The UK’s Cyber Essentials Scheme is Changing in 2022. Here’s How


Executive Summary

  • Since it launched in 2014, the UK government’s Cyber Essentials scheme hasn’t seen any significant updates – until now. In 2022, the scheme’s technical controls will see a number of changes.
  • From January 24th 2022, Cyber Essentials will include a set of updated technical controls which reflect the state of business in today’s post-pandemic digital world. Pricing for the scheme is also changing.
  • In this article, we’ll summarise the 2022 updates to the Cyber Essentials scheme, including a list of the specific technical controls which will be updated – Multi-Factor Authentication, cloud service access, home working devices, and more.

Introduction

Did you know that weekly cyber attacks on corporate networks increased by 50% between 2020 and 2021?

In the wake of the pandemic, it’s not just businesses that have switched to spending more time online – criminals have, too. That’s why it’s more important than ever for UK companies to be up to date with Cyber Essentials.

Launched in 2014, the Cyber Essentials scheme has become the go-to choice for businesses looking to understand the fundamentals of staying cyber safe. Since it hasn’t seen any updates since launch – and since so much has changed in the digital world – 2022 has been chosen as the year to make some changes.

Let’s explore what’s changing with Cyber Essentials in 2022 and what you might need to know as a UK business.  

What is Cyber Essentials?

Before we look at what’s changing, let’s cover the basics.

Cyber Essentials is a certification scheme which is backed by the UK government and managed by the National Cyber Security Centre (NCSC). It offers businesses a point-by-point explanation of the specific steps they should take to ensure they operate safely in the digital space.

The scheme is based on 5 technical controls:

  1. Boundary firewalls and internet gateways
  2. Secure configuration
  3. Access control
  4. Malware protection
  5. Patch management

We’ve already covered the scheme in detail in a two-part blog series, so you can get a complete picture by reading through these.

But if you want to know how the scheme will be changing this year, read on.

Why is Cyber Essentials changing in 2022?

Announced by the NCSC in November 2021, the changes being introduced to Cyber Essentials are about revising those core technical controls.

The rationale for the decision, in the words of the NCSC, is that “The way we work has changed dramatically over a short period of time. The speed of the digital transformation and the adoption of cloud services are driving factors here, as well as the move to home and hybrid working, accelerated by the COVID-19 pandemic, which is now routine for many people.”

So, in essence, these changes are being made because the digital world in which we work has changed radically since the scheme’s launch in 2014, with the global pandemic serving as something of a catalyst for this update.

In detail: How Cyber Essentials is changing

With the stage set for these changes, let’s now look at the details.

The main changes which will be made to the Cyber Essentials scheme after January 2022 won’t actually alter the structure of the 5 technical controls within the certification, but rather add to them. In plain English, that means that, in order to maintain compliance with Cyber Essentials, companies must ensure they abide by the updated specifications.

Here are the main additions which will be made to the scheme.

Home working devices

Within the firewall technical control, any home-based device which an employee uses to do their job will now fall within the scope of Cyber Essentials. This means that the firewall settings on any device an employee uses to work from home must follow the Cyber Essentials guidelines for the organisation to comply with the certification.

Cloud services

One of the biggest changes to Cyber Essentials in 2022 is the addition of cloud services, which have not previously been covered by the scheme. Within the new specification, a cloud service is defined as either Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). If you’re not familiar with these technologies, we’ve got you covered.

Cloud services are covered by several of the Cyber Essentials technical controls, including both user access control and secure configuration. This means it’s the responsibility of the company to ensure these services comply with Cyber Essentials specifications.

Multi-Factor Authentication

Also known as MFA, Multi-Factor Authentication is now a requirement for compliance with the Cyber Essentials scheme in 2022.

MFA offers additional protection for any user account accessing cloud-based services, making it almost a necessity in today’s online-focused world of work. 

A new approach to software updates for cyber security

Cyber Essentials certification has always required that certain high-risk vulnerability updates be applied to maintain compliance, meaning that organisations were previously able to be selective about the updates they installed (or didn’t).

With the 2022 Cyber Essentials update, this has changed. Now, all updates deemed high or critical risk must be installed on all in-scope devices within 14 days of the update being released to maintain compliance.

In addition, any software installed on in-scope devices must meet the following criteria:

  • Fully licensed and supported by the developer (e.g. Microsoft)
  • Removed from any device which is no longer in scope
  • Have automatic updates enabled
  • Have any high or critical update installed within 14 days (as above)

Updates to the pricing model

The final change which will be of interest to UK businesses is that the pricing of Cyber Essentials is moving to a tiered model. In short, the price of the certification will differ depending on which category your business falls into:

  • Micro organisations (0-9 employees): £300 (plus VAT)
  • Small organisations (10-49 employees): £400 (plus VAT)
  • Medium organisations (50-249 employees): £450 (plus VAT)
  • Large organisations (250+ employees): £500 (plus VAT)

Need a cyber security partner your business can trust?

Just as it’s essential (if you’ll pardon the pun) to stay on top of the latest developments in the cyber security world, it’s also important to work with an IT support team who do the same.

At Get Support, we help our clients protect their businesses by staying in the loop on what’s happening with UK best practices around cyber defence. If you’re still operating with either a single IT person or perhaps an unreliable ‘break-fix’ solution, why not take a look at our IT support agreements?

We’d love to help your business stay safe online and in the office.

To learn more about how our IT experts could help your business make the most of your cyber security, call us today on 01865 594 000.
