As a Cyber Essentials certifying body, we continuously help our clients stay compliant with the latest standards in cyber security. Cyber Essentials, the UK government-backed scheme, evolves regularly to address new cyber threats. IASME, the body that overseas the scheme, have announced changes coming in April 2025, and here’s a summary of what IT teams and businesses need to know.
Why are Cyber Essentials Requirements Changing?
Cyber security threats are constantly evolving, and so must the controls that mitigate them. The Cyber Essentials scheme, designed to protect against common cyber attacks, is regularly reviewed by experts to ensure its relevance. With the last significant overhaul in 2022, the upcoming April 2025 update reflects the latest trends in IT and cyber security. Though these changes are more focused on terminology and clarification, they are crucial in ensuring the scheme remains up-to-date.
Key Changes for April 2025
- Updated Terminology:
- Plugins → Extensions: The term “plugins” has been revised to “extensions” for better clarity when referring to software add-ons.
- Home Working → Home and Remote Working: Acknowledging the variety of locations from which employees now work, “remote working” has been added to account for untrusted networks like cafes, hotels, and public spaces.
- Passwordless Authentication: The future of authentication is moving away from traditional passwords, which are prone to being reused, forgotten, or compromised. The Cyber Essentials update reflects the growing adoption of passwordless authentication, which uses other forms of identity verification, such as biometrics, security keys, or push notifications. This method will now be included alongside multi-factor authentication (MFA), making it easier for businesses to use modern, secure access methods.
- Vulnerability Fixes: The term “patches and updates” will be replaced by “vulnerability fixes,” covering a broader range of security actions beyond just patches. These fixes include registry updates, configuration changes, and scripts that mitigate vulnerabilities before they can be exploited. This ensures that businesses are focusing on comprehensive vulnerability management, regardless of the method used by software vendors.
Changes to Cyber Essentials Plus Testing:
For organisations pursuing Cyber Essentials Plus certification, assessors will follow updated guidance:
- If the scope is not organisation-wide, assessors will ensure that sub-sets of the organisation are properly segregated.
- Verification of device sample sizes and retention of all evidence will be mandatory for the certification body throughout the certificate’s lifetime.
What This Means for Businesses
While these changes may seem minor, they highlight the continuous improvements needed to keep pace with advancing cyber threats. Organisations should be prepared for the upcoming shift, particularly with the growing trend of passwordless authentication and more comprehensive vulnerability management.
These updates emphasise the importance of maintaining strong cyber hygiene as threats evolve over time. By staying compliant with these latest changes, businesses can better protect themselves, their data, and their supply chains from potential cyber threats.
At Consider IT, we remain committed to ensuring that all our clients meet Cyber Essentials standards, staying ahead of cyber security threats with the latest, government-approved guidance. Get in touch if you need support with Cyber Essentials or Cyber Essentials Plus certification to protect your organisation.
