As of the 24th of April 2023, the National Cyber Security Centre’s new ‘Montpellier’ question set came into full force and replaced the ‘Evendine’ question set on the Cyber Essentials scheme.
Moving forward, in order to attain the Cyber Essentials Certification badge for your company, adherence to the updated ‘Montpellier’ question set is required.
The Montpellier question set serves to prove that your business adheres to the updated minimum cyber security standards, protecting your business, customers, investors, and supply chain from the constantly evolving cyber threat landscape.
In this blog post, we’ll explain what this change means for your business and what the new changes actually are.
What are the changes to Cyber Essentials?
1) The definition of ‘software’ has been updated to clarify where firmware is in scope.
2) Asset management is now included as a highly recommended core security function.
3) A link to the NCSC’s BYOD guidance has been added to provide businesses with more information.
4) All devices that your organisation owns that are loaned to a third party must now be included in the assessment scope.
5) The section on ‘Device unlocking’ has been revised to acknowledge that certain vendors impose restrictions on device settings. In such instances, it is advised to use the default settings provided by the vendor.
6) The ‘Malware Protection’ section has been revised to make sure that malware protection is active on all devices in scope.
All anti-malware software must be configured to:
- Be updated in line with vendor recommendations
- Prevent malware from running
- Prevent the execution of malicious code
- Prevent connections to malicious websites over the internet
Approved applications, restricted by code signing, are allowed to execute on devices. But first, you must:
- Actively approve such applications before deploying them to devices.
- Maintain a current list of approved applications. Users must not be able to install any application that is unsigned or has an invalid signature.
7) New information has been added about how Cyber Essentials affects businesses using zero trust architecture.
8) The illustrative specification document for Cyber Essentials Plus has been updated.
9) Several changes have been made to the style, language, and wording of the document to make it easier to understand.
10) The technical controls have been reordered to align with the self-assessment question set.
What does this mean for your business?
Together, these changes are the biggest update of the scheme’s technical controls since its launch in 2014. They are not complicated and will not affect your capacity to get certified or the time it takes to complete certification.
The updated technical requirements are a response to evolving cybersecurity challenges that businesses now face. The refresh provides reassurance to stakeholders that your business has the basic cyber security controls in place needed for 2023.
Many of the changes were based on feedback from assessors, applicants and The Cloud Industry Forum, so you should find that the process goes a lot more smoothly.
If you have any more questions on how to gain your Cyber Essentials accreditation, you can contact a member of our team today on 01482 628800.