosing strong passwords by:
- educating people on how to avoid common or discoverable passwords, such as a pet's name, common keyboard patterns or reusing passwords used elsewhere. This could include teaching people to use the password generator feature built into some password managers
- encouraging people to choose longer passwords. This can be done by promoting the use of multiple words (a minimum of three) to create a password, (e.g., 'Three Random Words')
- providing usable secure storage for passwords (for example a password manager or secure locked cabinet) with clear information about how and when it can be used
- not enforcing regular password expiry
- not enforcing password complexity requirements
ALL staff need to be aware of the established process for changing passwords promptly when becoming aware of or suspecting that an account password has been compromised. This ensures that in the event of compromise, the potential impact can be minimised.
Within this section, we have discussed what we think the best approach is to ensure compliance with the scheme’s password-based authentication changes. As MFA is not available on all services (for example, currently it is not natively available on AD), and not every service will have the ability to block common passwords (for example, this is available functionality for AzureAD, but not natively available on on-premise AD without additional software), the easiest option is likely to increase your minimum password requirements for all services to 12 characters for all standard user and administrator accounts. That said, MFA certainly provides the best levels of protection and should be implemented on all services wherever this is supported. MFA that uses SMS is considered compliant, although it is often argued that this is not the most secure method of implementing MFA.
In addition to changes made to the Cyber Essentials scheme requirements, further changes have been made to the Cyber Essentials Plus certification and auditing process bringing it more in line with the Self-Assessment. In previous years there was some degree of disconnect between the two certifications. Below is a quick summary of the key changes (as we currently understand them) and how they might affect you during an audit.
As of yet (December 16th, 2021), the new "Illustrative Test Specification" document that guides CE Plus assessors on what tests need to be performed during an audit has not been released. On that basis, it is hard to say exactly what the full process for CE Plus on the Evendine version of the CE scheme will look like, however we have been advised by IASME of a couple of changes this year so far:
The key difference this year is that all Cloud services are now in scope of Cyber Essentials and cannot be excluded, and so a further inspection of these services and their configuration will be required.
A new sub-test has been added to Cyber Essentials Plus. It is now a requirement for the assessor to confirm that MFA is applied to all cloud services for all administrative accounts. Cloud services with no MFA for admin accounts will be marked as a failure for that sub-test unless remediated. The process for testing will likely be a guided tour of all your cloud services and an inspection of the user account configuration process, along with a practical demonstration to show that MFA is working on all cloud service’s administrative accounts.
As of 2023, all standard user accounts will also require MFA and this test will likely apply to those accounts too, however we do not yet need to test this (it would be worth making plans for this now!).
The scheme requirements make it clear that all services should have rate limiting/account lockouts in place where MFA is not available on all user accounts and/or services (the same as previous years), and that ports are only opened when there is a documented business case and rules removed when no longer required. It may be worth, during your preparation exercises, to confirm that all these settings are still in place.
On that basis, we suggest auditing all your organisations cloud services ahead of your Cyber Essentials journey or renewal, confirming that MFA is applied to all administrative accounts. You will need to provide a list of all cloud services during your Self-Assessment, so this is a perfect time to take stock and investigate your level of compliance ahead of your Cyber Essentials Plus audit ensuring that you don't get any horrible surprises. It is not currently clear what the overall effect of having cloud services that do not offer MFA at all is, so please discuss this with your assessor at time of certification.
1.12.2. Internal Testing - Additional Test Added (confirming standard users are not also administrator)
A new sub-test has been added to the internal testing during a Cyber Essentials Plus audit. On all end user devices in the test sample, your assessor will now be required to confirm that the user of the machine is not running as an administrator account for day-to-day work. This will likely be tested by attempting to install a benign program from a “.msi” file to confirm that UAC requires the user enter a separate set of credentials, and by checking membership of the local ‘Administrators’ group, and equivalent.
As the scheme requirement has always been for all users (including IT) to be provided separate user accounts for day-to-day work, this shouldn't be much of a shock, however if you suspect there may be fringe cases within your organisation or the potential that some end user accounts may be running with administrative privileges, then we suggest this is investigated before your audit.
For MacOS/Linux devices specifically, please note that there must be account separation between the user account (used for day-to-day work like email/web browsing) and the administrative account of the machine. It is not compliant for a user to be a part of the "sudo" user group - there must be complete separation.
In the past, some organisations have provided a "representative" temporary test user account during a Cyber Essentials Plus audit for conducting the desktop test-cases. Due to the inclusion of this subtest, it seems impossible for this to be an option and all testing must be conducted on live user accounts. To help facilitate this testing, we have recently acquired a licence of Splashtop allowing your assessor to connect to desktops of live users without needing to provide us their password.
During your previous Cyber Essentials Plus audits you will no doubt have been explained that, when a vulnerability is identified when performing a Credentialed Nessus scan of your end user devices (normally a missing patch), that the vulnerability identified needs to meet specific CVSSv3 metrices to be considered a failure, and if these were met then that software would need to be patched.
In many instances, this would result in some Critical/High vulnerabilities being present on audited systems that didn't need to be patched, often because the vulnerability was only exploitable on the local machine, user interaction might have been required or there was no exploit code available online.
This has now changed. It is now a requirement that all critical and high vulnerabilities as described by the vendor must be patched, regardless of the CVSSv3 metric. This significantly raises the bar for Cyber Essentials Plus over previous years.
The best way to prepare for this change is by reviewing your software approval, installation, and maintenance processes are robust enough to ensure that:
- Any software (including third party software such as VLC, Adobe Reader etc) installed on your devices should be logged somewhere and configured to either automatically update where possible or added to your patch management software
- All unnecessary software is removed either at deployment or retrospectively when no longer required (including bloatware)
- Deploying software that allows you to see what software is installed on remote devices would also be a huge benefit
- Perform your own vulnerability scan using Nessus on a credentialed patch audit and ensure all similar builds have remediation conducted
- All software is authorised and installed by IT, even where end users may have separate administrative accounts
Remember, BYOD devices must mee the same controls as corporate owned devices AND during your Self-Assessment, you will be required to list the Make/Model/OS of BYOD devices, along with some information about what is installed on those devices (such as Office software, Browsers, Email Clients, AV) and ensure it is all supported/up to date/scheme compliant.
This is incredibly challenging, and from experience organisations do not tend to pass Cyber Essentials Plus when BYOD laptops/desktops are allowed. On this basis, we suggest that you consider whether BYOD laptops/desktops are needed, and if so, you will need to ensure all devices meet the controls set out in the scheme. A sample of these devices will need to be tested during a Cyber Essentials Plus audit, so you will need to ensure your agreement with staff using BYOD includes a provision for an external company to perform testing on their device.