NCSC Cyber Essentials overhaul takes effect

Screenshot of the NCSC website homepage in a browser
(Image credit: Shutterstock)

The National Cyber Security Centre's (NCSC) planned changes to its Cyber Essentials scheme come into effect today with amendments to the certification's scope reflecting a different world of work compared to when it was first introduced.

First announced in November 2021, the latest overhaul of Cyber Essential's technical controls is the biggest set of changes the NCSC has made since the scheme's debut in 2014.

Cloud services, home working, and identity and access management have all seen numerous changes over the past eight years that have re-shaped the world of work for most UK businesses, and the new changes reflect these specifically.

The main change on the cloud services side is the NCSC's implementation of a shared responsibility model that clearly defines the security obligations of both business and cloud provider. The main takeaway from this stage is that businesses will now be expected to take a more proactive role in ensuring their cloud provider is implementing services properly and securely.

The idea of home working was viewed as an exceptional circumstance by the NCSC when Cyber Essentials was first launched in 2014 but is far more normal now due to the pandemic.

Routers issued by internet service providers (ISPs), and ensuring they're securely set up, has been taken out of the certification's scope because the NCSC believes it's not feasible for businesses to expect employees to correctly set up their routers, even if there was guidance on how to do so from the employer. Instead, a stronger focus will be placed on firewall controls being applied to all end-user devices.


The secure cloud configuration imperative

The central role of cloud security posture management


With the rise of multi-factor authentication (MFA) being more readily available and free in most cases, the NCSC has added guidance on how to choose the right additional factor for any given organisation and the password requirement of the certification has been updated in line with current guidance, and with reference to the NCSC's 'three random words' advice.

The pricing structure for certification is also changing for larger businesses, while small and micro companies will pay the same £300 + VAT for the base-level Cyber Essentials certification and £500 + VAT for Cyber Essentials Plus. The largest companies - those with 250 employees or more - will pay £500 + VAT for Cyber Essentials but have to apply for a bespoke quote for Cyber Essentials Plus.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.