Cyber Essentials: Understanding the Scope and Meeting the Requirements
Cyber Essentials is a cyber security scheme which provides organisations with a framework of fundamental technical security controls which will protect against common cyber attacks. The Scheme, which is backed by the UK Government and owned by the National Cyber Security Centre (NCSC), focuses on the implementation of 5 key technical control themes: firewalls, patch management, access control, malware prevention, and secure configuration. When implemented effectively, these controls safeguard against 80% of the most common cyber attacks. The Scheme offers two levels of certification – Cyber Essentials (CE), and Cyber Essentials Plus (CE+).
In this blog, we will answer key questions about the scope of Cyber Essentials, the Scheme’s requirements and what you need to do to meet them. This blog does not represent an exhaustive breakdown of every Cyber Essentials requirement, but instead focuses on those that may not be entirely clear to organisations which are looking to certify.
What devices are in scope of Cyber Essentials?
Devices that your organisation owns will, generally, always be in scope for your CE certification. Most ‘bring your own device’ (BYOD) is also in scope; however, there are some exceptions to this. BYOD used by managed service provider (MSP) administrators, customers, third-party contractors and students is out of scope.
Does your entire organisation need to be included in your Cyber Essentials scope?
The best approach you can take to scoping is to certify your entire organisation against CE. For certain organisations, however, this may not be possible, as there may be areas of your organisation that cannot feasibly become CE compliant (often, this will be a research area or development network), and in these cases you are able to descope parts of your organisation. There are 2 main types of certificate descriptions your organisation can receive: ‘Whole Organisation’ and ‘Whole Organisation excluding…’ if you are descoping areas of your organisation, which will then be followed by the area you have descoped (e.g. ‘Whole Organisation excluding development network’). You will have the opportunity to define this in your answer to question A2.1, and, as CE is primarily focused on networks and the services and devices on them, this should form the basis for your descoping.
Can multinational organisations receive a ‘Whole Organisation’ Cyber Essentials certificate without certifying locations in other countries?
Yes – if your organisation is a multinational but is registered in the UK, it is considered a UK legal entity and can receive a ‘Whole Organisation’ certificate. You will need to add ‘everything included in the UK’ to your certificate description, but this does not negate the fact that your entire organisation is certified. However, there are some scenarios where you will need to go for a ‘Whole Organisation excluding…’ certificate, such as if you are using networks outside of the UK.
Can BYOD mobile phones be excluded from your Cyber Essentials scope?
Mobile phones are in scope for Cyber Essentials if they are being used to access company data or networks, which includes emails and instant messaging. It also includes mobile phones that rely on Wi-Fi which has not been segregated from the rest of the network as a ‘guest’ type. However, if the Wi-Fi the phones use has been segregated, and/or if the phones are only being used for phone calls, SMS or as an authenticating device for multi-factor authentication (MFA), they will not be in scope.
What are the Cyber Essentials requirements around patch management?
To certify to CE or CE+ you will need to ensure all software on your devices is licensed and supported, removed from the devices when no longer supported, and patched within 14 days of the vendor releasing an update when they have categorised the vulnerability as ‘critical’ or ‘high risk’.
What are the Cyber Essentials requirements around end-of-life software?
As mentioned above, you are required to only use licensed and supported software for CE certification, meaning that the use of any end-of-life (EOL) software will result in an automatic fail. For examples of EOL software which we occasionally still see organisations use, see our blog on Common Cyber Essentials Mistakes and How to Avoid Them.
There are certain, specific situations where you may be able to continue using EOL software. If the vendor has confirmed that they will provide updates for all vulnerabilities which are categorised as ‘critical’ or ‘high risk’, this would be compliant with CE, although you would need to check with your cyber insurance provider whether this is acceptable. However, in almost all cases, EOL software is not compliant with CE.
How do you meet the password requirements for Cyber Essentials?
The Scheme has a number of requirements for how certifying organisations can use passwords. You will need to implement a password policy that informs users how to ensure they aren’t choosing a password that is easy to guess or too common (which could be enforced with technical measures, such as a password deny list), and not to use the same password across different accounts. Users should also understand how to securely record and store passwords, and which passwords must be memorised and not recorded.
Meanwhile, when relying on password-based authentication for internet-facing services, you must only allow passwords which are 8 characters or more, with no maximum password length. If using passwords which are shorter than 12 characters, you must use MFA (which is compulsory for cloud accounts, regardless of password length) and/or automated deny lists. You will also need to implement measures which protect against brute-force attacks (attempting to gain unauthorised access to a system by guessing a username and password). This can be achieved by locking accounts after no more than 10 failed login attempts, and/or by limiting users to no more than 10 guesses within a 5-minute timeframe. Finally, if you believe or know that your environment has been compromised, you must promptly change passwords.
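The password and brute-force requirements above can be checked mechanically against an identity provider's settings. The following is an added example, not code from the original post or from URM; the `PasswordPolicy` fields are a constructed model of the settings an administrator would export, and the throttling check is a conservative reading of the "10 guesses in 5 minutes" rule.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy model (assumption): the settings an administrator would
# pull from a directory or identity-provider configuration.
@dataclass
class PasswordPolicy:
    min_length: int
    max_length: Optional[int]            # None means no maximum, as CE requires
    mfa_enforced: bool                   # MFA required on every account
    deny_list_enabled: bool              # automated deny list of common passwords
    lockout_threshold: Optional[int]     # lock after N failed logins (None = off)
    throttle_guesses: Optional[int]      # at most N guesses per throttle window
    throttle_window_minutes: Optional[int]
    cloud_service: bool = False          # cloud accounts: MFA is mandatory

def check_policy(p: PasswordPolicy) -> List[str]:
    """Return the CE password / brute-force requirements that the policy fails."""
    findings = []
    if p.min_length < 8:
        findings.append("minimum length must be at least 8 characters")
    if p.max_length is not None:
        findings.append("no maximum password length may be imposed")
    if p.cloud_service and not p.mfa_enforced:
        findings.append("MFA is compulsory for cloud accounts")
    if p.min_length < 12 and not (p.mfa_enforced or p.deny_list_enabled):
        findings.append("passwords under 12 characters need MFA and/or a deny list")
    # Brute-force protection: lockout after <=10 failures, or a throttle that
    # allows at most 10 guesses in a window of at least 5 minutes.
    lockout_ok = p.lockout_threshold is not None and p.lockout_threshold <= 10
    throttle_ok = (p.throttle_guesses is not None
                   and p.throttle_window_minutes is not None
                   and p.throttle_guesses <= 10
                   and p.throttle_window_minutes >= 5)
    if not (lockout_ok or throttle_ok):
        findings.append("need lockout after <=10 failures or <=10 guesses per 5 minutes")
    return findings

# Constructed sample policies (not real configurations).
WEAK = PasswordPolicy(min_length=8, max_length=16, mfa_enforced=False,
                      deny_list_enabled=False, lockout_threshold=None,
                      throttle_guesses=None, throttle_window_minutes=None)
COMPLIANT = PasswordPolicy(min_length=8, max_length=None, mfa_enforced=True,
                           deny_list_enabled=True, lockout_threshold=10,
                           throttle_guesses=None, throttle_window_minutes=None,
                           cloud_service=True)

if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("COMPLIANT", COMPLIANT)):
        print(name, check_policy(policy) or ["no findings"])
```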
What does Cyber Essentials Plus certification involve?
While the requirements for CE and CE+ are the same, to achieve CE+ certification your organisation’s compliance with the Scheme will need to be verified by an independent third party. There are 4 stages involved in this process, all of which can be performed remotely.
In the first stage, you will need to undergo an external vulnerability scan. This scan will look for potential vulnerabilities on external-facing devices such as firewalls, routers and servers. Following this, your assessor will conduct an internal authenticated vulnerability scan, in which they will take a sample of your organisation’s devices and connect a vulnerability scanner to the internal network, looking for vulnerabilities in the system. The number of devices your assessor needs to look at, and therefore the amount of time this and the subsequent stages take, will depend on the uniformity of your IT estate. They need to scan a sample of every operating system (OS) your organisation uses, so, if you are running a mix of different OSs, this will necessarily increase the sample size that your assessor needs to look at.
For the third stage, your assessor will send 3 emails to your organisation (again using the sampled devices): one with a link, another with a notepad document and the third with a European Institute for Computer Antivirus Research (EICAR) file. EICAR files contain malicious signatures, but aren’t actually malicious, and are designed to test the effectiveness of devices’ antivirus programs. Finally, your assessor will attempt to download malicious files and macros, and run remote scripts, on the sampled devices, all of which should be blocked by your OS or the anti-malware software you have installed on the devices.
Do you need to be completely clear of vulnerabilities to achieve Cyber Essentials Plus certification?
If the only vulnerabilities present when your organisation is assessed can be resolved with a configuration change, or if there is, at the time of assessment, no patch available to fix them, this is compliant and will not prevent you from achieving CE+ certification. However, if you have patchable vulnerabilities, or vulnerabilities with a Common Vulnerability Scoring System (CVSS) score of 7 or more, this will result in a fail.
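The CE+ pass/fail rule above, together with the 14-day patching window from the patch management section, can be applied to a scan export to see which findings would block certification. This is an added example, not code from the original post or from URM; the `Finding` model and the sample findings are constructed, and the mapping of CVSS 7.0 and above to ‘high’ or ‘critical’ follows the standard CVSS v3 severity bands.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14      # CE: critical/high patches applied within 14 days of release
CVSS_FAIL_THRESHOLD = 7.0   # CE+: CVSS 7 or more fails regardless of patch state

# Constructed finding model (assumption): the fields a scanner export would carry.
@dataclass
class Finding:
    finding_id: str
    cvss: float
    patch_available: bool
    patch_released: Optional[date] = None   # vendor release date, if a patch exists

def ce_plus_verdict(f: Finding) -> str:
    """Patchable findings and findings scoring CVSS >= 7 fail; anything else
    (configuration-only fix, or no patch available yet, below CVSS 7) passes."""
    if f.patch_available or f.cvss >= CVSS_FAIL_THRESHOLD:
        return "fail"
    return "pass"

def patch_deadline(released: date) -> date:
    """Last day on which a critical/high patch may be applied under CE."""
    return released + timedelta(days=PATCH_WINDOW_DAYS)

def days_overdue(f: Finding, today: date) -> int:
    """Days past the 14-day window for a high/critical patchable finding (0 if within)."""
    if not f.patch_available or f.patch_released is None or f.cvss < CVSS_FAIL_THRESHOLD:
        return 0
    return max(0, (today - patch_deadline(f.patch_released)).days)

def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(finding_id, verdict, days_overdue) for every finding in the export."""
    return [(f.finding_id, ce_plus_verdict(f), days_overdue(f, today)) for f in findings]

# Constructed sample export and assessment date (not real scan results).
ASSESSMENT_DAY = date(2024, 6, 30)
SAMPLE = [
    Finding("F-001", 9.8, True, date(2024, 6, 10)),   # critical, patch 20 days old
    Finding("F-002", 5.3, True, date(2024, 6, 28)),   # medium but patchable: still fails CE+
    Finding("F-003", 4.0, False),                     # config-change fix only: tolerated
    Finding("F-004", 7.5, False),                     # high with no patch: fails on CVSS
]

if __name__ == "__main__":
    for row in triage(SAMPLE, ASSESSMENT_DAY):
        print(row)
```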
How can we help?
If your organisation would benefit from help meeting the Cyber Essentials requirements, URM is ideally placed to assist you. As an accredited certification body for Cyber Essentials, we have conducted hundreds of successful Cyber Essentials and Cyber Essentials Plus assessments, and, as such, possess a comprehensive understanding of the requirements and how organisations can meet them. Meanwhile, as an Assured Service Provider under the NCSC’s Cyber Advisor (Cyber Essentials) scheme, we are able to offer both Cyber Essentials compliance and general security advice which is aligned with the NCSC’s rigorous standards.