Cyber Essentials Controls to prioritise ahead of certification

By Cyber Essentials Lead Assessor Tony Wilson

Here are 2 key questions relating to unsupported Operating Systems that need to be prioritised ahead of submission:

  • Please list the quantities of tablets and mobile devices within the scope of this assessment. You must include model and operating system version for all devices, e.g. Samsung Galaxy S10 Android 9 or iPhone XR iOS 14.5.2.
  • Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers).

As part of the Cyber Essentials submission, you must state the make and model of all mobile devices used as well as their operating systems (Question A2.7). Our assessors check whether the models declared are still capable of being updated. Please do not assume that, just because a mobile device is running a supported operating system, updates are still being released by the manufacturer. This is not always the case: for example, the Huawei P20 Lite can run Android 9 but is no longer receiving security updates. We therefore urge you to perform an inventory of your mobile devices and confirm that they are still supported by checking the appropriate link below:

  • https://source.android.com/security/bulletin
  • https://support.google.com/pixelphone/answer/4457705#pixel_phones&nexus_devices
  • https://security.samsungmobile.com/workScope.smsb
  • https://consumer.huawei.com/en/support/bulletin/
  • https://motorola-global-portal.custhelp.com/app/software-security-page/g_id/6806
  • https://lgsecurity.lgcom/security_updates_mobile.html
  • https://security.oppo.com/en/mend.html
  • https://www.nokia.com/phones/en_int/security-updates

Don’t forget that the firewalls listed in question A2.9 are also checked to confirm that these devices are supported. Companies cannot pass with a firewall that is not capable of receiving security updates from the manufacturer.

Finding such an issue in any of the devices mentioned above will mean the submission fails, and it can take several weeks to rectify, as this often requires ordering, upgrading, and commissioning new hardware to meet the requirement for a supported Operating System.

Many companies have a client-imposed deadline to meet when certifying to Cyber Essentials, and those that do not identify unsupported Operating Systems early enough miss these deadlines and put contracts at risk.