Upcoming Changes to the Cyber Essentials Scheme

The Cyber Essentials scheme is an essential part of the UK’s efforts to protect against cyber-attacks. It provides businesses of all sizes with a framework of security controls that they can implement to reduce the risk of a cyber breach. On 23rd January 2023, the National Cyber Security Centre (NCSC) published an updated set of requirements for the Cyber Essentials scheme, version 3.1, which will come into force on 24th April 2023.

The new requirements, known as the ‘Montpellier question set’, will replace the Evendine version that was in place in the previous year. The changes are designed to reflect the evolving threat landscape and ensure that the Cyber Essentials scheme remains relevant and effective in the face of new and emerging threats.

So, what are the key changes that businesses need to be aware of?

One of the most significant changes is the introduction of new requirements around supply chain security. This reflects the fact that many cyber-attacks are now initiated through third-party suppliers, rather than through a direct attack on the target business. The new requirements will mean that businesses need to ensure that their supply chain partners are also adhering to Cyber Essentials principles.

Another notable change is the requirement for businesses to demonstrate that they have an incident response plan in place. This means that they need to have a clear and documented process for responding to a cyber-attack, including who is responsible for what, and how they will communicate with key stakeholders.

The new requirements also include more stringent controls around password management, as well as additional guidance on patching and software updates.

Overall, the changes to the Cyber Essentials scheme are designed to ensure that businesses are better protected against the evolving threat landscape. By implementing the new requirements, businesses can reduce their risk of a cyber-attack and demonstrate to customers and stakeholders that they take cyber security seriously. With the Montpellier question set coming into force on 24th April 2023, businesses should start preparing now to ensure that they are ready to meet the new requirements.

In addition to the changes mentioned above, there are several other updates that businesses should be aware of. These include:

  • Increased emphasis on risk management: The new requirements place a greater emphasis on risk management, and businesses will need to demonstrate that they have a risk management strategy in place. This will involve identifying the risks that they face, assessing the likelihood and potential impact of those risks, and implementing controls to mitigate them.
  • More detailed guidance on mobile device security: With the increasing use of mobile devices in the workplace, the new requirements include more detailed guidance on how to secure mobile devices. This includes requirements around encryption, remote wipe capabilities, and access controls.
  • Greater focus on physical security: While cyber-attacks are often associated with online threats, physical security is also an important consideration. The new requirements include more detailed guidance on physical security, such as ensuring that servers and other equipment are stored in secure locations and that access to sensitive areas is restricted.

It’s worth noting that while the changes to the Cyber Essentials scheme are designed to improve security, they are not a guarantee against cyber-attacks. Businesses should view the scheme as a baseline set of controls that they can implement to reduce their risk, but they should also consider additional measures to further strengthen their security.

The changes to the Cyber Essentials scheme represent a crucial step in ensuring that businesses are better protected against cyber-attacks. By implementing the new requirements, businesses can demonstrate that they take cyber security seriously and are taking steps to reduce their risk. With the new requirements coming into force on 24th April 2023, businesses should start preparing now to ensure that they are ready to meet the new standards.