Cyber Essentials April 2021 Question Changes – What’s new?

On the 26th of April 2021, IASME released an update to its Cyber Essentials self-assessment questionnaire. We’ve summarised the changes below.

Am I affected?

If you’re already certified for Cyber Essentials, and not currently in the process of recertifying, your existing certification will be unaffected.

If you’re currently in the process of certifying with Cyber Toolkit, we’ll let you know which question set you need to complete. Some of our customers will remain on the old question set because their application with IASME was created prior to the 26th of April; everyone else will be certified against the new question set.

If you’re certifying with another organisation, you’ll need to contact your certifying body to find out if you’re affected.

What are the changes?

  1. There are new definitions for a corporate VPN, organisational data and organisational services:
    • Corporate VPN is a VPN solution that connects back to the applicant’s office location or to a virtual/cloud firewall. This must be administered by the applicant organisation so that the firewall controls can be applied.

    • Organisational data includes any electronic data belonging to the applicant organisation. For example, emails, office documents, database data, financial data.

    • Organisational services include any software applications, Cloud applications, Cloud services, User Interactive desktops and Mobile Device management solutions owned or subscribed to by the applicant organisation. For example, Web applications, Microsoft 365, Google Workspace, MDM Containers, Citrix Desktop, VDI solutions, RDP desktop.

  2. The Bring Your Own Device (BYOD) requirement has been clarified. User-owned devices which access organisational data or services are in scope of Cyber Essentials (native voice and SMS text applications are out of scope, as is use of the device solely for multi-factor authentication).
  3. Clarification has been given on when and where software firewalls are acceptable as the internet boundary. A host-based firewall must be configured where an organisation does not control the network that a device is connected to. Boundary firewalls must be configured on any network that the organisation controls.
  4. “Patch Management” has been re-termed as “Security Update Management”; this is to emphasise that the objective is to apply update packages, rather than individual patches.
  5. Applicants must now ensure that:
    • Software has automatic updates enabled where possible
    • Updates are performed within 14 days of an update being released where:
      • the update fixes a ‘critical’ or ‘high risk’ vulnerability
      • the vendor provides no details of the severity of the vulnerability the update fixes

    It is also strongly recommended that all released updates be applied within 14 days.

  6. User access control has been expanded to include third-party accounts that have access to the certifying organisation’s data and services. For example, an IT support company which connects to your organisation should comply with all of your user access controls – including having named, individual accounts and not using a shared account for that organisation.
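To make the item 5 rule concrete, here is an added example (not from IASME or Cyber Toolkit) that assesses a constructed update inventory against the 14-day requirement, treating an update with no vendor-stated severity as mandatory; the software names, dates and the assessment date are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)            # the 14-day window from item 5
MUST_PATCH_SEVERITIES = {"critical", "high"}


@dataclass
class Update:
    software: str
    released: date            # date the vendor released the update
    severity: Optional[str]   # vendor-stated severity, or None if not published
    applied: Optional[date]   # date it was installed, or None if still pending


def requires_14_day_patch(u: Update) -> bool:
    """Item 5: the 14-day deadline applies to critical/high fixes and to
    any update whose severity the vendor has not stated."""
    return u.severity is None or u.severity.lower() in MUST_PATCH_SEVERITIES


def deadline(u: Update) -> date:
    return u.released + PATCH_WINDOW


def assess(u: Update, today: date) -> str:
    """Classify one update against the rule as of `today`."""
    if not requires_14_day_patch(u):
        return "recommended"        # 14 days is recommended here, not mandatory
    if u.applied is not None:
        return "compliant" if u.applied <= deadline(u) else "late"
    return "overdue" if today > deadline(u) else "pending"


def noncompliant(updates, today: date):
    """Names of updates that breach the mandatory 14-day requirement."""
    return [u.software for u in updates if assess(u, today) in ("late", "overdue")]


# Constructed sample inventory (not real data), assessed as of 31 May 2021.
TODAY = date(2021, 5, 31)
SAMPLE = [
    Update("Office suite", date(2021, 5, 1), "critical", date(2021, 5, 10)),
    Update("Router firmware", date(2021, 5, 1), None, None),   # no severity given
    Update("PDF reader", date(2021, 5, 20), "high", None),
    Update("Media player", date(2021, 4, 20), "low", None),
    Update("Web browser", date(2021, 5, 1), "Critical", date(2021, 5, 20)),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{u.software:16} {assess(u, TODAY):12} deadline {deadline(u)}")
    print("breaches:", noncompliant(SAMPLE, TODAY))
```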

More Information

You can read detailed information on each change and the rationale for the change on IASME’s Cyber Blog. If you have any questions about the new questions, feel free to contact us.