Cyber Security

Cyber Essentials Evendine Question Set

Written by

Phoebe McEwen

Published on

20 Jan 2022


IASME is bringing in a new question set and marking scheme for 2022. These changes will affect both Cyber Essentials and Cyber Essentials PLUS. If you begin an assessment on or after 24th January 2022, it will be marked against the Evendine scheme. Existing Beacon assessments will not be affected, and you will still be allowed to complete Cyber Essentials under the 2021 Beacon scheme if the assessment was started before 24th January 2022. As always, IASME allows 6 months from the commencement of an assessment to submit your answers, whether marked under Beacon or Evendine.

The advice in this blog post is based on the guidance IASME has released so far and will be updated if and when any new information is provided.


Main Changes to Expect – Cyber Essentials (Beacon 2021 vs Evendine 2022)

Scope definition
  • Beacon (2021): A device is in scope if it has access to both the Internet and company data.
  • Evendine (2022): A device is in scope if it meets at least one of the following conditions:
    • It can accept incoming network connections from untrusted Internet-connected hosts
    • It can establish user-initiated outbound connections to devices via the Internet
    • It controls the flow of data between any of the above devices and the Internet
    All applications must now include the number of end-user devices in the scope. Scopes such as Azure-only or DMZ-only are no longer acceptable and will not achieve compliance.

De-scoping devices
  • Beacon (2021): Permissible to de-scope devices by using firewall rules to block Internet traffic to and from one or more devices.
  • Evendine (2022): Individual firewall rules are no longer an acceptable method of de-scoping devices. Sub-sets (a part of the organization whose network is segregated from the rest of the organization by a firewall or VLAN) are used to determine scope. If one device in a sub-set is in scope, all devices in that sub-set are also in scope. Devices which an applicant would like to de-scope must be placed in a separate sub-set, i.e. in a segregated VLAN or behind a dedicated firewall.

Thin clients
  • Beacon (2021): Not required to be in scope.
  • Evendine (2022): 1-year grace period:
    • Jan 2022 – Jan 2023: in scope, but the questions are informational only; an insecurely configured thin client will not cause an application to fail.
    • Jan 2023 onwards: in scope, and must be supported and receiving security updates.

Cloud services
  • Beacon (2021): Left to the applicant to decide whether cloud services are in scope.
  • Evendine (2022): Always in scope: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Unsupported software
  • Beacon (2021): Unsupported software causes a major non-compliance, which increases the likelihood of an overall fail if other areas of the scope are also non-compliant.
  • Evendine (2022): 1-year grace period:
    • Jan 2022 – Jan 2023: unsupported software attracts two major non-compliances, so the rest of the scope must be compliant to avoid a Fail.
    • Jan 2023 onwards: unsupported software found on an in-scope device causes an automatic fail.

Home workers
  • Beacon (2021): Networks controlled by home workers (e.g. home broadband and the associated routers) were in scope. This involved configuration checks such as ensuring all home workers had changed their default home router password.
  • Evendine (2022): Home workers’ personal home networks are now explicitly excluded from the scope, because of potential legal concerns under GDPR: details of ISP-provided home routers can be considered personally identifiable information (PII). Corporate-provided routers remain in scope. Home workers’ devices (i.e. workstations and mobile devices) are still in scope. Home workers will rely on either the software firewall on their corporate device(s) or a corporate VPN.

Device locking
  • Beacon (2021): N/A
  • Evendine (2022): New section: device locking is now included within the secure configuration control. Acceptable locks are PINs, biometrics and passwords. If the lock is used solely to unlock the device, the minimum length is 6 digits for a PIN or 6 characters for a password. When the credential is also used elsewhere (e.g. as a Windows SSO password), the full password requirements apply; see “Password requirements” below.

Password requirements
  • Beacon (2021): Passwords must be 8 characters long and difficult to guess.
  • Evendine (2022): Accounts must be protected against brute-forcing with one or more of the following:
    • Multi-factor authentication
    • Account lockout
    • Login throttling
    The minimum password length is 8 characters if one or both of the following apply:
    • MFA (multi-factor authentication) is used
    • Common passwords are disallowed
    If neither of the above is in place, the minimum password length is 12 characters.

Bring-Your-Own-Device (BYOD) mobile devices
  • Evendine (2022): A BYOD device is not in scope if it is used solely for native voice (i.e. telephone) applications, text (i.e. SMS) applications, MFA applications, or a combination of these. Use of non-native telephone or SMS apps, such as WhatsApp, for business purposes brings the BYOD device back into scope.

Security update management
  • Evendine (2022): All in-scope software must be:
    • licensed
    • supported
    • removed from devices when it becomes unsupported, or the device removed from scope by using a defined sub-set that prevents all traffic to and from the Internet
    • set to update automatically where possible
    • patched with critical updates within 14 days
    Firmware is also expected to be up to date.

Backups
  • Beacon (2021): N/A
  • Evendine (2022): New section intended to encourage good practice or highlight areas where backup procedures could be added or improved. The questions are informational only, and your answers will not cause you to fail the assessment, although this may change in future question sets.


Main Changes to Expect – Cyber Essentials PLUS

Your CE+ assessor will now need to conduct two additional tests. These are:

  • Confirming the separation between user and admin accounts
  • Confirming that MFA is applied to cloud services:
    • Until January 2023, this test will be applied only to admin accounts on cloud services
    • After January 2023, this will be applied to all accounts (user and admin) on cloud services
    • IASME strongly recommend that the grace period of one year be used to roll out MFA to all user accounts

Please be aware that the Pass criteria for the Patch Audit will also be changing. From 24th January 2022, any missing patch with a CVSSv3 score of 7.0 or above will cause an automatic failure. Previously, mitigating circumstances for missing patches were considered; these will no longer be allowed under the new CE+ process.
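The password, device-lock and patch rules above are concrete enough to check before an assessor does. The following is an added example (not IASME's marking tool and not SureCloud's code) of a pre-assessment self-check that applies those Evendine thresholds: the 8- or 12-character minimum depending on MFA or a common-password denylist, the requirement for at least one brute-force protection, the 6-digit device PIN, the CVSSv3 7.0 Patch Audit cut-off and the 14-day update window. The data classes, field names and the sample inputs are assumptions constructed for the example; the post does not define "critical" for the 14-day rule, so missing patches below 7.0 that are older than 14 days are reported as informational findings rather than fails.

```python
"""Evendine pre-assessment self-check (added example; thresholds from the post,
data model and sample data are assumptions)."""
from dataclasses import dataclass


@dataclass
class AccountPolicy:
    min_password_length: int
    mfa_enabled: bool = False
    common_passwords_blocked: bool = False
    account_lockout: bool = False
    login_throttling: bool = False


@dataclass
class DeviceLock:
    kind: str                       # "pin", "password" or "biometric"
    min_length: int = 0             # digits for a PIN, characters for a password
    reused_elsewhere: bool = False  # lock credential is also e.g. the Windows SSO password


@dataclass
class MissingPatch:
    name: str
    cvss_v3: float
    days_available: int             # days since the vendor released the fix


def required_min_length(policy: AccountPolicy) -> int:
    """Evendine: 8 characters if MFA or a common-password denylist is in place, else 12."""
    return 8 if (policy.mfa_enabled or policy.common_passwords_blocked) else 12


def check_account_policy(policy: AccountPolicy) -> list[tuple[str, str]]:
    """Each finding is (severity, message); severity is 'fail' or 'info'."""
    findings = []
    if not (policy.mfa_enabled or policy.account_lockout or policy.login_throttling):
        findings.append(("fail", "accounts: no brute-force protection (need MFA, lockout or throttling)"))
    need = required_min_length(policy)
    if policy.min_password_length < need:
        findings.append(("fail", f"accounts: minimum password length {policy.min_password_length} < required {need}"))
    return findings


def check_device_lock(lock: DeviceLock, policy: AccountPolicy) -> list[tuple[str, str]]:
    if lock.kind == "biometric":
        return []
    if lock.kind not in ("pin", "password"):
        return [("fail", f"device lock: '{lock.kind}' is not an acceptable lock type")]
    # A lock credential that doubles as an account password inherits the full password rule.
    need = required_min_length(policy) if lock.reused_elsewhere else 6
    if lock.min_length < need:
        return [("fail", f"device lock: {lock.kind} length {lock.min_length} < required {need}")]
    return []


def check_patch_audit(patches: list[MissingPatch]) -> list[tuple[str, str]]:
    """CE+ Patch Audit: any missing patch rated CVSSv3 7.0 or above is an automatic fail.
    Lower-rated patches older than the 14-day window are flagged as informational."""
    findings = []
    for p in patches:
        if p.cvss_v3 >= 7.0:
            findings.append(("fail", f"patch audit: {p.name} (CVSSv3 {p.cvss_v3}) missing"))
        elif p.days_available > 14:
            findings.append(("info", f"updates: {p.name} available for {p.days_available} days (> 14)"))
    return findings


def assess(policy: AccountPolicy, lock: DeviceLock, patches: list[MissingPatch]) -> dict:
    findings = check_account_policy(policy) + check_device_lock(lock, policy) + check_patch_audit(patches)
    verdict = "FAIL" if any(sev == "fail" for sev, _ in findings) else "PASS"
    return {"verdict": verdict, "findings": findings}


# Constructed sample inputs (not taken from the post): lockout is on, but no MFA and no
# denylist, so the 12-character minimum applies; the PIN is too short; one high-rated patch.
SAMPLE_POLICY = AccountPolicy(min_password_length=8, account_lockout=True)
SAMPLE_LOCK = DeviceLock(kind="pin", min_length=4)
SAMPLE_PATCHES = [
    MissingPatch("browser-update-2022-01", cvss_v3=8.8, days_available=3),
    MissingPatch("office-update-2021-12", cvss_v3=5.3, days_available=30),
]

if __name__ == "__main__":
    result = assess(SAMPLE_POLICY, SAMPLE_LOCK, SAMPLE_PATCHES)
    print(result["verdict"])
    for severity, message in result["findings"]:
        print(f"  [{severity}] {message}")
```

Run against the constructed sample the check reports FAIL with three failing findings (password length, PIN length, the CVSSv3 8.8 patch) and one informational finding for the 30-day-old lower-rated patch. Enabling MFA on the sample policy drops the required length to 8 and clears the password finding, which is the practical effect of the grace-period advice on MFA rollout.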


Cyber Essentials Basic Changes

  • Stricter guidelines for:
    • Scope definition and how to de-scope devices
    • Cloud services and thin clients are now required to be in scope
    • Which network equipment for home workers can be included in the scope
    • Password Requirements
    • Bring-Your-Own-Device Mobile Devices
  • IASME allowing a grace period before cracking down on:
    • Multi-factor authentication for all user accounts on cloud services (12-month grace period to allow configuration)
    • Unsupported software will increase the likelihood of an overall fail for 12 months after the initial question set release, then cause an automatic fail after that
    • Thin clients – after 12 months from release of the question set, thin clients must be supported and receiving security updates
  • New sections:
    • Backups (informational questions only, will not cause a fail)
    • Device locking

Cyber Essentials PLUS

  • Two new tests:
    • Confirming the separation between user and admin accounts
    • Confirming that MFA is applied to cloud services
  • Patch Audit applying stricter guidelines to what constitutes a Fail