Cyber Essentials Changes: Cloud Services
If you do business online, you’ll likely have already heard of Cyber Essentials. And if you regularly read our blog, you will have already seen the first post in our series taking a close look at the upcoming Cyber Essentials changes.
Launched in 2014, the government-backed scheme helps to protect businesses and organisations from online risks, and fight the most common cybersecurity threats. To attain Cyber Essentials certification from the National Cyber Security Centre (NCSC) you need to meet their key technical requirements.
The NCSC updates these requirements regularly, and with more and more people working from home rather than the office in recent years, they’ve had to make some changes. The new conditions will come into force on 24th January 2022. If you’re looking to get Cyber Essentials certification, or renew your existing accreditation, and you need to make any changes to your systems or software, then you’ll need to make them soon.
One of the biggest changes is that all cloud services will be fully integrated and fall within the scope of Cyber Essentials. If any of your organisation’s data is currently hosted on cloud services, then you’ll be held responsible for ensuring that the Cyber Essentials controls are implemented.
What needs to be done?
Although many people think cloud services are completely secure out of the box, that’s not always the case. Users must check up on the services they’re using and read up on them to ensure they meet the Cyber Essentials standards. Platform as a Service (PaaS) and Software as a Service (SaaS) weren’t previously in scope, but they are now, and organisations will need to take responsibility for user access control, as well as the secure configuration of their services.
Depending on the type of cloud service you use, either you or the cloud service provider may be in charge of implementing controls such as security update management. If it’s the cloud service provider’s responsibility, then your organisation must seek and provide the necessary evidence that this has been done.
You can get more information on the updates by reading our Cyber Essentials blogs - the first in the series covers home routers. To find out more, or get some advice on how to make the necessary updates to your business to be in line with the new requirements, get in touch.