Cyber Essentials Changes: Cloud Services

  • Home
  • Blog
  • Cyber Essentials Changes: Cloud Services

Executive Summary

On 24th January 2022, the newest requirements for the Cyber Essentials scheme will come into force, in the scheme’s biggest overhaul since its launch in 2014. Backed by the government and organised by the NCSC (National Cyber Security Centre), the scheme is a way for businesses to showcase their cybersecurity measures, and assure customers that they’re protected against some of the most common online threats. Ahead of the update, we’ve put together a series of articles looking into the biggest changes - here’s our third instalment!

What’s changed?

The NCSC updates these requirements regularly, and with more and more people working from home rather than the office in recent years, they’ve had to make some changes. If you’re looking to get Cyber Essentials certification, or renew your existing accreditation, then the new conditions will come into force on 24th January 2022 - if you need to make any changes to your systems or software, then you’ll need to make them soon.

One of the biggest changes is that all cloud services will be fully integrated, and fall under the scope of Cyber Essentials. If any of your organisation’s data is currently hosted on cloud services, then you’ll be held responsible for ensuring that the Cyber Essentials controls are implemented.

What needs to be done?

Although many people think cloud services are completely secure out of the box, that’s not always the case. Users must check up on the services they’re using and read up on them to ensure they meet the Cyber Essentials standards. Although Platform as a Service (PaaS) and Software as a Service (SaaS) weren’t previously under scope, they are now, and organisations will need to take responsibility for user access control, as well as the secure configuration of their services.

Depending on the type of cloud service you use, either you or the cloud service provider may be in charge of implementing the controls such as security update management. If it’s the cloud service provider’s responsibility, then your organisation must seek and provide the necessary evidence that this has been done.

You can get more information on the updates by reading our Cyber Essentials blogs - the first in the series covers home routers. To find out more, or get some advice on how to make the necessary updates to your business to be in line with the new requirements, get in touch.

Would you like to talk to us and find out more about our services?

Please fill in the form below and one of the team will get in touch.