Changes to the Cyber Essentials scheme in 2022
Cyber Essentials is a UK government scheme designed to help organisations of all sizes guard themselves against the most common Internet-based cyber security threats and demonstrate their commitment to cyber security. From 1 April 2020, the IASME Consortium (IASME) became the Cyber Essentials partner with the NCSC (National Cyber Security Centre). On January 24th 2022, some of the technical control requirements changed in line with recommended security updates to reflect the changing cyber threats in today’s digital environment.
What is required for certification to Cyber Essentials Plus?
Cyber Essentials Plus provides a more advanced level of assurance and includes a technical audit of the systems that are in scope for Cyber Essentials. Organisations applying for Cyber Essentials Plus must also pass an on-site or remote assessment, internal vulnerability scans, and an external vulnerability scan conducted by a certification body such as ourselves.
How long will it take between submitting our online SAQ and receiving our certificate?
For Cyber Essentials Plus, it is possible to get from application to certification within three days, depending on your current security setup and speed of action. However, most organisations take about a fortnight to complete the assessment.
What can we expect from the Cyber Essentials Plus application process?
Your Cyber Essentials Plus package will be automatically fulfilled on purchase. Once the purchase is completed:
- You will receive confirmation of your purchase at the email address you provided.
- If you have opted for some support hours, our projects team will contact you to arrange the support.
- Our projects team will be in touch to arrange a date and time to conduct the technical assessment.
Once the assessment is complete, your assessors will provide feedback on the result.
If the result is a ‘pass’:
- A Cyber Essentials Plus certificate will be issued for you to download from the IASME portal, along with a copy of your assessment and branding information on how you can display your certification mark.
- The Cyber Essentials Plus certification process is complete, and your certificate is valid for 12 months.
If the result is a ‘fail’ or ‘more information’:
- Review the feedback provided by your assessor. If you have purchased a Cyber Essentials package that includes consultancy support and you have support time remaining, one of our cyber security experts can help you understand how to address any non-compliant areas.
- You have up to ten working days to fix the issues identified and let our projects team know you are ready to reassess.
- If you receive a second fail or do not resubmit within ten working days, you will need to buy a new package and complete the process again.
You have six months from the purchase date to complete your application. IASME manages the archiving of applications; once an application has been archived, you will need to purchase a new package to continue.
Can we still use Windows 7 or Windows 2008 Server?
No, this would be regarded as an instant fail as the software is unsupported (both went End of Life in January 2020). In circumstances where your organisation has paid for Extended Security Updates (ESU) from Microsoft for every device that is unsupported, this will be considered permissible as technically the software is supported.