Changes to Cyber Essentials in 2025

The National Cyber Security Centre and IASME, who run the UK Cyber Essentials Scheme, have now confirmed the latest changes that will come to the scheme in 2025.

The scheme is now regularly refreshed to stay current, to ensure that the security of businesses which achieve certification is kept in check and that the latest technology is kept in mind. The time has come for a new update, which will go live on the 28th April 2025.

Until this time, if you are going for your first certification or renewing your existing certificate, you will be assessed against the current Montpellier question set.

Along with the scheme changes that we will discuss in this blog article, there are some updates to reference documents which you will also need to review to ensure compliance. These are as follows:

So what will change from the 28th April 2025? Well, you’ll be glad to know there are no huge sweeping changes, mainly small changes and changes to definitions which are used in the scheme and associated documents. These changes are aimed at making the scheme easier for businesses to understand and comply with.

Software

The first change is in the software section of the scheme and associated documents: the term ‘plugins’ is now changed to ‘extensions’, as this can encompass a wider area when it comes to software. So, this could also include browser plugins.

Home & remote working

Where the scheme talks about ‘home working’, this has now been changed to ‘home and remote working’, as it fits better with the current work trend. The new terminology recognises that people work remotely and should also be included in the scheme, so it is not just limited to people who work from home. This remote reference now ensures that people who are working remotely in cafes, abroad and so on are also included in the assessment.

Authentication

Another area which has been looked at and updated is the authentication section, which now considers passwordless authentication to systems and services. The scheme now understands that people are making use of this new way of authenticating against systems, and if you use passwordless login, you can select this option in the new version.

The passwordless options are to be defined in the scheme in the same way as multi-factor authentication, in that the technology is an authentication method to allow authentication that the end user knows.

The four methods of multi-factor authentication will remain the same as in previous versions.

Vulnerabilities

The next section, vulnerability fixes, will, in my opinion, be the biggest area that will affect people. Firstly, the Software Update Management section now includes information about what ‘fixes’ means and gives the end user more information about what is required of them.

Previously when it came to security vulnerabilities and the Cyber Essentials Scheme, you had to patch high and critical security updates that had a CVSS score of 7 or above, which didn’t include the need to perform configuration changes in the registry, configuration files and so forth. However, in the new version, if you have any vulnerabilities which have been identified via scanning, you will need to perform whatever is required to ensure compliance, so you may have to perform configuration file changes, registry changes, or numerous other changes, which have been defined by the vendor who has released a security update.

And that’s about it. As you can see, there are not huge changes, but there are some areas that will likely affect you from 2025 onwards. If you would like to achieve Cyber Essentials or have any questions about the scheme, don’t hesitate to get in touch with us.