Cyber Essentials Requirements for Supported Systems and Software Security
Overview
To pass the Cyber Essentials certification, all systems within an organization's scope must adhere to specific security requirements. Among these requirements, it is crucial that all software and operating systems are officially supported by their vendors. Furthermore, any system or configuration that represents a critical vulnerability, such as outdated protocols, is deemed non-compliant.
Supported Systems Requirement
Cyber Essentials mandates that all devices, including mobile devices and desktop systems, operate on a supported operating system (OS). Systems running unsupported OS versions automatically fail to meet compliance. For example:
Mobile devices must run a supported version of their respective operating systems. Running devices on unsupported versions, such as outdated Android OS versions, will result in certification failure.
Legacy systems such as Windows XP that use obsolete protocols like SMB v1.0 are deemed high risk. These systems are not acceptable for Cyber Essentials certification, even if they are isolated in separate VLANs or sandboxed. SMB v1.0 is classified as a critical vulnerability, leading to an automatic assessment failure.
Implications of Non-Compliance
Failing to adhere to the supported system requirements has serious implications, including:
Denial of Cyber Essentials certification.
Increased risk of security breaches due to exposure to known vulnerabilities.
Organizations must ensure that all devices in scope are updated to supported versions before applying for Cyber Essentials certification. Unsupported systems must either be upgraded or entirely removed from the network to comply with the guidelines.
Conclusion
Maintaining supported systems and eliminating high-risk vulnerabilities are fundamental requirements for Cyber Essentials certification. Compliance ensures not only certification success but also enhanced security across your organization's IT infrastructure. For further questions or guidance on preparing your organization for Cyber Essentials, consult the official Cyber Essentials guidelines or reach out to a certification expert.
