What will the changes be to Cyber Essentials and Cyber Essentials Plus in the April 2025 update?

Sep 23, 2024 | Cyber Essentials

We aim to ensure that everyone who is applying for Cyber Essentials certification is given adequate time to preview any planned updates to the scheme.

The next annual update will not ‘go live’ until April 2025. However, we are outlining the minor updates to the Cyber Essentials Requirements for IT Infrastructure document now to allow preparation for any applications started on or after 28 April 2025.

Copies of the relevant documents are available here:

Cyber Essentials Requirements

Cyber Essentials Plus Test Specification

Cyber Essentials Free Download of Self Assessment Questions

Why does Cyber Essentials keep changing?

The government approved Cyber Essentials scheme includes five technical controls that help protect organisations from the most common cyber attacks. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government-approved, minimum level of cyber security in place and can be trusted with their data and business.

In order to stay effective in the ever-evolving threat landscape, a team of experts review and update the Cyber Essentials scheme at regular intervals. In January 2022, the scheme received a major overhaul made necessary by the digital transformation accelerated by the Covid pandemic.

Technology is advancing at an increasing pace and the Cyber Essentials requirements must continue to adapt and change to stay relevant and valid.

What will the changes to Cyber Essentials in April 2025 look like?

The April 2025 changes to the Cyber Essentials Requirements for IT Infrastructure document V3.2 are fairly minor and apply mostly to the definitions.

Under software, the term ‘plugins’ has been changed to ‘extensions’ for improved accuracy.

References to ‘home working’ has been changed to ‘home and remote working’. The inclusion of ‘remote’ working acknowledges that working away from the company network may not be limited to home working and often includes working within untrusted networks such as cafes, hotels, trains and other shared spaces.

Passwordless

Authentication methods that do not require a password at all are growing more commonplace and Cyber Essentials has needed to address this technology. Passwords have until recently been the default method of authentication for a huge range of accounts and services both at home and at work. Despite being accessible, cheap and portable, passwords are often reused, forgotten, guessed, brute-forced and stolen. The vulnerability of passwords was one of the reasons the Cyber Essentials requirements changed in 2022 to mandate the additional use of multi-factor authentication for all accounts and services available over the internet.

True passwordless authentication eliminates the need for passwords altogether, providing alternative forms of authentication to enable secure user access. This technology will always use more than one factor of authentication, and although there is no password, the other two or more factors can involve digital certificates operating in the background, cryptographic methods, or additional biometric checks combined with codes from authentication apps.

Passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication, “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity“.

There are numerous methods of verifying identity without using traditional passwords. Here are some common examples; sometimes these are used in combination:

  • Biometric authentication: Uses biological traits of the user such as fingerprints or facial features to confirm their identity
  • Security keys or tokens: Physical hardware devices such as USB security keys or smart cards
  • One-time codes: Temporary codes are sent via email, SMS, or a mobile app
  • Push notifications: A prompt on a smartphone to approve or deny a login attempt

Read the full NCSC guidance about trusted authentication methods

Vulnerability fixes 

There is also a requirement change associated with patching and updating software under the control, security update management section.  It’s a recognised cyber security principle that if you have a vulnerability on a software system, it needs to be fixed before cyber criminals can exploit it. The vendors or the manufacturers of the software and the operating systems repair the vulnerability by releasing patches and updates, but they’re also doing it in other ways. These include registry fixes, configuration changes, or running scripts provided by the vendor.

In the Cyber Essentials requirements document, the description that used to be ‘patches and updates’. will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods.

Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.

The section within security update management has been updated to describe ‘fixes’.

Product vendors provide fixes for vulnerabilities identified in products that they still support, in the form of patches, security updates, registry fixes, scripts, configuration changes or any other mechanism prescribed by the vendor to fix a known vulnerability.

Future changes to the Cyber Essentials Plus Test Specification document

This document is aimed at the Assessors who conduct Cyber Essentials Plus assessments on behalf of Certification Bodies. We publish it for information so customers can see what test will be carried out.

Changes include:

  • The word, ‘illustrative’ has been dropped from the name of the Cyber Essentials Plus test specification document
  • The scope of the Cyber Essentials Plus assessment must match the associated Cyber Essentials self-assessment and be verified by the Assessor
  • When the Cyber Essentials self-assessment scope is not ‘whole organisation’, it must be verified by the Assessor that any sub-sets have been segregated correctly
  • The Assessor must verify that the device sample size has been calculated correctly using the method determined by IASME
  • All verification evidence must be retained by the Certification Body for the lifetime of the certificate