Stay Ahead of Cyber Threats: Get Ready for the 2025 Cyber Essentials Updates

The NCSC has announced upcoming updates to the Cyber Essentials certification that could impact how organisations complete the self-assessment process. Although these changes won’t officially take effect until April 2025, we’re sharing the details now to help businesses prepare for any applications starting on or after April 28, 2025.

Read Article
a picture of a man at laptop

Cameron Lewis | 30th September 2024


The NCSC has announced upcoming updates to the Cyber Essentials certification that could impact how organisations complete the self-assessment process. Although these changes won’t officially take effect until April 2025, we’re sharing the details now to help businesses prepare for any applications starting on or after April 28, 2025. The updated Cyber Essentials Requirements for IT Infrastructure document is available on the NCSC website.

Why Are Cyber Essentials Updates Necessary?

The government-approved Cyber Essentials scheme is designed to help organisations defend against the most common cyber attacks by implementing five essential technical controls. Earning a Cyber Essentials certification badge demonstrates to customers, investors, and partners that your organisation has met the government’s minimum cyber security standards, instilling confidence in your ability to protect sensitive data.

Given the fast-paced nature of cyber threats, regular reviews and updates are crucial to keep the certification relevant. For example, in January 2022, the scheme underwent a major overhaul in response to the accelerated digital transformation driven by the pandemic. As technology evolves, so must the Cyber Essentials requirements to ensure they remain effective in safeguarding organisations.

What’s Changing in April 2025?

The 2025 update to the Cyber Essentials Requirements for IT Infrastructure (version 3.2) includes minor changes, mostly affecting definitions.

  • Terminology Updates: The term ‘plugins’ has been updated to ‘extensions’ for greater clarity, and references to ‘home working’ now include ‘home and remote working’ to cover working in untrusted networks like cafes, hotels, and other shared spaces.

Embracing Passwordless Authentication

As passwordless authentication becomes more widespread, the Cyber Essentials scheme looks to incorporate this growing technology. While passwords have long been the standard for authentication, they are vulnerable to misuse and cyber attacks, which is why multi-factor authentication became mandatory in 2022.

True passwordless authentication using methods like digital certificates, cryptographic keys, or biometric data offers an even more secure way to authenticate users. This technology still relies on multiple factors but eliminates the need for traditional passwords, reducing the risk of security breaches.

Here are some common methods of passwordless authentication:

  • Biometric Authentication: Using fingerprints or facial recognition.
  • Security Keys or Tokens: Physical devices like USB keys or smart cards.
  • One-time Codes: Temporary codes sent via email, SMS, or apps.
  • Push Notifications: Approving or denying login attempts via a smartphone.

Passwordless authentication is now officially defined within Cyber Essentials as an authentication method that uses factors beyond user knowledge to verify identity.

Streamlined Vulnerability Fixes

Another update addresses the management of software vulnerabilities. Previously referred to as ‘patches and updates,’ this section has been broadened to ‘vulnerability fixes’ to reflect the variety of ways issues are addressed, including registry fixes, configuration changes, and vendor-provided scripts.

Vulnerability fixes are essential in maintaining security, and this change ensures that the updated requirements cover all possible methods for addressing vulnerabilities.

Future Changes to the Cyber Essentials Plus Test Specification

For organisations pursuing Cyber Essentials Plus certification, there are a few updates to the test specification aimed at making the assessment process clearer and more robust:

  • The term ‘illustrative’ has been removed from the title of the test specification.
  • The scope of the Cyber Essentials Plus assessment must match the Cyber Essentials self-assessment, with verification from the Assessor.
  • The Assessor will confirm that device sample sizes are calculated correctly using IASME's method.
  • Certification Bodies are now required to retain all verification evidence for the lifetime of the certificate.

These updates ensure that Cyber Essentials continues to provide a trusted and thorough framework for cyber security, keeping pace with the ever-evolving threat landscape.

Looking For Cyber Security?

Enquire about our comprehensive Cyber Security Services today.

Talk To UsOur Services

Related posts

Get the latest news and insights on cyber security.

Articles
3
min read

Managing AI Technology in A Way That Makes Your Clients Trust You – Part 1

The explosion of AI technology is taking the world by storm. However, there is a lot of apprehension around the amount of data it possesses, the confidentiality of the data and the potential impacts of the data. Here in comes ISO 42001:2023 – Artificial Intelligence Management System. This ISO Standard looks to ensure organisations are appropriately controlling their use or development of AI by taking in the potential “Impacts” the AI technology could have.
Read more
Blog
3
min read

What Makes 3CT Security The Preferred Choice for Attaining Cyber Essentials?

In today's competitive market, selecting the right partner for your business’s information security needs is crucial and with multiple consultancies out there, customers have more choice than ever before.
Read more
Blog
2
min read

How to Obtain Cyber Essentials Certification

Have you ever wondered what's involved in the process of obtaining Cyber Essentials Certification? The process is quick and simple and involves three easy steps, which we've detailed in this blog.
Read more
Blog
4
min read

How Cyber Essentials Can Power You To New Growth

As you know, Cyber Essentials is an effective, Government backed scheme that will help you to protect your organisation, against a range of the most common cyber-attacks.
Read more
Case Studies
5
min read

Code Software Achieves ISO 27001 with 3CT Security

"We knew we needed to consult experts in the field to help solve this potential challenge in the most efficient way with minimal impact on the day to day running of the company." Mark Armstrong, CEO | Code Software
Read more
Blog
2
min read

Empowering Tomorrow: The Rise of 3CT Security

Three years ago, Cameron Lewis and Thomas Dold recognised the pressing need for cyber security services and embarked on a journey to establish 3CT Security.
Read more
Partnership
4
min read

3CT Security & Validato Forge Strategic Partnership

3CT Security are excited to announce our strategic partnership with Validato, a leading provider of security control validation technology.
Read more
Blog
5
min read

Understanding Cyber Essentials Certification

Cyber Essentials, a government-backed scheme, provides a framework to help organizations protect themselves against common online threats. But who exactly needs this certification, and who actively uses it? Let’s dive in
Read more
View all