A new version of the CREST Cyber Essentials questionnaire (part of the Cyber Essentials assessment) has been made available by CREST, with a grace period of until September the 28th 2017 for using the older version for submissions. There are several changes which are summarised as follows.
A major change relates to the ongoing change in thinking over historical password advice. Specifically if you haven't seen it already a good read is the NCSC updated password advice to organisations, detailed at the following link:
A significant change is that the question on password expiry has been removed completely; there is no longer a password expiry requirement in the CREST Cyber Essentials. Note that it's not required for ISO 27001, but PCI DSS 3.2 still mandates 90 day changes, so do check other standards you may be adhering to.
The Access Control section now includes a question about your written or online password policy for staff, marking it based on 6 key points. If you currently provide advice to staff in your policy about how they should pick a good password, and manage multiple passwords (such as using an acceptable password manager), then you are likely to have few problems with this.
The wording throughout the questionnaire as a whole has changed from references to a “strong password” to “difficult to guess password”. CREST acknowledge that "difficult to guess" is a little ambiguous although it's likely this change will help organisations use long memorable passphrases rather than have auditors argue that "strong" requires every character set. To summarise the NCSC article, a password hash match corresponding to "September2017!" will be quickly found by most attackers. In contrast a 30 character long passphrase just made of lower case letters might fail complexity requirements but will be difficult to guess via computational means. Altering the wording is likely designed to allow for long memorable passwords that are hard to guess.
CREST now supply some additional guidance to the testing organisation about passwords, although these are hopefully common sense points and don't represent a change themselves.
Without giving scoring details, which are confidential, the older Cyber Essentials questionnaire created a necessity for the implementation of Microsoft AppLocker or similar. However the new malware section changes this. It splits how you deal with the risk of malware into three possibilities, with an option to choose which you are mainly utilising:
- Or Anti-virus or malware protection (4 questions)
- Or Application whitelisting (3 questions)
- Application sandboxing (1 question)
The new version of the Cyber Essentials Questionnaire brings Cyber Essentials more up-to-date with current information security practices.