What are the 2023 changes to Cyber Essentials?


April 2023 is set to see more changes to the Cyber Essentials question set. Here’s everything you need to know and what it means for your business.

What’s happening? 

On 23rd January 2023, the NCSC published an updated set of requirements, version 3.1, for the Cyber Essentials scheme. These changes, called the ‘Montpellier question set’, come into force on 24th April 2023 and will replace last year’s Evendine question set.

What are the changes?

1. The definition of ‘software’ has been updated to clarify where firmware is in scope.

2. Asset management is now included as a highly recommended core security function.

3. A link to the NCSC’s BYOD guidance is now included to help businesses better manage their devices.

4. Clarification on including third-party devices – all devices that your organisation owns that are loaned to a third party must now be included.

5. The ‘Device unlocking’ section has been updated to reflect that some vendors have restrictions on device configuration. If that’s the case, the recommendation is to use the vendor’s default settings.

6. The ‘Malware Protection’ section has been updated. You must make sure that malware protection is active on all devices in scope. All anti-malware software has to:

  • Be updated in line with vendor recommendations
  • Prevent malware from running
  • Prevent the execution of malicious code
  • Prevent connections to malicious websites over the internet

And, only approved applications, restricted by code signing, are allowed to execute on devices. You must:

  • Actively approve such applications before deploying them to devices
  • Maintain a current list of approved applications. Users must not be able to install any application that is unsigned or has an invalid signature

7. New information has been added about how Cyber Essentials affects businesses using zero trust architecture. In short, this should be affected by the Cyber Essentials controls.

8. The illustrative specification document for Cyber Essentials Plus has been updated. The changes to the malware section affect how an auditor carries out a Cyber Essentials Plus assessment and this will be discussed with customers when they book.

9. Several style and language changes have been made and questions reworded to make the process simpler and easier to understand.

10. The technical controls have been reordered to align with the self-assessment question set.

What does this mean for your business?

It’s relatively simple.

Any Cyber Essentials assessment that begins before 24th April 2023 will continue to use the current requirements. Meanwhile, any assessment that begins after 24th April will be assessed using the new Montpellier requirements.

The changes aren’t complicated and shouldn’t impact your ability to achieve certification or the time it takes to complete it. However, if you do have any questions, please get in touch and one of our team will be happy to talk you through it. 

Unsure whether certification is right for your business? Check out our guide to cybersecurity certifications in the UK.
