Technical controls update includes revisions surrounding the use of cloud services, multi-factor authentication, and password management. New pricing structure better reflects organisational size and complexity.

The UK’s National Cyber Security Centre (NCSC) is updating its requirements for the Cyber Essentials scheme, a government-backed certification that helps UK organisations defend against common cyberthreats. The update is in response to the evolving cybersecurity challenges that organisations now face and represents the most significant overhaul of the scheme’s technical controls since it was launched in 2014. The NCSC is also introducing a new Cyber Essentials pricing structure which better reflects organisational size and complexity.

Technical controls update reflects modern cybersecurity landscape

NCSC said the technical controls refresh reflects the impact of digital transformation, adoption of cloud services, and the move to home/hybrid working on current working and cybersecurity norms. The update includes revisions surrounding the use of cloud services, multi-factor authentication (MFA), and password management. Changes have been implemented with input from NCSC technical experts and are based on feedback from assessors and applicants, along with consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements will officially release on January 24, 2022. All Cyber Essentials applications starting on or after this date will use the updated version, although the NCSC stated there will be a grace period of up to 12 months for some of the requirements. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected.
Speaking to CSO, Cyber Essentials certification provider Richard Andreae says the new revisions are much needed and will help businesses better secure organisational data. “The biggest changes to the requirements are the inclusion of cloud services; this is well overdue as most businesses today use these services and now, they are required to make sure that these services are as secure as those of their in-house systems,” he says.

A lot of the questions have been tweaked to remove ambiguity, and with this the marking will become tougher, Andreae adds. “Any organisation applying for certification after January 24 will be expected to have a better understanding of the security they have available in their cloud services, in particular the use of MFA. This could impact businesses in a big way, as having to implement MFA for all cloud services could be time consuming and disruptive. Another potentially costly and disruptive change is the inclusion of thin clients in the scope. If an organisation is using thin clients on unsupported operating systems, then these will need to be updated.”

New pricing structure adopts internationally recognised definition for enterprise size

Along with the technical controls update, the NCSC is implementing a new pricing structure, which also launches on January 24. This structure adopts the internationally recognised definition for micro, small, medium and large enterprises. Currently, all assessments are charged at £300. However, while the price will remain £300 plus VAT for micro organisations (up to nine employees), small (10 to 49 employees), medium (50 to 249 employees), and large organisations (more than 250 employees) will be required to pay more – £400, £450, and £500 (all plus VAT), respectively.

Commenting on the pricing restructure, NCSC’s head of commercial assurance services Anne W said: “This price change reflects the increasing levels of rigour that go into every assessment.
While Cyber Essentials is designed to help any organisation attain a minimum level of cybersecurity, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size.”