News

Next month Cyber Essentials (CE) will see its latest refinement. The updated technical requirements for v3.3 are provided on the NCSC website. The update is more an evolution than a revolution and provides:
• A definition of ‘cloud services’
• A definition for Passwordless Authentication includes FIDO2
• A definitive statement that cloud services cannot be excluded from scope

Whilst still not an actual CE requirement, the NCSC “highly recommend implementing an appropriate backup solution.”

If you’re based in Somerset, Devon or Gloucestershire and are looking for Cyber Essentials advice, guidance or implementation, please get in touch.

Consult MB is now a licensed Certification Body for the Defence Cyber Certification (DCC). Mike, our assessor, is a certified DCC Level 1 Assessor.

Our focus will be on micro organisations in the MoD supply chain. If you’re based in the West Country and interested in gaining DCC, please contact us.

The UK Government has issued a new warning letter, this time aimed at small business owners and entrepreneurs. The letter outlines the increasing risk to cyber security with half of small businesses in the UK having suffered a cyber attack in the previous 12 months.

The letter highlights the NCSC’s Cyber Action Toolkit and the Cyber Essentials scheme.

If you’re a small business in Somerset and have concerns about cyber security or are interested in achieving Cyber Essentials certification, contact us to learn how we can safeguard your business together.

It’s been a while since the last update from Consult MB Ltd, but here’s a big one! On 13-Oct-2025 the UK Government issued a warning re increasing levels of hostile cyber activities in the UK. The letter to CEOs and Chairs of leading UK companies can be found here.

The letter asks CEOs/Chairs to implement the Cyber Essentials controls and require their supply chain to do so as well.
If you need any advice on Cyber Essentials, or are seeking to certify, please contact us.

Version 3.2 of the NCSC’s Cyber Essentials standard (IASME codename Willow) will go live from 28-April-2025. This version sees improved question wording and links to additional guidance. An important technical update is the acceptance of passwordless authentication. Checkout the NCSC’s Cyber Essentials v3.2 requirement document here.

Whilst the scope of Cyber Essentials Plus is exactly the same as Cyber Essentials, testing CE+ sees some interesting changes:

• The scope of the CE assessment must be verified by the Assessor.
• When the scope is not ‘whole organisation’, the Assessor must verify that any sub-sets have been segregated correctly.
• The Assessor must verify that the device sample size has been calculated correctly using the method determined by IASME.
• Instead of referring to ‘patches’ the new term is ‘Vulnerability Fixes’ which include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.

The NCSC’s updated Cyber Essentials Plus Test specification, can be found here.

The NCSC have published their annual review for the period Sep 2023 to Aug 2024. The report has a lot to say of interesting news and statistics about Cyber Essentials and the Cyber Advisor (Cyber Essentials) scheme. The report also mentions the NCSC’s Active Cyber Defence services, which we’d recommend to any/all organisations.

If you’re based in Somerset, Devon or Gloucestershire and are looking for cyber security advice, guidance and implementation, please get in touch.

The National Cyber Security Centre have published a blog marking the 10 year anniversary of Cyber Essentials. The blog highlights that organisations with Cyber Essentials certification are 92% less likely to make a cyber-insurance claim compared to those without it – which is an impressive statistic!

IASME have also published their own anniversary booklet, which rightly describes the scheme as “A minimum standard for cyber security”. A key statistic from the brochure is that 89% of Cyber Essentials certified organisations would recommend certifying to Cyber Essentials to other organisations like theirs – another great endorsement!

The NCSC’s Cyber Advisor Scheme has been with us for some time now. The scheme aims to provide small to medium sized organisations with cyber security advice and support. The Cyber Advisor Scheme is operated by IASME, the NCSC’s partner. The initial focus of the scheme is to help organisations implement the technical controls defined by the Cyber Essentials scheme.

To become a Cyber Advisor (Cyber Essentials) the advisor must work for an NCSC assured service provider and pass an assessment which evaluates:

• Knowledge and understanding of the Cyber Essentials’ technical controls.
• Competence in providing practical, hands-on support.
• Ability to understand and work with small and medium sized organisations.

The Cyber Advisor assessment is not a trivial exercise and the current pass rate is only around 50%. Whilst many candidates are technically competent, they often struggle with the consultancy skills aspect of the assessment.

Consult MB Ltd, with its roots in cyber security consultancy and status as a Cyber Essentials Certification Body, has developed a 1-day training course for potential Cyber Advisors. This course covers the technical requirements and consultancy skills needed, aiming to prepare candidates for the Cyber Advisor assessment.

The training course is delivered in-person, but can also be offered as an on-line webinar. If you are interested in preparing for the assessment by attending the 1-day course, please get in touch via our contact form.

From 1^st April 2024 the cost of Cyber Essentials (and IASME Cyber Assurance) certification will increase. Pricing still operates on a tiered structure, determined by the number of employees.

Organisation Size	Current Price (ex VAT)	New Price (ex VAT)
Micro (0-9 employees)	300	320
Small (10-49)	400	440
Medium (50-249)	450	500
Large (250+)	500	600