Cyber Essentials: Changes coming for 2026 refresh
The Cyber Essentials scheme regularly goes through revisions, more recently this has become an annual update to stay currently with the industry and emerging threats. Updates are generally released around April time, with this next update being no different.
IASME and the National Cyber Security Centre (NCSC) give applicants around six months’ notice of any updates which are being released to ensure there is enough time to comply with the changes.
Any new Cyber Essentials certificates which are created on the date of release or afterwards will be on the new question set. You’ll be able to review the new question set, when released, by checking the IASME website which can be found here: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions
What are the upcoming changes?
Multi-factor authentication: For any cloud-based systems that support the use of multi-factor authentication, whether it’s implemented as part of the system, or is an additional add-on, whether free or requires purchasing, must be enabled. Otherwise, this will be a failure of the assessment.
A new definition added: Cloud services has been added to the IT Requirements document for Cyber Essentials; this definition defines what the cloud is and includes a statement stating that cloud services cannot be excluded from any scoping requirements for certification.
Scoping changes: Moving forward from 2026, you will have to justify the reasoning why you have excluded any infrastructure from the certification scope.
Rewording of some questions: Some questions have been slightly reworded around the bases about inbound and outbound untrusted connections. The “untrusted” has now been removed from these questions.
Further guidance: The further guidance about backing up has been moved from the back of the Cyber Essentials Requirements for IT Infrastructure document, to earlier in the document. This is to raise awareness of the importance of backing up date.
For more information and to stay up to date with the latest release of Cyber Essentials, ensure you keep an eye on the IASME website.