Cyber Essentials, the UK government-backed certification scheme, is evolving once again to address the latest trends in cybersecurity and IT practices. Starting April 28, 2025, organisations applying for Cyber Essentials certification will need to meet updated requirements designed to enhance security and adapt to modern working environments.
Key Changes to Cyber Essentials
- Passwordless Authentication: Traditional passwords are increasingly vulnerable to phishing and brute-force attacks. The updated Cyber Essentials framework introduces passwordless authentication methods, such as biometric verification, physical security keys, and push notifications. These modern approaches aim to improve security while simplifying user access.
- Expanded Software Definitions: The term “plugins” will be replaced with “extensions” to provide greater clarity when referring to software add-ons. This change reflects the evolving nature of software and its integration into IT systems.
- Vulnerability Fixes: The terminology “patches and updates” will be broadened to “vulnerability fixes,” encompassing a wider range of remediation methods, including registry updates, configuration changes, and vendor-approved scripts. This ensures organisations take a proactive approach to addressing security gaps.
- Remote Working Terminology: Recognising the rise of hybrid and flexible working, the term “home working” will be updated to “home and remote working.” This change acknowledges the variety of locations employees now work from, including cafes, hotels, and public spaces.
- Cyber Essentials Plus Testing Updates: For organisations pursuing Cyber Essentials Plus certification, assessors will follow updated guidelines to ensure proper segregation of organisational subsets, verification of device sample sizes, and retention of evidence throughout the certification’s lifetime.
Why These Changes Matter
Cyber threats are constantly evolving, and the Cyber Essentials scheme must adapt to remain effective. These updates aim to:
- Strengthen security measures against emerging threats.
- Reflect modern workplace practices, including remote and hybrid working.
- Simplify compliance processes while maintaining rigorous standards.
How to Prepare for the Changes
Organisations should start reviewing their current cybersecurity practices and identify areas that may need adjustment to meet the new requirements. Key steps include:
- Exploring passwordless authentication options.
- Ensuring comprehensive vulnerability management processes are in place.
- Updating policies to reflect remote working environments.
- Engaging with a certified Cyber Essentials consultant to guide you through the changes.
Stay Ahead of the Curve
As cybersecurity continues to evolve, achieving Cyber Essentials certification remains a vital step for organisations looking to protect their data, enhance their reputation, and meet compliance requirements. By preparing for these upcoming changes, you can ensure your business stays secure and competitive in an increasingly digital world.