02 Mar 2017

The National Cyber Security Centre recently published the latest changes of the Cyber Essentials requirements for IT infrastructure.

The National Cyber Security Centre (NCSC) recently published a modified version of the requirements to ensure it is easier to understand and use. This latest update, Specifying the technical controls required for IT infrastructure, for assessment under the Cyber Essentials scheme also incorporates a few technical changes.

This article highlights some of the key points pulled from the requirements document. Please make sure you read the full document. A link can be found at the end of this article.

What’s new?

The main changes listed by the NCSC are:

  • Made the title more specific, to help differentiate this document from other requirements documents we may produce in future (to deal with cloud services, for example).
  • Clarified how to determine the scope and which devices are within the scope.
  • Added requirement for authentication in services that allow Internet-based users to access data which must be protected.
  • Removed requirement for regular password changes in Internet-facing services. Replaced with a choice of responses to deal with repeated failed authentication attempts.
  • Added content to cover the use of certificate-based application whitelisting or sandboxing to defeat malware.
  • Refined requirements for patching, to be more flexible about devices in scope yet also more specific.

The scope for the requirements for IT infrastructure (Cyber Essentials scheme)

The National Cyber Security Centre states that the assessment and certification can cover the whole of the Applicant’s IT infrastructure, or a sub-set. Either way, the boundary of the scope must be clearly defined in terms of the business unit managing it, the network boundary and physical location. This scope has to be agreed between the Applicant and the Certification Body before the assessment begins.

The Centre strongly recommends that ideally the scope should include the whole IT infrastructure to achieve the best protection.

The following requirements apply to all the devices and software that are within this boundary and that meet the conditions below:

  • accept incoming network connections from untrusted Internet-connected hosts
  • establish user-initiated outbound connections to arbitrary devices via the Internet
  • control the flow of data between any of the above devices and the Internet

Bring Your Own Device (BYOD)

In addition to mobile or remote devices owned by the organisation, user-owned devices which access organisational data or services are in scope.

Wireless devices

Wireless devices (including wireless access points) are:

  • In scope – if they can communicate with other devices via the Internet
  • Not in scope – if it is not possible for an attacker to attack directly from the Internet (the Cyber Essentials scheme is not concerned with attacks that can only be launched from within the signal range of the wireless device)

Externally managed services — Cloud

If it is practicable for the Applicant to apply the requirements to its cloud services then it should include these services within the boundary of scope. At present, ‘Software as a Service’ (SaaS) and ‘Platform as a Service’ (PaaS) are not in scope — the current requirements cannot be mapped against them.

A useful example provided
Acme Corporation has procured ‘Infrastructure as a Service’ (IaaS) from a cloud service provider. Acme has control of the operating systems on the infrastructure, and so it is able to apply the requirements. Acme will therefore include this service in its scope.

Externally managed services — other

Where the Applicant is using other externally managed services (such as remote administration) it may not be possible for the Applicant to meet all the requirements directly. The Applicant may choose whether or not to include these services within the boundary of scope, according to feasibility.

Web applications

  • Commercial web applications created by development companies (rather than in-house developers) and which are publicly accessible from the Internet are in scope by default.
  • Bespoke and custom components of web applications are not in scope.

What needs to be covered under five technical control themes?

The NCSC also details what infrastructure comes under the 5 technical control themes. For further detail and the full requirements against each of these, please click on the link to the document at the end of this article.


Applies to: Boundary firewalls, desktop computers, laptop computers, routers, servers.

Secure configuration

Applies to: Email, web, and application servers, desktop computers, laptop computers, tablets, mobile phones, firewalls, routers.

User access control

Applies to: Email, web and application servers, desktop computers, laptop computers, tablets, mobile phones.

Malware protection

Applies to: Desktop computers, laptop computers, tablets, mobile phones.

Patch management

Applies to: Web, email and application servers, desktop computers, laptop computers, tablets, mobile phones, firewalls, routers.

A useful tip provided
Product vendors do not generally release patches for products they no longer support — not even to fix vulnerabilities

Password-based authentication

Something to leave you with is the NCSC’s section about passwords:

The Applicant must make good use of the technical controls available to it on password-protected systems. As much as is reasonably practicable, technical controls and policies must shift the burden away from individual users and reduce reliance on them knowing and using good practices.

Users are still expected to pick sensible passwords.

For password-based authentication in Internet-facing services the Applicant must:

  • Protect against brute-force password guessing, by using at least one of the following methods:
    • Lock accounts after no more than 10 unsuccessful attempts
    • Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
  • Set a minimum password length of at least 8 characters
  • Not set a maximum password length
  • Change passwords promptly when the Applicant knows or suspects they have been compromised
  • Have a password policy that tells users:
    • How to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favourite pet)
    • Not to choose common passwords — this could be implemented by technical means, using a password blacklist
    • Not to use the same password anywhere else, at work or at home
    • Where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
    • If they may use password management software — if so, which software and how
    • Which passwords they really must memorise and not record anywhere

For the full requirements document, click on this link – specifying the technical controls required for IT infrastructure, for assessment under the Cyber Essentials scheme

Assign-IT is an authorised certification body for Cyber Essentials. If you would like to talk to us about Cyber Essentials and IT security, please call us on 01727 843888 or email us at