January 24th 2022 Update
Some of the technical control requirements will change in line with recommended security updates. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security.
Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.
Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls are now transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it.
The use of a corporate (single tunnel) Virtual Private Network (VPN) transfers the boundary to the corporate firewall or virtual cloud firewall.
If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements a given control depends on the type of cloud service.
As well as providing extra protection for passwords that are not protected by other technical controls, multi-factor authentication should always be used to provide additional protection to administrator accounts when connecting to cloud services.
The password element of the multi-factor authentication approach must have a password length of at least 8 characters with no maximum length restrictions.
A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet.
Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant.
However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope.
Biometrics or a minimum password or PIN length of 6 characters must be used to unlock a device.
When using passwords, one of the following protections should be used to protect against brute-force password guessing:
Technical controls are used to manage the quality of passwords. This will include one of the following: