CYBER ESSENTIALS MYTHCONCEPTION 5: Firmware Compliance

This post in our series on Cyber Essentials "Mythconceptions" tackles the misconception:

 

    "All firmware needs to be tracked and updated like software does."

 

The wording in the Cyber Essentials standard is a little unclear, but the reality is that not all firmware is in scope.

 

The firmware that is in scope is the firmware in network devices, laptops, tablets, and mobile phones. Firmware in IoT devices, computer peripherals, etc. is not in scope.

 

This should ease the fears of those who read the standard and assumed that all firmware was suddenly in scope.

 

However, this does mean that the firmware in scope needs to be inventoried, tracked, and updated when required.

 

Barrier's "Securely Compliant Tips" for Firmware Compliance

The following tips are offered as inspiration to help you devise a firmware strategy for your organisation, for compliance and beyond:

  1. Apple products update their firmware along with OS updates. iOS devices and Mac laptops are easy to keep compliant if the OS is up-to-date.

  2. Corporate-level networking devices often come with management tools that track and update network device firmware, which makes managing them easier than home-network devices.

  3. Android devices and other devices with in-scope firmware need to be tracked, checked, and updated according to the Cyber Essentials standard.

For any questions, contact IASME (https://iasme.co.uk/contact-us) for official Cyber Essentials queries, or Barrier Networks (https://www.barriernetworks.com/contact-us) to schedule a Cyber Essentials assessment or for help with anything from the Tips.

Jordan Schroeder