As expected, there have been some significant changes and updates to the process of achieving a Cyber Essentials certification this year, which will affect both the cost of becoming accredited and the time needed to meet the requirements.
Firstly, a new tiered pricing structure has been put in place which will see certification prices increase from the flat fee of £300 for all businesses to between £400 and £600, depending on employee numbers. Furthermore, additional requirements around home workers, multi-factor authentication and PIN code policies will all require additional time and work to ensure that businesses are compliant.
The new pricing structure, which came into force on January 24th 2022, works as follows:
- Micro organisations (0-9 employees) – £400
- Small organisations (10-49 employees) – £500
- Medium organisations (50-249 employees) – £550
- Large organisations (250+ employees) – £600
We strongly advise you to budget for these changes, which, as well as increasing your accreditation fee, could require between 1 and 3 days of labour to bring you up to the standard set by the additional requirements.
The key changes that will affect the time required to achieve the Cyber Essentials accreditation are as follows:
“Home workers” now includes anyone, for any period of working from home (no longer only contracted home workers)
The implication here is that devices being used for home working need to be as secure and compliant as a device in the office, even if the home working is ad-hoc. Obviously a lot of concessions were made around security when everyone rushed to work from home in 2020, but these concessions have now been removed. It’s also worth noting that personal/home routers and firewalls are out of scope, so the work devices themselves must have all required software and tools set up, and Directors of a business may have their IP addresses requested for CE+ audits.
Laptops, Desktops, Virtual Devices: All hardware needs to be checked, and thin clients, hosts etc. must all be receiving updates and be in support by their vendors
Computer hardware being used within a business now needs to be verified as still supported by the manufacturer. We will require hardware makes, models and serial numbers, and all of them must be updated in terms of firmware, on top of operating system updates.
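One way to gather this evidence from each Windows endpoint, as an added example rather than code from the original post: the script below collects the make, model, serial number, firmware version and OS patch state that an assessor asks for, and flags devices whose firmware is older than a configurable threshold as ones to check against the vendor's support list. It assumes Windows PowerShell 5.1 or later and local administrator rights for Get-HotFix; the function name, CSV path and 3-year threshold are assumptions.

```powershell
# Added example (not from the original post): collect the hardware and firmware
# details a Cyber Essentials assessor asks for from a Windows endpoint.
# Assumes Windows PowerShell 5.1+ and local admin rights (for Get-HotFix).

function Get-CEHardwareInventory {
    [CmdletBinding()]
    param(
        # Firmware older than this many years is flagged for a vendor support check
        [int]$FirmwareAgeThresholdYears = 3
    )

    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    # Most recent Windows update actually installed on this device, if any
    $lastUpdate = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn

    # Age of the firmware in years; null when the BIOS reports no release date
    $firmwareAge = if ($bios.ReleaseDate) {
        ((Get-Date) - $bios.ReleaseDate).Days / 365.25
    } else { $null }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        Manufacturer       = $cs.Manufacturer
        Model              = $cs.Model
        SerialNumber       = $bios.SerialNumber
        BIOSVersion        = $bios.SMBIOSBIOSVersion
        BIOSReleaseDate    = $bios.ReleaseDate
        OSCaption          = $os.Caption
        OSBuild            = $os.BuildNumber
        LastOSUpdate       = $lastUpdate
        # A flag to confirm support status with the vendor, not proof of end-of-life
        CheckVendorSupport = ($null -eq $firmwareAge) -or
                             ($firmwareAge -gt $FirmwareAgeThresholdYears)
    }
}

# Usage: write the evidence row for this device to a CSV the assessor can review
Get-CEHardwareInventory | Export-Csv -Path ".\ce-hardware-inventory.csv" -NoTypeInformation
```

Run it on each in-scope device (or via your RMM tool) and merge the CSVs to produce the inventory the assessor requires.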
RDP – Data
Any device connecting into RDP sessions within the business will be considered “in-scope”, so any non-business devices will need to have the required security tools in place (firewall, VPN, antivirus etc.).
BYOD must have a firewall policy (can be written)
All Bring Your Own Device networks must now have firewall policies to show as evidence. These can be a written policy, but they need to exist within the business.
Requirement for Multi-Factor Authentication on firewalls
Firewall access must now be locked down further, with a requirement for multi-factor authentication. The requirement can also be satisfied by other means, such as only allowing access from specific IP addresses (conditional access).
External services on custom web services required to meet security checks
Where a customer may have developed bespoke web services, these are now in-scope to be checked and verified as meeting specific security requirements.
How do users unlock devices? Password length, PIN code length (now 6 digits)
Device security requirements have increased in terms of password and PIN code policies. Mobile phones must now use a PIN of at least 6 digits. Administrative users must all use a method of multi-factor authentication.
MFA on all cloud services for admin accounts
All administrative accounts require MFA, especially on cloud-based services.
In future changes, all accounts will likely need MFA as a standard feature, so this is worth considering as we work with customers over the next 12 months to help them meet security milestones.
If you need any assistance or more information about these changes then please contact us.