IASME is bringing in a new question set and marking scheme for 2022. These changes will affect both Cyber Essentials and Cyber Essentials PLUS. If you begin an assessment on or after 24th January 2022, it will be marked against the Evendine scheme. Existing Beacon assessments will not be affected, and you will still be allowed to complete Cyber Essentials under the 2021 Beacon scheme if the assessment was started before 24th January 2022. As always, IASME allows 6 months from the commencement of an assessment to submit your answers, whether marked under Beacon or Evendine.
The advice in this blog post is based on the guidance IASME has released so far and will be updated if and when any new information is provided.
Beacon (2021) vs Evendine (2022): control-by-control comparison

Scope Definition
Beacon (2021): A device is in scope if it has access to both the Internet and company data.
Evendine (2022): A device is in scope if it meets at least one of the following conditions:
- It can accept incoming network connections from untrusted Internet-connected hosts
- It can establish user-initiated outbound connections to devices via the Internet
- It controls the flow of data between any of the above devices and the Internet
All applications must now include the number of end-user devices in the scope. Scopes such as Azure-only or DMZ-only are no longer acceptable and will not achieve compliance.

De-scoping Devices
Beacon (2021): It was permissible to de-scope devices by using firewall rules to block Internet traffic to and from one or more devices.
Evendine (2022): Individual firewall rules are no longer an acceptable method of de-scoping devices. Sub-sets (a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN) are used to determine scope. If one device in a sub-set is in scope, all devices in that sub-set are also in scope. Devices which an applicant would like to de-scope must be placed in a separate sub-set, i.e. in a segregated VLAN or behind a dedicated firewall.

Thin Clients
Beacon (2021): Not required to be in scope.
Evendine (2022): One-year grace period. From January 2022 to January 2023 thin clients are in scope, but the questions are informational only, so an insecurely configured thin client will not cause an application to fail. From January 2023 onwards thin clients are in scope and must be supported and receiving security updates.

Cloud Services
Beacon (2021): Left to the applicant to decide whether in scope.
Evendine (2022): Always included in the scope: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

Unsupported Software
Beacon (2021): Unsupported software causes a major non-compliance, which increases the likelihood of an overall fail if other areas of the scope are also non-compliant.
Evendine (2022): One-year grace period. From January 2022 to January 2023, unsupported software attracts two major non-compliances, which means the rest of the scope must be fully compliant to avoid a fail. From January 2023, unsupported software found on an in-scope device causes an automatic fail.

Home Workers
Beacon (2021): Networks controlled by home workers (e.g. home broadband and the associated routers) were in scope. This involved configuration checks such as ensuring that every home worker had changed the default password on their home router.
Evendine (2022): Home workers' personal home networks are now explicitly excluded from the scope, because of potential legal concerns under GDPR: details of ISP-provided home routers can be considered Personally Identifiable Information (PII). Corporate-provided routers remain in scope. Home workers' devices (workstations and mobile devices) are still in scope. Home workers will rely on either the software firewall on their corporate device(s) or a corporate VPN.

Device Locking
Beacon (2021): N/A.
Evendine (2022): This is a new section: device locking is now included within the Secure Configuration control. Acceptable locks for a device are PINs, biometrics and passwords. If the credential is used solely to unlock the device, the minimum length is 6 digits for a PIN or 6 characters for a password. When the same credential is used elsewhere (e.g. a Windows SSO password), the full password requirements apply (see "Password Requirements" below).

Password Requirements
Beacon (2021): Passwords must be at least 8 characters long and difficult to guess.
Evendine (2022): Accounts must be protected against brute-forcing with one or more of the following:
- Multi-factor authentication (MFA)
- Account lockout
- Login throttling
The minimum password length is 8 characters if one or both of the following apply:
- MFA is used
- Common passwords are disallowed
If neither of these is in place, the minimum password length is 12 characters.

Bring-Your-Own-Device (BYOD) Mobile Devices
A BYOD device is not in scope if it is used solely for native voice (telephone) applications, native text (SMS) applications, MFA applications, or a combination of these. Use of non-native telephone or messaging apps, such as WhatsApp, for business purposes brings the BYOD device back into scope.

Security Update Management
All in-scope software must:
- be removed from devices when it becomes unsupported, or the device must be removed from scope by placing it in a defined sub-set that prevents all traffic to and from the Internet
- have automatic updates enabled where possible
- have critical updates applied within 14 days
Firmware is also expected to be kept up to date.

Backups
Beacon (2021): N/A.
Evendine (2022): This is a new section intended to encourage good practice or highlight areas where backup procedures could be added or improved. The questions are informational only, and your answers will not cause you to fail the assessment, although this may change in future question sets.
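The Scope Definition and De-scoping rows above are the change most likely to surprise an applicant migrating from Beacon, because a device that was previously de-scoped with a host firewall rule is pulled back in by whatever shares its VLAN. The following Python script is an added illustration, not part of the IASME guidance or this article; it applies the three Evendine conditions to a constructed device inventory, propagates scope across sub-sets, and contrasts the result with a simplified Beacon rule (every sample device is assumed to hold company data, so only Internet access and the per-device firewall rule matter). Device names, sub-set names and the `blocked_by_host_rule` attribute are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Device:
    name: str
    subset: str                         # VLAN or firewall segment the device sits in
    accepts_inbound: bool = False       # accepts connections from untrusted Internet hosts
    user_outbound: bool = False         # users can initiate outbound Internet connections from it
    controls_flow: bool = False         # firewall/router between the above devices and the Internet
    blocked_by_host_rule: bool = False  # a per-device firewall rule blocks all Internet traffic


def directly_in_scope(device: Device) -> bool:
    """Evendine: any one of the three conditions brings a device into scope."""
    return device.accepts_inbound or device.user_outbound or device.controls_flow


def evendine_scope(devices: Iterable[Device]) -> Set[str]:
    """Evendine scope.

    A directly in-scope device pulls every other device in its sub-set (VLAN or
    firewall segment) into scope. The per-device firewall rule is deliberately
    ignored: under Evendine it is no longer a valid way to de-scope a device.
    """
    devices = list(devices)
    tainted_subsets = {d.subset for d in devices if directly_in_scope(d)}
    return {d.name for d in devices if d.subset in tainted_subsets}


def beacon_scope(devices: Iterable[Device]) -> Set[str]:
    """Beacon scope, simplified for comparison (assumption of this example).

    Beacon put a device in scope if it had access to both the Internet and
    company data. Every sample device is assumed to hold company data, so only
    Internet access matters, and a host firewall rule blocking all Internet
    traffic was an accepted way to de-scope an individual device.
    """
    return {d.name for d in devices
            if directly_in_scope(d) and not d.blocked_by_host_rule}


def newly_in_scope(devices: Iterable[Device]) -> Set[str]:
    """Devices that Evendine brings in but Beacon left out: the migration delta."""
    devices = list(devices)
    return evendine_scope(devices) - beacon_scope(devices)


# Constructed sample inventory (not taken from the article).
SAMPLE_INVENTORY = [
    Device("fw-edge", "edge", controls_flow=True),
    Device("web01", "dmz", accepts_inbound=True),
    # db01 has no Internet exposure of its own and a host rule blocking Internet
    # traffic, but it shares the "dmz" sub-set with web01.
    Device("db01", "dmz", blocked_by_host_rule=True),
    Device("laptop-01", "users", user_outbound=True),
    Device("printer-01", "users"),
    # Isolated OT segment: no Internet connectivity in either direction.
    Device("scada-hmi", "ot-isolated"),
]

if __name__ == "__main__":
    print("Beacon scope:     ", sorted(beacon_scope(SAMPLE_INVENTORY)))
    print("Evendine scope:   ", sorted(evendine_scope(SAMPLE_INVENTORY)))
    print("Added by Evendine:", sorted(newly_in_scope(SAMPLE_INVENTORY)))
```

Running it shows `db01` and `printer-01` entering scope purely through sub-set membership, while `scada-hmi` stays out only because its segment has no device meeting any of the three conditions. To keep a device out under Evendine, move it to its own sub-set rather than adding a host firewall rule.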
Main Changes to Expect – Cyber Essentials PLUS
Your CE+ assessor will now need to conduct two additional tests. These are:
- Confirming the separation between user and admin accounts
- Confirming that MFA is applied to cloud services:
  - Until January 2023, this test will be applied only to admin accounts on cloud services
  - After January 2023, this will be applied to all accounts (user and admin) on cloud services
  - IASME strongly recommends that the one-year grace period be used to roll out MFA to all user accounts
Please be aware that the pass criteria for the Patch Audit are also changing. From 24th January 2022, any missing patch for a vulnerability with a CVSSv3 score of 7.0 or above (High or Critical) will cause an automatic failure. Previously, mitigating circumstances for missing patches were considered; these will no longer be accepted under the new CE+ process.
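Because mitigating circumstances no longer count, it is worth triaging your own vulnerability-scan output before the assessor does. The script below is an added example, not IASME's CE+ test method or code from this article: it applies the CVSSv3 7.0 threshold stated above, and, as an assumption of this example, combines it with the 14-day window from the Security Update Management requirement so that a High/Critical finding whose fix has been available for more than 14 days is reported as a fail while a newer one is only a warning. Findings with no CVSSv3 score or no vendor fix are routed to manual review rather than silently passed. The `Finding` fields, host names and sample findings are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

# From the article: a missing patch for a CVSSv3 >= 7.0 vulnerability fails the CE+ patch audit.
CVSS_FAIL_THRESHOLD = 7.0
# From the Security Update Management requirement: critical updates applied within 14 days.
# Applying that window to the CE+ audit is this example's assumption, not a statement from the article.
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss3: Optional[float]          # None if the scanner reported no CVSSv3 score
    patch_released: Optional[date]  # None if no vendor fix exists yet


def classify(finding: Finding, audit_date: date) -> str:
    """Map one scanner finding to an audit outcome.

    fail   : CVSSv3 >= 7.0 and the fix has been available for more than 14 days
    warn   : CVSSv3 >= 7.0 but still inside the 14-day window (will fail if left)
    review : no CVSSv3 score, or no fix available; needs assessor judgement
    info   : below the threshold, no effect on the pass/fail decision
    """
    if finding.cvss3 is None:
        return "review"
    if finding.cvss3 < CVSS_FAIL_THRESHOLD:
        return "info"
    if finding.patch_released is None:
        return "review"
    if audit_date - finding.patch_released > PATCH_WINDOW:
        return "fail"
    return "warn"


def patch_audit(findings: Iterable[Finding], audit_date: date) -> Dict[str, List[str]]:
    """Bucket every finding; the order of buckets is the order a reader should act on them."""
    report: Dict[str, List[str]] = {"fail": [], "warn": [], "review": [], "info": []}
    for f in findings:
        report[classify(f, audit_date)].append(f"{f.host}: {f.title}")
    return report


def audit_passes(report: Dict[str, List[str]]) -> bool:
    """Mitigating circumstances are no longer considered, so a single 'fail' is enough."""
    return not report["fail"]


# Constructed sample findings (not real scanner output).
AUDIT_DATE = date(2022, 3, 1)
SAMPLE_FINDINGS = [
    Finding("ws01", "Browser remote code execution", 9.8, date(2022, 1, 20)),       # fix 40 days old -> fail
    Finding("ws01", "Office memory corruption", 7.5, date(2022, 2, 22)),            # fix 7 days old -> warn
    Finding("srv01", "Weak TLS cipher suites enabled", 5.3, date(2021, 6, 1)),      # below threshold -> info
    Finding("srv02", "Kernel privilege escalation", 7.8, None),                     # no fix yet -> review
    Finding("srv02", "Legacy agent flaw (CVSSv2 only)", None, date(2021, 12, 1)),   # no v3 score -> review
]

if __name__ == "__main__":
    rep = patch_audit(SAMPLE_FINDINGS, AUDIT_DATE)
    for bucket, items in rep.items():
        for item in items:
            print(f"[{bucket.upper():6}] {item}")
    print("CE+ patch audit:", "PASS" if audit_passes(rep) else "FAIL")
```

Two practical points the sample exercises: a scanner that only emits CVSSv2 scores gives you nothing the assessor can apply the 7.0 threshold to, so normalise to v3 before the audit, and a High-severity finding with no vendor fix is not automatically safe, because it may indicate software that is no longer supported (itself a non-compliance under Evendine).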
Cyber Essentials Basic Changes
- Stricter guidelines for:
  - Scope definition and how to de-scope devices
  - Cloud services and thin clients, which are now required to be in scope
  - Which network equipment used by home workers is excluded from the scope
  - Password requirements
  - Bring-Your-Own-Device mobile devices
- IASME allowing a grace period before cracking down on:
  - Multi-factor authentication for all user accounts on cloud services (12-month grace period to allow configuration)
  - Unsupported software, which increases the likelihood of an overall fail for 12 months after the initial question set release and causes an automatic fail after that
  - Thin clients, which must be supported and receiving security updates from 12 months after the release of the question set
- New sections:
  - Backups (informational questions only; will not cause a fail)
  - Device locking
Cyber Essentials PLUS
- Two new tests:
  - Confirming the separation between user and admin accounts
  - Confirming that MFA is applied to cloud services
- Patch Audit applying stricter criteria for what constitutes a fail