What are the changes to Cyber Essentials?

April 26th 2022 Update

  1. An update to the Bring Your Own Device (BYOD) 
  • User-owned devices which access organisational data or services are in scope (native voice and SMS text applications are out of scope alongside multi-factor authentication usage). 
  • Clarification on when and where software firewalls are acceptable as the internet boundary. 
  • A boundary firewall is a network device which can restrict the inbound and outbound network traffic to services on its network of computers and mobile devices. It can help protect against cyber-attacks by implementing restrictions, known as ‘firewall rules’, which can allow or block traffic according to its source, destination and type of communication protocol. 

Alternatively, where an organisation does not control the network that a device is connected to, a host-based firewall must be configured on a device.  

This works the same way as a boundary firewall but only protects the single device on which it is configured. This approach can provide for more tailored rules and means that the rules apply to the device wherever it is used. However, this increases the administrative overhead of managing firewall rules. 

Security update management 

  1. The name ‘patch management’ control has been changed to ‘security update management’. 
  1. This will include automatic updates where possible and clarify the position on updates that do not include details of the level of vulnerabilities that the respective update fixes. 

The Applicant must keep all its software up-to-date. Software must be:  

  • licensed and supported  
  • removed from devices when no longer supported  
  • have automatic updates enabled where possible  
  • updated, including applying any manual configuration changes required to make the update effective, within 14 days* of an update being released, where:  
  • the update fixes a vulnerability with severity the product vendor describes as ‘critical’ or ‘high risk’  
  • there are no details of the vulnerability severity level of the update fixes provided by the vendor.  

For optimum security and ease of implementation, it is strongly recommended that all released updates be applied within 14 days. Any longer would constitute a serious security risk while a shorter period may not be practical.  

  1. User access control has been expanded to include third-party accounts that have access to the certifying organisation’s data and services. 

The Applicant must be in control of its user accounts and the access privileges granted to each user account that has access to the organisation’s data and services. This means the Applicant must: 

  • have a user account creation and approval process  
  • authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)  
  • remove or disable user accounts when no longer required (when a user leaves the organisation) 
  • implement two-factor authentication, where available  
  • use administrative accounts to perform administrative activities only
  • remove or disable special access privileges when no longer required (when a member of staff changes role) 

If you have any further questions regarding Cyber Essentials, please email info@d2na.com or call us on 03301 59 59 69. Click Here to request a Cyber Essentials Quote. 

cyber essentials


500 King Street, Longton, Stoke-on-Trent, ST3 1EZ

Need Help?