
Changes to Cyber Essentials Accreditations


Phil Denham
Phil Denham's key responsibilities lie in marketing, ensuring that businesses are aware of the products, services and expertise available from The HBP Group.

As expected, there have been some significant changes and updates to the process of achieving a Cyber Essentials certification this year, which will affect both the price to become accredited and the time needed to meet the requirements.

Firstly, a new tiered pricing structure has been put in place which will see certification prices increase from the flat fee of £300 for all businesses to between £400 and £600, depending on employee numbers. Furthermore, additional requirements around home workers, multi-factor authentication and PIN code policies will all require additional time and work to ensure that businesses are compliant.

The new pricing structure, in force from January 24th 2022, works as follows:

  • Micro organisations (0-9 employees) – £400
  • Small organisations (10-49 employees) – £500
  • Medium organisations (50-249 employees) – £550
  • Large organisations (250+ employees) – £600

We strongly advise you to budget for these changes, which, as well as increasing your accreditation fee, could incur between 1-3 days of labour time to bring you up to the standard for the additional requirements.

The key changes that will affect the time required to achieve the Cyber Essentials accreditation are as follows:

“Home workers” now includes anyone, for any period of working from home (no longer only contracted home workers)

The implication here is that devices being used for home working need to be as secure and compliant as a device in the office, even if the home working is ad hoc. Obviously a lot of concessions were made around security when everyone rushed to work from home in 2020, but these concessions have now been removed. It's also worth noting that personal/home routers and firewalls are out of scope, so the work devices themselves must have all required software and tools set up, and Directors of a business may have their IPs requested for CE+ audits.

Laptops, desktops, virtual devices: all hardware needs to be checked, and thin clients, hosts etc. must all be receiving updates and be in support by their vendors

Computer hardware being used within a business now needs to be verified as still supported by the manufacturer. We will require hardware makes, models and serial numbers, and all of them must be up to date in terms of firmware, on top of operating system updates.

RDP – Data

Any device connecting into RDP sessions within the business will be considered "in scope", so any non-business devices will need to have the required security tools in place (firewall, VPN, antivirus, etc.).

BYOD must have a firewall policy (can be written)

All Bring Your Own Device networks must now have firewall policies to show as evidence. These can be a written policy, but they need to exist within the business.

Requirement for Multi Factor Authentication on firewalls

Firewall access must now be locked down further, with a requirement for multi-factor authentication. The requirement can also be satisfied by other means, such as only allowing access from specific IP addresses (conditional access).

External services on custom web services required to meet security checks

Where a customer has developed bespoke web services, these are now in scope to be checked and verified as meeting specific security requirements.

How do users unlock devices? Password length, PIN code length (now 6 digits)

Device security requirements have increased in terms of password and PIN code policies. Mobile phone PINs must now be a minimum of 6 digits. Administrative users must all use a method of multi-factor authentication.

MFA on all cloud services for admin accounts

All administrative accounts require MFA, especially on cloud-based services.
</gre_replace>
<gr_replace lines="75-75" cat="clarify" orig="In future changes,">
In future changes, all accounts will likely need MFA as a standard feature, so this is worth considering as we work with customers over the next 12 months to help them meet security milestones.

In future changes, all account will likely need MFA as a standard feature, so this is worth considering as we work with customers over the next 12 months to help them meet security milestones.

If you need any assistance or more information about these changes then please contact us.