Monday, May 20, 2024

UK NCSC updates Cyber Essentials technical controls requirements and pricing structure

Technical controls update includes revisions surrounding the use of cloud services, multi-factor authentication, and password management. A new pricing structure better reflects organisational size and complexity.

UK NCSC Updates It’s Cyber Security Essentials Technical Controls Requirements And Pricing

Technical controls update reflects modern cybersecurity landscape

NCSC said that the refresh of the technical control reflects the impact of digital transformation, adoption of cloud services, and move to home/hybrid working on current working and cybersecurity norms. The update includes revisions surrounding the use of cloud services, multi-factor authentication (MFA), and password management. Changes have been implemented with input from NCSC technical experts and are based on feedback from assessors and applicants, along with consultation with the Cloud Industry Forum.

The new version of the Cyber Essentials technical requirements will officially release on January 24, 2022. All Cyber Essentials applications starting on or after this date will use the updated version, although the NCSC stated there will be a grace period of up to 12 months for some of the requirements. Any assessments already underway, or that begin before that date, will continue to use the current technical standard, meaning that in-progress certifications will not be affected.

Speaking to CSO, Cyber Essentials certification provider Richard Andreae says the new revisions are much needed and will help businesses better secure organisational data. “The biggest changes to the requirements are the inclusion of cloud services; this is well overdue as most businesses today use these services and now, they are required to make sure that these services are as secure as those of their in-house systems,” he says.

Recommended:  Royal Mail customer data leak shutters online Click and Drop

A lot of the questions have been tweaked to remove ambiguity, and with this, the marking will become tougher, Andreae adds. “Any organisation applying for certification after January 24 will be expected to have a better understanding of the security they have available in their cloud services, in particular the use of MFA. This could impact businesses in a big way, as having to implement MFA for all cloud services could be time consuming and disruptive. Another potentially costly and disruptive change is the inclusion of thin clients to the scope. If an organisation is using thin clients on unsupported operating systems, then these will need to be updated.”


New pricing structure adopts internationally recognised definition for enterprise size

Along with the technical control’s update, the NCSC is implementing a new pricing structure, which also launches on January 24. This structure adopts the internationally recognised definition for micro, small, medium and large enterprises. Currently, all assessments are charged at £300. However, while the price will remain £300 plus VAT for micro organisations (up to nine employees), small (10 to 49 employees), medium (50 to 249 employees), and large organisations (more than 250 employees) will be required to pay more – £400, £450, and £500 (all plus VAT), respectively.

Commenting on the pricing restructure, NCSC’s head of commercial assurance services Anne W, said: “This price change reflects the increasing levels of rigour that go into every assessment. While Cyber Essentials is designed to help any organisation attain a minimum level of cybersecurity, the assessment process can be quite complex. We want to continue to ensure this important scheme remains accessible to every business, no matter their size.”

Recommended:  16M COVID-19 Patients’ Records Exposed Online via Brazil’s Health Ministry

Enjoyed this article? Read more cybersecurity news here

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates