Stay Ahead of Cyber Threats: Get Ready for the 2025 Cyber Essentials Updates
The NCSC has announced upcoming updates to the Cyber Essentials certification that could impact how organisations complete the self-assessment process. Although these changes won’t officially take effect until April 2025, we’re sharing the details now to help businesses prepare for any applications starting on or after April 28, 2025.
Cameron Lewis | 30th September 2024
The NCSC has announced upcoming updates to the Cyber Essentials certification that could impact how organisations complete the self-assessment process. Although these changes won’t officially take effect until April 2025, we’re sharing the details now to help businesses prepare for any applications starting on or after April 28, 2025. The updated Cyber Essentials Requirements for IT Infrastructure document is available on the NCSC website.
Why Are Cyber Essentials Updates Necessary?
The government-approved Cyber Essentials scheme is designed to help organisations defend against the most common cyber attacks by implementing five essential technical controls. Earning a Cyber Essentials certification badge demonstrates to customers, investors, and partners that your organisation has met the government’s minimum cyber security standards, instilling confidence in your ability to protect sensitive data.
Given the fast-paced nature of cyber threats, regular reviews and updates are crucial to keep the certification relevant. For example, in January 2022, the scheme underwent a major overhaul in response to the accelerated digital transformation driven by the pandemic. As technology evolves, so must the Cyber Essentials requirements to ensure they remain effective in safeguarding organisations.
What’s Changing in April 2025?
The 2025 update to the Cyber Essentials Requirements for IT Infrastructure (version 3.2) includes minor changes, mostly affecting definitions.
- Terminology Updates: The term ‘plugins’ has been updated to ‘extensions’ for greater clarity, and references to ‘home working’ now include ‘home and remote working’ to cover working in untrusted networks like cafes, hotels, and other shared spaces.
Embracing Passwordless Authentication
As passwordless authentication becomes more widespread, the Cyber Essentials scheme looks to incorporate this growing technology. While passwords have long been the standard for authentication, they are vulnerable to misuse and cyber attacks, which is why multi-factor authentication became mandatory in 2022.
True passwordless authentication using methods like digital certificates, cryptographic keys, or biometric data offers an even more secure way to authenticate users. This technology still relies on multiple factors but eliminates the need for traditional passwords, reducing the risk of security breaches.
Here are some common methods of passwordless authentication:
- Biometric Authentication: Using fingerprints or facial recognition.
- Security Keys or Tokens: Physical devices like USB keys or smart cards.
- One-time Codes: Temporary codes sent via email, SMS, or apps.
- Push Notifications: Approving or denying login attempts via a smartphone.
Passwordless authentication is now officially defined within Cyber Essentials as an authentication method that uses factors beyond user knowledge to verify identity.
Streamlined Vulnerability Fixes
Another update addresses the management of software vulnerabilities. Previously referred to as ‘patches and updates,’ this section has been broadened to ‘vulnerability fixes’ to reflect the variety of ways issues are addressed, including registry fixes, configuration changes, and vendor-provided scripts.
Vulnerability fixes are essential in maintaining security, and this change ensures that the updated requirements cover all possible methods for addressing vulnerabilities.
Future Changes to the Cyber Essentials Plus Test Specification
For organisations pursuing Cyber Essentials Plus certification, there are a few updates to the test specification aimed at making the assessment process clearer and more robust:
- The term ‘illustrative’ has been removed from the title of the test specification.
- The scope of the Cyber Essentials Plus assessment must match the Cyber Essentials self-assessment, with verification from the Assessor.
- The Assessor will confirm that device sample sizes are calculated correctly using IASME's method.
- Certification Bodies are now required to retain all verification evidence for the lifetime of the certificate.
These updates ensure that Cyber Essentials continues to provide a trusted and thorough framework for cyber security, keeping pace with the ever-evolving threat landscape.
Looking For Cyber Security?
Enquire about our comprehensive Cyber Security Services today.