www.fos.net
46.255.73.230  Public Scan

Submitted URL: https://3mj2e.r.a.d.sendibm1.com/mk/cl/f/a-eqVxx_6akeyeJBNQvRI7PFY8qkzqla2YXSv6h_jvd2kp1OZ0LBomYwvPefZFx5GgLEi_aovq1ZTzfRiGjhYhbU...
Effective URL: https://www.fos.net/news_details/Small-Business-Cyber-Essentials-Update-2023
Submission: On April 18 via manual from IN — Scanned from FR

Form analysis 1 forms found in the DOM

#

<form action="#">
  <input type="text" placeholder="Search">
</form>

Text Content


SMALL BUSINESS CYBER ESSENTIALS UPDATE 2023

MARCH 02, 2023

Small businesses approaching Cyber Essentials as a renewal, or for the first
time, should be aware of new requirements relating to the certification.

This year, the changes to the scheme are as follows:




The definition of ‘software’ has been updated to clarify where firmware is in
scope


Software includes operating systems, commercial off-the-shelf applications,
plugins, interpreters, scripts, libraries, network software, and firewall and
router firmware.

Firewall and router firmware is the operating system of those devices. As
firewalls and routers are key security devices, their operating systems and
whether they are kept up to date are extremely important from a security
perspective.


Cyber Essentials will require that all applicants list their laptops, desktops,
servers, computers, tablets, and mobile phones, with details of the make and
operating system. However, when it comes to firewalls and routers, the applicant
will only be asked to list make and model, but not the specific version of the
firmware. By asking for the make and model on these devices, the assessor will
be able to determine if the device is still receiving security updates to the
firmware.





Asset management is important in Cyber Essentials 


In a similar vein to backing up data, asset management isn’t a specific Cyber
Essentials control, but it is a highly recommended core security function. By
including this subject in the Cyber Essentials requirements, the importance of
good asset management is being emphasised.


The requirements clarify that asset management doesn’t mean making lists or
databases that are never used; it means creating, establishing, and maintaining
authoritative and accurate information about your assets that enables efficient
decision-making when you need it. 





Clarification on including third-party devices 


All end-user devices that your organisation owns and that are loaned to a third
party must be included in the assessment scope. A new table gives clarity on
which third-party devices are in scope for Cyber Essentials. It aims to answer
frequent questions about consultants, volunteers, and third parties. When the
third-party device has a green tick, it is in scope and the applicant
organisation needs to demonstrate that they can apply the required controls via
a combination of technical and written policy. For example, if an in-scope
third-party BYOD connects to an organisational Office 365, the organisation can
create a conditional access policy that says if the device doesn’t have a
supported operating system, it won’t connect until the operating system is
updated.





Device unlocking 


This section has been updated to reflect that some configuration can’t be
altered because of vendor restrictions. Sometimes, an applicant might be using a
device where there are no options to change the configuration to meet the Cyber
Essentials requirements. One example of this is locking the device after 10
failed sign-in attempts. Samsung, the largest provider of smartphones in the
world, has set its minimum sign-in attempts at 15, with no option to alter this
number. So, in this instance, Cyber Essentials would require that the applicant
goes with the minimum number of sign-in attempts allowed by the device before
locking.





An updated ‘Malware protection’ section 

You must make sure that a malware protection mechanism is active on all devices
in scope. For each device, you must use at least one of the options listed
below. In most modern products these options are built into the software
supplied. Alternatively, you can purchase products from a third-party provider.
In all cases, the software must be active, kept up to date in accordance with
the vendors' instructions, and configured to work. If you use anti-malware
software to protect your device, it must be configured to:

 * Be updated in line with vendor recommendations
 * Prevent malware from running
 * Prevent the execution of malicious code
 * Prevent connections to malicious websites over the internet

Application allow listing (option for all in scope devices) 




Home Routers 

Home routers are no longer in scope. This means that any firewall controls
will be transferred to the individual’s device. The only exception to this
change is if the home worker’s router is supplied by their organisation, in
which case it must have Cyber Essentials controls applied to it. The impact of
this is to ensure that user devices have a satisfactory level of protection in
place. So, ensuring that solutions such as antivirus are up to date is
imperative.





Further Reading
https://www.ncsc.gov.uk/information/cyber-essentials-technical-controls-grace-period-update





For more about Cyber Essentials changes and implementing new security measures,
please contact your FOS.net account manager.








