Cyber Essentials has changed!

The NCSC- and Government-approved Cyber Essentials scheme, provided by IASME, has recently changed and the new ‘Montpellier’ version 3.1 is now in effect. It includes five technical controls that help protect organisations from the most common cyber-attacks. Cyber Essentials certification signals to customers, investors, and those in the supply chain that your organisation has put the Government-approved minimum level of cyber security in place, reinforcing trust.

Earlier in the year, the NCSC published an updated set of requirements, version 3.1 of Cyber Essentials, which came into force on 24th April 2023. Any assessment commenced before 24th April will continue to use the version 3.0 (Evendine) question set; this includes any assessment account created before 24th April. Note: the IASME versions of the Standard are named after Malvern area spring waters.

The ‘Montpellier’ question set is a new and updated version of the (now) older ‘Evendine’ question set. It seeks to improve the existing questions, with an additional focus on changes to business operations, including home working, antivirus solutions, firewalls and user controls.

The term ‘Software’ has been updated to clarify where firmware is in scope. Firewalls and routers are key security devices; their firmware is their operating system, and keeping it up to date is extremely important from a security perspective. Software includes operating systems, COTS (commercial off-the-shelf) applications, interpreters, scripts, plugins, libraries and network software, as well as the firmware of firewalls and routers.

Cyber Essentials requires a list of devices such as laptops, desktops, servers, tablets and mobile phones, with details of the make and operating system of each. Firewalls and routers only require make and model (not the specific firmware version).

Third-party devices that your organisation owns (including loan devices) must be included in the assessment scope. The aim is to answer the common concerns regarding devices used by contractors, consultants, volunteers and students. Student-owned devices are not in scope.
Asset management is not strictly a Cyber Essentials control, but it is a recommended core security function that can help an organisation meet the five Cyber Essentials controls. Having effective policies relating to company assets, with clear instruction on how they are to be managed, will help track and control devices. Security incidents are often caused by organisations having unknown assets that are still actively connected to the network. The new inclusion of asset management emphasises its importance as good practice.
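The two asset-management points above (the make/operating-system and make/model details the register must hold, and the risk of unknown devices still connected to the network) can be checked mechanically. The following is an added example, not code from the original article or from IASME/NCSC; the register entries, the observed-device list, the `REQUIRED_FIELDS` table and the MAC addresses are all constructed for illustration.

```python
"""Reconcile a Cyber Essentials asset register against devices observed on the network.

Added example (not from the original article or from IASME/NCSC material).
The register entries, the observed-device list and the required-field table
are constructed for illustration.
"""
from dataclasses import dataclass

# Fields the article says the register must hold: make + operating system for
# end-user devices and servers, make + model for firewalls and routers.
REQUIRED_FIELDS = {
    "laptop": ("make", "operating_system"),
    "desktop": ("make", "operating_system"),
    "server": ("make", "operating_system"),
    "tablet": ("make", "operating_system"),
    "mobile": ("make", "operating_system"),
    "firewall": ("make", "model"),
    "router": ("make", "model"),
}


@dataclass
class Finding:
    asset_id: str
    issue: str


def validate_register(register):
    """Return findings for entries missing a required field or of unknown type."""
    findings = []
    for entry in register:
        required = REQUIRED_FIELDS.get(entry.get("type"))
        if required is None:
            findings.append(Finding(entry.get("id", "?"), "unknown device type"))
            continue
        for field_name in required:
            if not entry.get(field_name):
                findings.append(Finding(entry["id"], f"missing {field_name}"))
    return findings


def unknown_active_devices(register, observed):
    """MACs seen on the network but absent from the register: unmanaged, still-connected assets."""
    known = {e["mac"].lower() for e in register if e.get("mac")}
    return sorted(d["mac"].lower() for d in observed if d["mac"].lower() not in known)


# Constructed sample register (hypothetical ids, vendors and MACs)
REGISTER = [
    {"id": "LT-001", "type": "laptop", "make": "Dell", "operating_system": "Windows 11 22H2", "mac": "AA:BB:CC:00:00:01"},
    {"id": "LT-002", "type": "laptop", "make": "Apple", "operating_system": "", "mac": "AA:BB:CC:00:00:02"},
    {"id": "FW-001", "type": "firewall", "make": "ExampleVendor", "model": "", "mac": "AA:BB:CC:00:00:10"},
    {"id": "RT-001", "type": "router", "make": "ExampleVendor", "model": "R100", "mac": "AA:BB:CC:00:00:11"},
]

# Constructed sample of devices observed on the LAN (as exported from a DHCP
# lease table or ARP scan); one MAC is not in the register.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "192.0.2.10"},
    {"mac": "aa:bb:cc:00:00:11", "ip": "192.0.2.1"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "192.0.2.57"},
]

if __name__ == "__main__":
    for f in validate_register(REGISTER):
        print(f"{f.asset_id}: {f.issue}")
    print("unregistered active devices:", unknown_active_devices(REGISTER, OBSERVED))
```

Running it reports the laptop with no operating system recorded and the firewall with no model, and flags the one observed MAC that nobody has claimed; that last list is the set of "unknown assets still active on the network" the article warns about, and is the first thing to chase down before an assessment.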

The applicant organisation is required to demonstrate that it has the required controls in place, through technical procedures and written policies.

The ‘Device unlocking’ section has been amended to allow some configurations where the setting cannot be altered because of vendor restrictions (i.e., only default settings are allowed), or where there are limited options to change the configuration to meet the Cyber Essentials requirements, for example where you cannot lock a device after 10 failed sign-in attempts. Samsung is a further example, where there is currently no way to change the minimum number of sign-in attempts from 15 to 10. Cyber Essentials will now accept the minimum number of sign-in attempts allowed by the device before it locks. You must make sure that all devices in scope have a malware protection mechanism active.

Anti-malware software must be installed to protect devices in scope and configured to be updated in line with vendor recommendations.

Only approved applications are allowed to execute on devices (this can be restricted by code signing), and each must be actively approved before deployment is allowed. A list of approved applications should be recorded, and users must not be able to install any application that is unsigned or has an invalid signature.

The threat landscape constantly changes, it is a challenge to keep ahead of the field, and for some companies certification may seem overwhelming. ADAS-LTD is an IASME-approved Certification Body and is here to help and support customers through the process. The new Standard question set not only addresses these challenges but also allows us to reduce uncertainty and provide critical situational awareness, while aiding in identifying probable threats and opportunities to reduce the risk of a real attack.

We believe in a personal touch and proactive approach to cyber security and our involvement in the IASME Cyber Essentials scheme helps to reinforce this.

If you would like to know more about how the scheme could benefit your organisation, or are seeking Cyber Essentials Certification or if you would just like to hear more about how we can help, please get in touch (