Cyber Essentials January 2022 Evendine Changes – What’s new?

Cyber Essentials Evendine will replace Beacon

On January 24th 2022, some of the technical control requirements will change in line with recommended security updates. The new version is named Evendine and replaces the previous version, Beacon.

Am I affected?

If you’re already certified for Cyber Essentials, and not currently in the process of recertifying, your existing certification will be unaffected.

If you’re currently in the process of certifying with Evolve North or Cyber Toolkit, we’ll let you know which question set you need to complete. Some of our customers will remain on the old question set, as their application with IASME may have been created prior to the 24th of January; everyone else will be certified against the new question set, provided they complete within a grace period (to be announced).

If you’re certifying with another organisation, you’ll need to contact your certifying body to find out if you’re affected.

What are the key changes?

  1. All cloud services are now in scope. This means if an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. This includes IaaS, SaaS and PaaS.
  2. Multi-factor authentication must be used for access to cloud services. This no longer applies only to administrator accounts, but now extends to all users.
  3. Password controls have changed:
    1. A minimum password or PIN length of 6 characters, or biometrics, must be used to unlock a device.
    2. When using passwords, one of the following protections should be in place:
      • Multi-factor authentication
      • Throttling unsuccessful or guessed attempts
      • Account lockout after no more than 10 unsuccessful attempts
    3. Technical controls used to manage the quality of passwords must include one of the following:
      • Multi-factor authentication used in conjunction with a password of at least 8 characters
      • A minimum password length of at least 12 characters
      • Use of automatic blocking of common passwords using a deny list with a password of at least 8 characters
  4. Any smart phone or tablet connecting to organisational data or services is in scope.
  5. Home working devices are in scope, but most home routers are not. Anyone working from home for any amount of time is classified as a ‘home worker’. If the home worker uses an ISP-supplied device (e.g. a BT Smart Hub), then that device is out of scope and the boundary is the user device firewall. If an organisation provides a router or hardware firewall to its users for home use, then Cyber Essentials controls must still be applied to it.
  6. Account separation has been expanded. The use of separate accounts to perform administrative activities only is now enforced.
  7. Thin clients are in scope.
  8. All servers, including virtual servers are in scope.
  9. The scope of an organisation’s application must include end-user devices.
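As an added illustration (not IASME’s or this post’s own code), the password rules under change 3 expressed as a small check: the thresholds are the ones listed above, while the deny list and account records are constructed sample data.

```python
"""Password controls modelled on the Evendine requirements in change 3 above.

Thresholds (6/8/12 characters, 10 failed attempts) come from the post;
the deny list entries and account data below are constructed samples.
"""
from dataclasses import dataclass

# Constructed sample deny list of common passwords (a real one would be far larger)
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1", "welcome1"}

MAX_FAILED_ATTEMPTS = 10   # lockout after no more than 10 unsuccessful attempts
MIN_UNLOCK_LENGTH = 6      # device unlock: 6-character password/PIN, or biometrics


def device_unlock_acceptable(secret: str, biometrics: bool) -> bool:
    """Change 3.1: biometrics, or a password/PIN of at least 6 characters."""
    return biometrics or len(secret) >= MIN_UNLOCK_LENGTH


def password_meets_quality(password: str, mfa_enabled: bool, denylist_enforced: bool) -> bool:
    """Change 3.3: at least one of the three quality options must hold."""
    n = len(password)
    if mfa_enabled and n >= 8:          # MFA with an 8+ character password
        return True
    if n >= 12:                          # 12+ characters on its own
        return True
    if denylist_enforced and n >= 8 and password.lower() not in COMMON_PASSWORDS:
        return True                      # deny list plus an 8+ character password
    return False


@dataclass
class Account:
    failed_attempts: int = 0
    locked: bool = False


def record_login_attempt(account: Account, success: bool) -> Account:
    """Change 3.2 (lockout option): lock once failures reach the threshold.

    A successful login resets the counter; a locked account stays locked
    until an administrator clears it (not modelled here).
    """
    if account.locked:
        return account
    if success:
        account.failed_attempts = 0
    else:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
    return account
```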

More Information

You can read detailed information on each change and the rationale for it on IASME’s Cyber Blog. If you have any questions about the new question set, feel free to contact us.