Cyber Essentials Update 2022 – what you need to know

Written by Nicky Whiting
Director of Consultancy Division
24/01/2022

In what is being described as the most significant update to the scheme since it launched in 2014, the National Cyber Security Centre (NCSC) has announced that the technical controls for Cyber Essentials and Cyber Essentials Plus will be updated as of 24th January 2022.

The change brings the scheme in line with the evolving cyber security challenges that organisations now face, particularly around the adoption of cloud services and hybrid working.

This refresh will impact any organisation looking to gain their Cyber Essentials or Cyber Essentials Plus certification, whether for the first time or as a renewal. Here you’ll find the details on what you need to know for your upcoming Cyber Essentials assessment.


What is changing with Cyber Essentials?

Due to the global pandemic of COVID-19, the way in which businesses operate has drastically changed over a relatively short amount of time. To continue operating, most businesses had to go fully digital and allow a remote or hybrid working model. It is this digital transformation and rapid adoption of cloud services that has prompted the NCSC and IASME to implement changes to the existing Cyber Essentials scheme, to ensure organisations uphold a basic level of cyber resilience that reflects current working environments and cyber security risks.

Some of the key updates to Cyber Essentials will specifically cover changes to cloud services and web applications, bring your own device (BYOD), and security updates including password management and multi-factor authentication (MFA). There is also new guidance on backing up data and new requirements on device locking. Some key things to be aware of:

  • Some questions have been updated with explanations/more details that are needed in your answer.
  • Cloud services are now in scope of your basic and Plus assessments.
  • There are some elements of the scheme that will be advisory for the next 12 months, such as rolling out MFA on all cloud services. Come 2023, if you still haven’t done this, that advisory will turn into a fail on your next renewal. So, you have been warned!
  • The Cyber Essentials Plus test will include a local admin rights check and an MFA test for each workstation tested.
  • More workstations may be needed for testing.

When does the change take place and what do you need to know?

Here are the key dates you need to know about and how they may affect you on your journey to achieving Cyber Essentials certification.

Key Dates
  • 24th January 2022: the updated version of Cyber Essentials and Cyber Essentials Plus comes into force.
  • 24th July 2022: organisations have 6 months from January 24th 2022 to complete ongoing Cyber Essentials assessments and undertake assessments already scheduled before this date against the current standard.
  • January 2023: further changes proposed to Cyber Essentials and Cyber Essentials Plus (yet to be announced).

Organisations who are already certified will remain so until they need to renew. In preparation for recertification, it is recommended organisations familiarise themselves with the new Cyber Essentials requirements commencing January 24th 2022.


Cyber Essentials price change

Soon after announcing changes to the Cyber Essentials question set, the NCSC and IASME also released news that there would be a new tiered pricing structure for the scheme, coming into effect at the same time.

The tiered pricing structure - which adopts the internationally recognised definition of business size - is shown in the table:

Organisation size                            Price
Micro organisations (0-9 employees)          £300 +VAT
Small organisations (10-49 employees)        £400 +VAT
Medium organisations (50-249 employees)      £450 +VAT
Large organisations (250+ employees)         £500 +VAT

What does the Cyber Essentials assessment involve?

There are two levels of certification: Cyber Essentials and Cyber Essentials Plus, with the latter a more advanced assessment of an organisation’s security.

Cyber Essentials

To achieve basic certification, a business must complete a self-assessment form regarding current security policies, software updates and the measures in place covering security best practices. Most businesses choose to work with a Certification Body to help them with the process. At Bulletproof, our certified Cyber Essential Assessors aid businesses with their Cyber Essentials certification by reviewing answers and providing guidance ahead of submitting the assessment to IASME, the Accreditation Body.

Cyber Essentials Plus

To achieve Cyber Essentials Plus, a business must first complete the basic Cyber Essentials certification a maximum of 90 days prior to applying for Cyber Essentials Plus. Vulnerability scans and a workstation assessment, along with remediation of any uncovered security risks, are then required to pass the Cyber Essentials Plus certification. The difference between Cyber Essentials and Cyber Essentials Plus is that the latter requires an assessor to conduct technical audits on the business’s systems to verify that Cyber Essentials controls are in place.


Conclusion

Cyber Essentials remains an important first step in making sure your business is protected against a wide variety of cyber threats. It’s cost-effective, easy to implement and will ensure businesses deter hackers from targeting their infrastructure once the necessary Cyber Essentials technical controls are in place.

The new changes to Cyber Essentials have been imposed to strengthen businesses’ cyber resilience and come at a pivotal time, as the NCSC recognise that evolving working practices mean the threat of a cyberattack looms larger than ever before. The changes to the scheme will mean achieving Cyber Essentials certification becomes more in-depth and businesses can have greater peace of mind that they are adhering to the basic level of cyber security, protecting their infrastructure and their workforce.
