The Cyber Essentials scheme’s five basic security controls aim to provide organisations with a baseline of security. However, the technology landscape has shifted significantly since the scheme’s inception over a decade ago. This is why the scheme is updated each year.
This year’s updates take effect from 27 April, when new Cyber Essentials certifications will be assessed according to version 3.3 of the NCSC Requirements for IT Infrastructure and must use the new Danzell Question Set.
Partial scoping now needs stronger evidence
Partial scoping is still allowed if you don’t want to include your whole organisation in your certification. However, you need to justify why it is partial and show that anything you have excluded from the scope is separated from the rest of your network. This will typically mean a defined subset, segregated using a firewall or VLAN.
From a security point of view, this is a sensible change: many attacks move laterally from one weakly managed area into other systems. The scheme now effectively requires organisations to prove that boundaries exist and are maintained.
The practical impact is that you need to know what networks exist, what devices sit on them, where users work, how remote access is handled and which systems are connected to the Internet.
That matters because, for many organisations, the systems most relied on from day to day sit in the Cloud and are accessible from anywhere.
“Cloud services cannot be excluded from scope”
Recognising that many organisations now do much of their work using Cloud platforms such as Microsoft 365, Google Workspace, and CRM (customer relationship management) and SaaS (software as a service) tools, the scheme is now explicit that if your organisation’s data or services are hosted on Cloud services, those services can’t be excluded from your certification.
In practical terms, this closes a common gap between how organisations operate and what they choose to assess. Once Cloud services are in scope by default, access controls become central, because Cloud risk is largely driven by how accounts are authenticated and managed.
MFA is no longer merely expected
IASME has also flagged a marking change to the Danzell Question Set: where Cloud services have MFA (multifactor authentication) available but you don’t implement it, this will result in an automatic failure.
This includes cases where MFA is built in, available as a paid add-on or provided via integration with another service.
Once Cloud services are non-excludable, weak identity controls become impossible to hide behind a narrow scope statement. If your staff access business data via SaaS platforms, you will be expected to demonstrate that MFA is enforced on them for both administrators and users, with very limited exceptions.
For most organisations, the work is in making sure MFA is consistently enforced across all Cloud services, including the tools that sit outside central IT ownership.
What to do now
If you are certifying for the first time, treat v3.3 as a “Cloud and identity” project as much as a network hygiene project. Start by building a Cloud service inventory and identify which services store or process organisational data. Then confirm how access is controlled – particularly administrator access – and enforce MFA consistently.
If you are renewing, focus on what’s changed, not what you did last year. Your previous scope statement may no longer match the scheme’s expectations if you have increased Cloud adoption. Confirm your current devices, networks, remote working model and Cloud services, then test your ability to answer the new scoping questions cleanly and consistently.
How we can help you
Cyber Essentials certification lasts 12 months, so the practical question to ask yourself is when to absorb this year’s changes into your compliance cycle. Whether you’re certifying before or after the changes take effect, we have everything you need:
- We’re one of the founding Cyber Essentials certification bodies and one of the largest in the UK, having issued more than 12,000 certificates to date.
- Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.
- With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.
- We have a 98% customer success rate.
- We offer everything you need to get Cyber Essentials certification, such as documentation, scanning and assessments.
- One-to-one support is included as standard in all our packages.
- End-to-end support – we deliver all the technical tests and assessments ourselves, conducted by our experienced technical testers.
- Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.
- Credentials – our consultants are qualified cyber security practitioners.
- Unrivalled expertise – we have the knowledge and insight to help you take the next steps beyond Cyber Essentials.
