Cyber Essentials Danzell: What Is Changing And How It Will Affect You
From April 27th, Cyber Essentials updated the scheme from Willow to Danzell. Whilst it has only been a year for Willow, IASME alongside the NCSC have made several improvements to the Cyber Essentials Scheme. The changes throughout Danzell are some of the biggest we have seen in a while and will have many elements that can catch out an organisation, especially one that goes through this process unprepared.
Whilst the five control themes remain familiar, the marking criteria, scoping expectations, and CE+ methodology have tightened. The main changes worth considering are around the scoping of cloud services, usage of MFA and the discipline around patching. While before Cyber Essentials allowed a level of non-compliances to carry one through certification, the bar has been raised, and these are not only grounds for automatic failures in an assessment but also could lead to current certificates being revoked.
Patching Discipline
Often one of the most difficult elements of a Cyber Essentials Plus is proving that you are doing your patching in a regimented way, with little to no failings. Danzell puts further emphasis on this and will put in jeopardy the certification of any company who is not following IASME guidance appropriately.
Not only will a CE assessment that answers ‘No’ to the patching requirements fail the basic assessment, but the rules have changed dramatically for Cyber Essentials Plus testing also. If an organisation fails to evidence that they have applied all patches in the first set of scan results, they will need to provide a second sample set for all failed devices to be added to the assessment, to evidence that on rescanning of the environment that both sets of samples have remediated the previously flagged concerns. So, if you are a large organisation running many different versions of operating systems, you could go from a test that initially sampled 15 devices, to quickly becoming 30 total after one day of testing. And not only will the assessor be looking to see in the second set that patches are applied for the previously identified high/critical vulnerabilities, but they will also be on the lookout for any other patches not applied within 14 days. If there are any found, then the organisation will fail the CE+ assessment and IASME will reserve the right to revoke the Cyber Essentials Basic certification as they will see that as enough evidence to determine inaccuracy in the initial assessment.
The Effect of a Non-Compliance
One thing that is often poorly understood within a Cyber Essentials assessment is the occurrence of a non-compliant answer. Many organisations may not realise that when going through the basic assessment only a few questions were automatic failures rather than a “major non-compliance” - in a Cyber Essentials basic assessment an organisation could carry up to two non-compliances. Cyber Essentials Plus was the level at which every control had to be applied to the letter of the law.
This is where Danzell may create difficulty for organisations that have relied on previous tolerance: the new scheme will be elevating the standards of the Cyber Essentials assessment. If an organisation wishes to go through a Cyber Essentials Plus assessment under Danzell, then they should communicate with their CE assessor in advance of any assessment. Some issues that may previously have been treated as major non-compliances are now automatic failures, particularly around MFA and timely patching.
Cloud Services
Cloud services are one of the frustrations that clients tend to have with Cyber Essentials, not because they are not following the guidance, but because the guidance at times can feel a bit behind the fast-paced world of cloud infrastructure.
Danzell may add to this feeling, as while it has been known for a while that cloud services cannot be removed from scope of an assessment, the way many organisations have operated indicates that many have perhaps misunderstood this point. IASME have provided further elaboration to the definition of cloud services and have directly stated that when we talk about cloud services, it is not only Platform-as-a-Service or Software-as-a-Service but it includes Infrastructure-as-a-Service, so if you are using cloud infrastructure in your business it must be compliant and must be included.
We have always operated on that assumption but having it laid out specifically in this iteration may cause some frustration and difficulties for clients that may have otherwise avoided including it in their scope.
Multi-Factor Authentication
Relating to cloud services, MFA usage has also become more stringent. If a cloud service supports MFA, then an organisation must use it. If they do not, they will automatically fail the assessment. So, the cloud infrastructure previously mentioned must have some form of MFA configured
For cloud services that do not have MFA capabilities, the organisation must list each one of these services and if it’s found that any of them have implemented an MFA system, then the organisation will automatically fail. For some organisations this will dramatically change the resources they utilise, and the resources given to the assessment itself, as checking every single cloud service can be a very long process.
When going through the basic assessment, organisations will see a multitude of questions around MFA to get a full understanding of its usage across the cloud systems. I would encourage any organisation to go through this as methodically as possible, as any mistake when identifying the usage of MFA could have serious certification consequences.
Danzell came into effect on April 27th. Discover how Cyberis can assist you in meeting the Cyber Essentials requirements by reading more here - https://www.cyberis.com/cyber-essentials.
References
Improve your security
Our experienced team will identify and address your most critical information security concerns.