Cyber Essentials, a government-backed scheme, certifies organisations for their commitment to cybersecurity. It’s not only evolving to counteract new cyber threats but also demonstrating proven results. Recent evaluations show it has significantly raised security standards across UK businesses, promoting best practices in supplier vetting and resilience-building in supply chains.
Why is Cyber Essentials So Important?
Cyber Essentials offers critical protection for businesses of all sizes. Studies show certified organisations are 80% less likely to experience cyber breaches. This badge signals robust cybersecurity practices, giving customers and partners confidence in your commitment to safeguarding data.
The 2025 Update…
A new update is coming in April 2025, giving businesses time to prepare and adjust to the new requirements.
Many changes focus on terminology: in the IT Infrastructure document (V3.2) under the ‘Software’ section, the term ‘plugins’ is being changed to ‘extensions’ for accuracy. Additionally, ‘home working’ will be updated to ‘home and remote working,’ acknowledging that remote work is now conducted in various locations like cafes, hotels, and other public spaces with untrusted networks.
Password security is also receiving attention. With the rising need for better protection than traditional passwords, the 2025 update emphasises ‘password-less’ authentication. This eliminates passwords and relies on multiple authentication methods that are much harder for cybercriminals to compromise. The update will include solutions like biometric authentication, security keys or tokens, one-time codes, and push notifications.
Another change is the shift from ‘patches and updates’ to ‘vulnerability fixes,’ a broader term covering all mechanisms approved by vendors to fix known security flaws. Vulnerability fixes include patches, updates, registry changes, and configuration scripts. Addressing vulnerabilities is a proven method for maintaining secure systems and preventing cybercriminals from exploiting them.
This update also includes revisions to the Cyber Essentials Plus Test Specification Document, which is aimed at assessors conducting Cyber Essentials Plus assessments. Customers can review the updated test criteria to understand the assessment process in detail. You can find more about these specific changes here.
How has Cyber Essentials Changed Over the Years?
Cyber Essentials has increasingly tightened its standards over time, raising security awareness and enhancing standards across UK businesses. The latest evaluations reveal it has contributed significantly to improved cybersecurity practices, a stronger business reputation, and improved security across supply chains.
In April 2023, following updated guidelines from the NCSC, version 3.1 of Cyber Essentials was introduced. The first significant change in this update was that the definition of software now clarifies where firmware is in scope. Firewalls and routers are key security devices, so their firmware and operating systems, and whether these are kept up to date, are extremely important to an organisation’s cybersecurity. This means that when applicants list all devices and servers, they must also include the make and model of all firmware they use.
Asset management also became a focus, emphasising the importance of maintaining accurate information about assets. Proper asset management is critical to everyday operations and decision-making during security incidents. Failure to manage assets properly has led to major breaches, as organisations left vulnerabilities exposed for cybercriminals to exploit. The update also revised malware protection guidelines, offering organisations multiple methods for defending against malware based on the latest vendor research.
Cyber Essentials and Remote Workers
Over the 2021-2023 updates, several changes were made to enhance the cybersecurity of businesses using remote working. The 2023 update clarified which third-party devices fall within an organisation’s cybersecurity scope, ending debates about which devices must meet security controls.
In the 2022 update, any device used by a home worker to access organisational data was classified as in scope, except for routers, unless the employer supplied them. This led to confusion and to loopholes that some organisations tried to exploit.
With the growing use of Software as a Service (SaaS), flexible working models, and the sharing of data with partners or guest users, Cyber Essentials now incorporates the ‘Zero Trust’ architecture. Zero trust architecture treats all networks as untrustworthy and assumed hostile, with access granted only on the basis of an access policy. This is achieved by building context, which relies on strong authentication, authorisation, device health, and the value of the data being shared. This is stricter than the 2022 requirements, which merely brought cloud services into scope; as a result of that earlier change, organisations had to take responsibility for users’ access control and for the secure configuration of these services.
Multi-factor authentication became imperative for access to cloud services in response to several attacks that used a stolen password to gain access. Under the definition of multi-factor authentication in the 2022 update, users were required to have two or more types of credentials before being able to access an account.
How Do They Decide These Changes?
To stay effective in the ever-evolving threat landscape, a team of experts reviews and updates the Cyber Essentials scheme at regular intervals. Insights from the recent impact evaluation help guide these updates, ensuring the scheme stays relevant to current regulations and effectively protects businesses. The involvement of front-line cybersecurity providers, including experts like our own Richard Andreae, ensures the scheme adapts to both regulatory standards and real-world threats, so that Cyber Essentials continues to evolve in ways that actively protect businesses and enhance cybersecurity resilience across the UK.
It’s Time to Get Your Certification
SupPortal is a recognised certification body offering Cyber Essentials and Cyber Essentials Plus. Contact us to discuss the steps you need to take to tackle evolving cyber threats while keeping your business and its assets secure. Protect your reputation and safeguard the future success of your business with Cyber Essentials. Find out more: https://supportal-uk.com/cyber-essentials/