The 2023 Cyber Essentials Update: What You Need to Know

November 6, 2023
  • Launched in 2014, the National Cyber Security Centre’s (NCSC) Cyber Essentials is a certification program designed to help organisations implement robust cybersecurity measures. 
  • On the 24th April 2023, the NCSC updated the scheme with a new set of requirements, version 3.1, which seek to bring the certification in line with today’s cybersecurity climate.  
  • Following big changes to the core technical controls in 2022, this year’s update isn’t as wide in scope, but it’s still important than organisations understand what’s changing – and why.
  • Introduction 
  • When it comes to running a business, it can sometimes feel like your to-do list never ends.  
  • But there are some items which you really can’t afford to skip—and cyber security is one of the biggest.  
  • With a 77% increase in UK cyberattacks in 2022, it’s no wonder organisations are looking for ways to mitigate and ideally avoid cybersecurity breaches altogether. That’s one of the reasons that the NCSC’s Cyber Essentials scheme was created—and it’s also the reason it’s been updated several times since its launch in 2014.  
  • With the latest update in April 2023, several changes have been made to bring the certification up to date with today’s cyber climate, and we’ve got everything you need to know below.  
  • What is the NSCS Cyber Essentials? 
  • As we’ve explored previously here on the Get Support blog, Cyber Essentials is a government-endorsed initiative which helps businesses safeguard themselves against the ever-growing threat of cyberattacks. Cyber Essentials offers a comprehensive framework which details the fundamental controls organisations should implement to bolster their defences. By ensuring their operations comply with the NCSC’s best practices, UK companies can become Cyber Essentials certified.  
  • The Cyber Essentials scheme was developed by the National Cyber Security Centre (NCSC) back in 2014, and the certification itself is delivered by the IASME (Information Assurance for Small and Medium Enterprises) Consortium. It’s regarded as an initial (and crucial) step towards establishing a more secure network, effectively shielding organisations from the most common forms of cyberattacks and breaches. 
  • The latest requirements, version 3.1 also known as the Montpelier question set, came into force on April 24th 2023.  
  • The April 2023 Cyber Essentials update: What’s changed? 
  • As we mentioned above, the version 3.1 of the certification wasn’t quite as extensive as previous updates, but it’s still worth knowing about it you’re even considering Cyber Essentials.  
  • Here are the key updates you need to know.  
  • The use of third-party devices 
  • It can be difficult to decide exactly which devices your employees use would fall under the remit of the Cyber Essentials certification. Company-issued devices might be a given, but what about an employee’s personal smartphones, devices belonging to students, or devices being used on a Bring Your Own Device (BYOD) basis?  
  • With the April ’23 update, the NSCS has clarified exactly which devices are ‘in scope’ (i.e. covered by the certification) and which are not. They’ve updated the guidelines with a straightforward table for quick reference.