Keep up to date with the experts

Get insights direct to your email inbox

Subscription Form exit intent popup

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager

Simon Darley

Trusted by industry leaders

Request a Quote.

First we need a few details.

Contact Form Primary popup

By continuing, you agree to our Terms & Privacy Policy

Cyber Essentials 2023 update

In a nutshell:
Upcoming cyber essentials changes come into play on 24th April 2023. Want to know more? Keep reading.
These changes come as part of a regular review of the scheme’s technical controls.

This month, the NCSC and its Cyber Essentials delivery partner IASME will update the technical requirements for the 2023 Cyber Essentials scheme. These changes come as part of a regular review of the scheme’s technical controls, ensuring that it continues to help UK organisations guard against the most common cyber threats.

Changes come into play on 24th April 2023, and as stated on their website, these modifications will cover a variety of key areas:

User devices. With the exception of network devices (such as firewalls and routers), all user devices declared within the scope of the certification only require the make and operating system to be listed. We have removed the requirement for the applicant to list the model of the device. This change will be reflected in the self-assessment question set, rather than the requirements document.

Clarification on firmware. All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware.

Third party devices. More information and a new table that clarify how third-party devices, such as contractor or student devices, should be treated in your application.

Device unlocking. We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it’s now acceptable for applicants to use those default settings.

Malware protection. Anti-malware software will no longer need to be signature based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option.

New guidance on zero trust architecture for achieving CE and a note on the importance of asset management.

Style and language. Several language and format changes have been made to make the document easier to read.

Structure updated. The technical controls have been reordered to align with the updated self-assessment question set.

CE+ testing. The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors.

The updated version of cyber essentials will take effect from 24 April 2023, which means all applications started on or after this date will use the new requirements and question set.

As such, for those that need to recertify within the next 6 months and would like to recertify to the current requirements using the current question set, you need to apply for an assessment account before 24th April 2023.  You will then have 6 months from that date to pass the assessment.  Any assessment account created before 24th April 2023 will not change to the new version of requirements or question set.

For those that would like further information about the question sets before April 24th and how they differ, you can download both current and revised requirements and the associated assessment questions here.

Further guidance:

For those that are interested in understanding more about these upcoming changes, Cyber Essentials will be holding a Teams webinar at 10:30am on Friday 28th April 2023 where their Cyber Essentials Manager will go through the changes to the requirements.

You can sign up here.

If you would like further information about the Cyber Essentials certifications and how it can help improve the security of your organisation, please get in touch today.

Our latest insights

  • Cyber security threats

    Top 5 Most Dangerous Cyber Security Threats, SANS Reveals

    May 22, 2023
    Read full article
  • digital UK security

    Key findings: UK Cyber Security breaches Survey 2023

    May 9, 2023
    Read full article
  • What is Microsoft Security Copilot?

    April 21, 2023
    Read full article
  • The Dangers of Chatbots

    April 19, 2023
    Read full article
  • cyber essentials

    Cyber Essentials 2023 update

    April 21, 2023
    Read full article
  • Microsoft announces Co-pilot: The productivity game changer

    March 28, 2023
    Read full article
  • ibm x-force threat intelligence index Breakdown

    March 3, 2023
    Read full article
  • Microsoft Partner Pledge

    March 2, 2023
    Read full article
  • Microsoft price increase image of keyboard

    Microsoft April 2023 Price Increase

    February 15, 2023
    Read full article
  • Chat GPT

    Chat GPT - What's the hype?

    February 3, 2023
    Read full article
  • 12 Tips for a Cyber Safe Christmas

    February 28, 2023
    Read full article
  • The importance of back up and DR

    January 22, 2023
    Read full article