To get us started, for those unaware, here is a quick definition of Cyber Essentials and IASME:
Cyber Essentials: A government-backed scheme focussing on five crucial technical security controls. It helps reassure customers that you are working to secure your IT against cyber attacks, and it allows you to understand your own cyber security level. Some Government contracts require this certification.
IASME: Cyber Essentials is partnered with the IASME consortium. From April 1st 2020, IASME became the National Cyber Security Centre's sole Cyber Essentials Partner, responsible for the scheme's delivery.
The big benefit: Cyber Essentials certification includes automatic cyber liability insurance for any UK organisation that certifies their whole organisation and has less than £20m annual turnover.
A significant change was made to Cyber Essentials at the start of the year. Any Cyber Essentials Self-Assessment certifications started after January 2022 are now assessed under the brand-new scheme update, known as Evendine.
There are many changes that those undertaking Cyber Essentials will need to consider. However, we want to draw your attention to one in particular: all cloud services are now in scope and are fully integrated into the scheme.
Previously, Cyber Essentials only considered IaaS (infrastructure as a service) to be in scope. Now that Evendine is in place, SaaS (software as a service) and PaaS (platform as a service) are included as well. This means that all of the scheme's controls need to be applied: by you, the organisation, where possible, and otherwise by the cloud provider.
The National Cyber Security Centre's position is that, when it comes to cloud services, the applicant is always responsible for ensuring all the controls are implemented, although the cloud service provider can implement some of them on the applicant's behalf. They consider three different types of cloud service:
Further information can be found in NCSC’s Cyber Essentials: Requirements for IT infrastructure v3 document. However, if you don’t fancy reading a 22-page government document, we have you covered for the essential facts you need to know.
NCSC specify requirements under five technical control themes:
The language they use is very clear. The responsibility for ensuring these requirements are applied to cloud services rests solely with you, the applicant.
Now, I'm not saying you would do this, but now is not the time to throw your hands in the air and say it's out of my control. Understandably, some of the themes will be outside your direct control and will come down to your cloud provider. However, you need to be extremely careful and check the terms and conditions of your agreement with that cloud provider. Make sure you can confirm, with 100% certainty and from the provider's privacy statements and documentation, that it is adequately applying those controls to the service.
If in doubt, contact the vendor to gain more information and have them follow up with written confirmation so you can be sure that you are compliant.
To help demonstrate how important it is to work with your cloud provider, here is who would typically be expected to implement each control:
Here are a couple of final points relating to user access control. If a corporate VPN solution connects back to your office location or to a virtual/cloud firewall, then it must be administered by your organisation so that firewall controls can be applied.
MFA is good practice in any case, but you also need to ensure you have implemented it wherever it is available. Authentication to cloud services must always use MFA. All standard user accounts will need MFA when certifying in 2023. In the meantime, user accounts will need either:
Again, make sure you read the entirety of the "Requirements for IT Infrastructure v3" document, as we are only highlighting the points we think are most relevant.
Here are a few tips and tricks to consider now that your cloud services are in scope.