Technical controls update includes revisions surrounding the use of cloud services, multi-factor authentication, and password management. New pricing structure better reflects organisational size and complexity.

The UK’s National Cyber Security Centre (NCSC) is updating its requirements for the Cyber Essentials scheme, a government-backed certification that helps UK organisations defend against common cyberthreats. The update is in response to the evolving cybersecurity challenges that organisations now face and represents the most significant overhaul of the scheme’s technical controls since it was launched in 2014. The NCSC is also introducing a new Cyber Essentials pricing structure which better reflects organisational size and complexity.

Technical controls update reflects modern cybersecurity landscape

NCSC said the technical controls refresh reflects the impact of digital transformation, adoption of cloud services, and move to home/hybrid working on current working and cybersecurity norms. The update includes revisions surrounding the use of cloud services, multi-factor authentication (MFA), and password management. Changes have been implemented with input from NCSC technical experts and are based on feedback from assessors and applicants, along with consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements will officially release on January 24, 2022. All Cyber Essentials applications starting on or after this date will use the updated version, although the NCSC stated there will be a grace period of up to 12 months for some of the requirements. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected.
Speaking to CSO, Cyber Essentials certification provider Richard Andreae says the new revisions are much needed and will help businesses better secure organisational data. “The biggest changes to the requirements are the inclusion of cloud services; this is well overdue as most businesses today use these services and now, they are required to make sure that these services are as secure as those of their in-house systems,” he says.

A lot of the questions have been tweaked to remove ambiguity, and with this the marking will become tougher, Andreae adds. “Any organisation applying for certification after January 24 will be expected to have a better understanding of the security they have available in their cloud services, in particular the use of MFA. This could impact businesses in a big way, as having to implement MFA for all cloud services could be time consuming and disruptive. Another potentially costly and disruptive change is the inclusion of thin clients to the scope. If an organisation is using thin clients on unsupported operating systems, then these will need to be updated.”

New pricing structure adopts internationally recognised definition for enterprise size

Along with the technical controls update, the NCSC is implementing a new pricing structure, which also launches on January 24. This structure adopts the internationally recognised definition for micro, small, medium and large enterprises. Currently, all assessments are charged at £300. However, while the price will remain £300 plus VAT for micro organisations (up to nine employees), small (10 to 49 employees), medium (50 to 249 employees), and large organisations (more than 250 employees) will be required to pay more – £400, £450, and £500 (all plus VAT), respectively.

Commenting on the pricing restructure, NCSC’s head of commercial assurance services Anne W, said: “This price change reflects the increasing levels of rigour that go into every assessment.
While Cyber Essentials is designed to help any organisation attain a minimum level of cybersecurity, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size.”