Successful Cyber Essentials Plus renewal for PDMS
PDMS has recently successfully passed the renewal of our Cyber Essentials Plus Certificate of Assurance certification.
The renewal follows significant changes to Cyber Essentials in 2022 and, more recently, further changes which came into force on 24 April 2023.
About Cyber Essentials Plus
Cyber Essentials Plus is a government-backed cybersecurity certification scheme that helps companies in the UK protect themselves against common cyber threats. IASME, a UK-based organisation, was tasked by the government with running this certification and with helping to certify organisations in both cybersecurity and counter-fraud.
The Cyber Essentials Plus audit provides businesses with the means to identify vulnerabilities and make improvements to their IT infrastructure to create a more robust defence and reduce the risk of cybercrime.
Cyber Essentials Plus updates in 2023
In January 2023 the National Cyber Security Centre, working with its delivery partner IASME, published an updated set of requirements, version 3.1, for the Cyber Essentials scheme. These changes are referred to as the ‘Montpellier question set’ and have been introduced to reflect shifts in both technology and human behaviour which may create new security vulnerabilities.
One of the major changes is that firmware is now included as a type of software in scope. According to IASME this has been implemented because “firmware is the operating system for the key security devices, firewalls and routers; whether they are kept up to date is extremely important from a security perspective.”
Asset management is now also considered a ‘core security function’. Asset management touches multiple business functions, including IT operations, financial accounting, software licence management, procurement and logistics, with inevitable overlaps and dependencies between them, so its proper integration and coordination within an organisation is essential to reduce or manage conflicts.
IASME explain that “many major security incidents are caused by organisations having assets which are still connected to the network when that organisation is not aware the asset is still active. Effective asset management will help track and control devices as they’re introduced into your business.”
Another area of change relates to user devices, with more guidance now given on how external devices should be treated. Previously BYOD (Bring Your Own Device) required only minimal management, but the recent changes now require stricter security measures to be enforced on those devices.
To prepare for the Cyber Essentials Plus changes and audit, the infrastructure team at PDMS has rolled out several changes and security improvements across the organisation. These include:
- Standardisation of the desktop environment across all business units and employees.
- Compliance with the latest Azure best practices for identity management and access control.
- Completion of the migration of all corporate assets to secure public cloud services.
- Stricter asset control and additional policies around BYOD compliance.
- Multi-factor authentication across all corporate services.
Because PDMS provides hosting services for our clients, achieving the Cyber Essentials Plus certification is a more complex undertaking than it is for many other organisations. However, our infrastructure team, with the support of the rest of the business, completed a detailed programme of work to ensure that we could satisfactorily meet all of the new requirements. The certification process involved an assessment by a qualified, independent third-party assessor, who examined and tested the technical security controls by simulating common cyber threats.
Neal Kelly, Chief Information Officer at PDMS, commented:
“Cyber Essentials Plus is a critical part of our wider cyber security programme. The certification renewal and further improvements we have undertaken all form part of our ongoing commitment to ensuring the security and resilience of our technical solutions and IT systems. It also provides assurance both to our customers and our employees that the data which we are entrusted with continues to be our number one priority.”