Cyber Essentials Montpellier Requirements
Cyber Essentials Montpellier is an updated set of requirements for Cyber Essentials, the government-backed scheme designed to help organisations in Wales and the rest of the UK protect against common cyber threats and demonstrate their commitment to cyber security. Montpellier is the second major release of the questionnaire since IASME became the sole NCSC delivery partner for the Cyber Essentials scheme in 2020. The updated requirements came into effect on April 24, 2023, after being announced in January 2023.
For more information on the Cyber Essentials framework.
What are the changes for Cyber Essentials Wales?
The Cyber Essentials scheme has changed 9 requirements with the introduction of Cyber Essentials Montpellier. These changes are:
- Clarification of the definition of ‘Software’
Software has been defined as operating systems, applications, plugins, interpreters, scripts, libraries, network software, and firewall and router firmware. Any software in these categories must be supported and updated to the latest version. The use of unsupported software is not permitted unless mitigating controls are in place.
- Asset Management is Important for Cyber Essentials Accreditation
This means that, as an organisation, you need to establish and maintain a resource that contains accurate information about every device within the business. Asset management is a fundamental control that helps your organisation meet the requirements for Cyber Essentials certification. Good asset management will help you track and control devices as they are introduced to your business, allowing you to quickly discover any unsupported or out-of-date assets.
- Guidance for Bring Your Own Device (BYOD)
Guidance for Bring Your Own Device (BYOD) has been released, along with clarification on third-party devices. The chart below clarifies the complicated topic of BYOD. For any devices not owned by your organisation, this table explains what should be considered in scope when they access your organisation's information.
If a device is considered in scope, you need to be able to demonstrate that the required controls are in place through both technical controls and written policy. For example, if someone attempts to connect to your Office 365 tenancy with an out-of-date operating system, you can have a policy in place that blocks the connection.
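The two points above (an accurate asset register that surfaces unsupported or out-of-date devices, and a policy that refuses connections from devices that fail the check) can be combined into a single evaluation. The following Python script is an added example, not part of the original article or of any IASME or NCSC material: it walks a constructed device inventory, decides whether each device is in scope (organisation-owned, or a BYOD device that accesses organisation data), compares its OS version against a minimum-supported table, and derives an allow/block decision from the result. The `MIN_SUPPORTED` table, the device names and the scope rule are all assumptions chosen for illustration; in practice the table would come from vendor support lifecycles and the inventory from your asset register.

```python
"""Added example: audit an asset inventory for out-of-scope, unsupported and
out-of-date devices, and derive a connection-policy decision from the result.
All data below is constructed for illustration."""
from dataclasses import dataclass

# Assumed minimum supported version per OS family (major, minor, build).
# Not from the article: replace with your vendors' current support lifecycles.
MIN_SUPPORTED = {
    "windows": (10, 0, 19045),
    "macos": (13, 0, 0),
    "ios": (16, 0, 0),
    "android": (12, 0, 0),
}


@dataclass
class Device:
    name: str
    owner: str              # "org" (organisation-owned) or "byod"
    os_family: str
    os_version: str
    accesses_org_data: bool  # does the device reach organisation information?


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045); raises ValueError on malformed input."""
    return tuple(int(part) for part in text.strip().split("."))


def pad(version: tuple, width: int = 3) -> tuple:
    """Right-pad with zeros so '15.7' compares correctly against (16, 0, 0)."""
    return version + (0,) * (width - len(version))


def in_scope(device: Device) -> bool:
    # Assumed scope rule: organisation-owned devices are always in scope;
    # BYOD devices are in scope only when they access organisation data.
    return device.owner == "org" or device.accesses_org_data


def check_device(device: Device) -> str:
    """Classify a device as out-of-scope, unknown, unsupported, out-of-date or compliant."""
    if not in_scope(device):
        return "out-of-scope"
    minimum = MIN_SUPPORTED.get(device.os_family.lower())
    if minimum is None:
        return "unsupported"      # OS family has no supported version at all
    try:
        current = pad(parse_version(device.os_version))
    except ValueError:
        return "unknown"          # malformed version string: treat as a finding
    if current < pad(minimum):
        return "out-of-date"
    return "compliant"


def audit(devices: list) -> dict:
    """Map each device name to its classification."""
    return {d.name: check_device(d) for d in devices}


def connection_allowed(device: Device) -> bool:
    """Policy decision: only compliant in-scope devices may connect."""
    return check_device(device) == "compliant"


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("laptop-01", "org", "windows", "10.0.19045", True),
    Device("laptop-02", "org", "windows", "10.0.18363", True),
    Device("phone-director", "byod", "ios", "15.7", True),
    Device("phone-visitor", "byod", "android", "9.0", False),
    Device("legacy-box", "org", "centos", "6.10", True),
    Device("tablet-01", "org", "ios", "unknown", True),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:16} {status}")
```

Running the script prints one line per device; anything other than `compliant` or `out-of-scope` is a finding to resolve before assessment, and `connection_allowed` is the same check phrased as the access decision a conditional-access rule would make.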
- Device Unlocking
‘Device unlocking’ has been updated to reflect that some configurations cannot be altered because of vendor restrictions. Many smartphones have built-in “lock-out” timers that cannot be changed. It is acceptable to use the minimum number of sign-in attempts the device allows before locking. For example, Samsung have set their minimum sign-in attempts at 15, and this is not alterable; this is considered acceptable within the Cyber Essentials framework.
- Malware Protection
The ‘Malware protection’ section has been updated in line with research and recommendations from vendors. Any anti-malware software must be updated in line with vendor requirements, prevent malware from running, prevent execution of malicious code, and prevent connections to malicious websites over the internet. Application allow listing also falls under this category: only approved applications are allowed to execute on devices. Applications must be approved before being deployed, and you should maintain a list of approved applications for Cyber Essentials certification.
- Zero-Trust and the effects on Cyber Essentials certification
As more businesses embrace flexible working, many different devices are likely to connect to your systems from many locations. More and more organisations are also sharing data with external partners and users. Zero trust architecture is an approach in which inherent trust in the network is removed. Instead, the network is assumed to be hostile and each request is verified against a defined access policy. The NCSC and IASME have closely considered the alignment of Cyber Essentials with zero trust architecture and are confident that implementing the Cyber Essentials security controls does not prevent you from using the zero trust architecture described above.
General usability changes include:
- The specification document for Cyber Essentials Plus has been updated and is now active.
- Document Readability (Style and language adjustments)
- The Cyber Essentials scheme requirements are now in a consistent order: firewalls, secure configuration, security update management, user access controls, and malware protection.
For more information on each of these updates to the Cyber Essentials and Cyber Essentials Plus scheme, visit the IASME website.
Please note that, with these changes, the Cyber Essentials certification process is likely to take longer.
Cyber Essentials accreditation is essential for every business to stay safe online. Protect your business, supply chain and customer data by completing the Cyber Essentials Plus certification.
If you’re looking for assistance with your Cyber Essentials, as a service or for accreditation, Excellence IT is a cybersecurity-first Managed Service Provider, and we help businesses in Wales achieve Cyber Essentials certification daily.