UK NCSC updates Cyber Essentials technical controls requirements and pricing structure

The UK’s National Cyber Security Centre (NCSC) is updating its requirements for the Cyber Essentials scheme, a government-backed certification that helps UK organisations defend against common cyberthreats. The update is in response to the evolving cybersecurity challenges that organisations now face and represents the most significant overhaul of the scheme’s technical controls since it was launched in 2014. The NCSC is also introducing a new Cyber Essentials pricing structure which better reflects organisational size and complexity.

Technical controls update reflects modern cybersecurity landscape

NCSC said the technical controls refresh reflects the impact of digital transformation, adoption of cloud services, and move to home/hybrid working on current working and cybersecurity norms. The update includes revisions surrounding the use of cloud services, multi-factor authentication (MFA), and password management. Changes have been implemented with input from NCSC technical experts and are based on feedback from assessors and applicants, along with consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements will officially release on January 24, 2022. All Cyber Essentials applications starting on or after this date will use the updated version, although the NCSC stated there will be a grace period of up to 12 months for some of the requirements. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected.

Speaking to CSO, Cyber Essentials certification provider Richard Andreae says the new revisions are much needed and will help businesses better secure organisational data. “The biggest changes to the requirements are the inclusion of cloud services; this is well overdue as most businesses today use these services and now, they are required to make sure that these services are as secure as those of their in-house systems,” he says.

A lot of the questions have been tweaked to remove ambiguity, and with this the marking will become tougher, Andreae adds. “Any organisation applying for certification after January 24 will be expected to have a better understanding of the security they have available in their cloud services, in particular the use of MFA. This could impact businesses in a big way, as having to implement MFA for all cloud services could be time consuming and disruptive. Another potentially costly and disruptive change is the inclusion of thin clients to the scope. If an organisation is using thin clients on unsupported operating systems, then these will need to be updated.”

New pricing structure adopts internationally recognised definition for enterprise size

Along with the technical controls update, the NCSC is implementing a new pricing structure, which also launches on January 24. This structure adopts the internationally recognised definition for micro, small, medium and large enterprises. Currently, all assessments are charged at £300. However, while the price will remain £300 plus VAT for micro organisations (up to nine employees), small (10 to 49 employees), medium (50 to 249 employees), and large organisations (more than 250 employees) will be required to pay more – £400, £450, and £500 (all plus VAT), respectively.

Commenting on the pricing restructure, NCSC’s head of commercial assurance services Anne W, said: “This price change reflects the increasing levels of rigour that go into every assessment. While Cyber Essentials is designed to help any organisation attain a minimum level of cybersecurity, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size.”