Upcoming changes to Cyber Essentials in April 2025 and their potential impact
The Cyber Essentials scheme is set for its first major update since April 2023. The forthcoming revision, designated as version 3.2, will take effect from April 28th, 2025.
All assessments that start on or after this date will therefore be conducted against the new requirements, using a refreshed question set named "Willow".
Since its launch in 2014, Cyber Essentials has been revised several times, and the 2025 changes continue the scheme's effort to keep pace with evolving threats. The intent is that participants keep improving their security controls rather than treating certification as a one-off exercise.
Both the standard versions—Cyber Essentials and Cyber Essentials Plus—are set to be updated. These updates will encompass new requirements for Cyber Essentials and modified test specifications for Cyber Essentials Plus.
In this blog, we will present a side-by-side comparison of the current and revised requirements documents, so you can easily assess how the updates might affect your organisation’s path to compliance starting April 2025. Additionally, we'll provide insights into best practices to prepare for these changes and share our general thoughts about the updates.
Updates to Cyber Essentials IT Infrastructure Requirements (v3.2):
The upcoming release from the National Cyber Security Centre (NCSC), which oversees the requirements for Cyber Essentials, features an updated document but does not introduce new technical controls. The core themes of the controls remain consistent:
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Control
- Malware Protection
These five control themes give organisations a framework against which to evaluate their existing technical controls, policies and procedures, and to make whatever adjustments are needed to meet the scheme's requirements. The requirements are deliberately foundational, but they reflect accepted good practice for running a secure environment, and implementing them properly measurably reduces the likelihood of a successful attack. An impact evaluation by Such et al. (2015) found that the scheme's technical controls, when implemented, would mitigate 99% of the internet-originating vulnerabilities in its sample (see the "Key findings" section of the report on gov.uk). Beyond the controls themselves, adopting the standard helps build a security culture in which measures are reviewed and improved continuously.
Comparison of the changes
Key:
Minor: a light update to wording (including definitions), or a modification to a technical control that is unlikely to affect most organisations
Major: a substantial update to wording or to a control theme, or a modification to a technical control that may affect an organisation's ability to achieve certification
Change: | Passwordless guidance added to User Access Control and Passwordless definition and description added |
Rating: | Minor |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Password-based authentication required either multi-factor authentication or a minimum of 8 characters with automatic blocking of common passwords; where neither was used, a minimum of 12 characters was required. Other controls such as IP whitelisting were accepted, and applicants could describe their own control where none of the listed options applied | Passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity. Examples include but are not limited to; biometric data, physical devices, one-time codes, QR codes, and push notifications | A subtle but significant update that brings modern user-access controls into the scheme's language. Passwordless authentication removes the static, user-chosen secret that attackers steal, guess or find reused across sites, and replaces it with factors such as biometrics (fingerprint or facial recognition), hardware tokens or one-time codes delivered to a trusted device. Not all of the listed methods offer the same protection, however: one-time codes and push notifications can still be phished or approved by a fatigued user, whereas hardware-backed authenticators bound to the service (for example FIDO2 security keys or platform authenticators) resist credential phishing. We welcome the NCSC's clear definitions, which will help organisations judge whether an existing passwordless deployment already meets the requirement or needs adjusting before the new standard applies. |
Change: | Software definition updated |
Rating: | Minor |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Software: includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware. | Software: includes operating systems, commercial off-the-shelf applications, extensions, interpreters, scripts, libraries, network software and firewall and router firmware. | A subtle change of terminology, replacing “plugins” with “extensions”. The two terms are often treated as synonyms but are not quite the same, so the change could cause some confusion. Plugins typically add specific functionality inside a host application and often depend on external code or frameworks; extensions usually add features or customisation to web browsers such as Chrome, Firefox or Edge. Without further clarification from the NCSC or IASME, the reasonable reading is that browser extensions are now explicitly in scope: wherever a requirement refers to “software”, extensions must be considered too. For instance, requirement 3 on security update management, which states “ensure that devices and software are not vulnerable to known security issues for which fixes are available”, would now implicitly require browser extensions to be kept up to date as well. |
Change: | Vulnerability fix definition added and update to security update management control to include vulnerabilities that are fixed by manual configuration only |
Rating: | Major |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Didn’t exist | Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability. | The first significant update is to requirement 3, “security update management”, and it broadens the scope considerably. Previously, applicants had to apply patches for vulnerabilities rated critical or high (a CVSS v3 base score of 7.0 or above, or described as critical or high risk by the vendor) once the vendor's update had been available for more than 14 days. The revised requirement also covers vulnerabilities of the same severity that are not addressed by a traditional patch or update but are resolved by other vendor-approved means: registry fixes, configuration changes, scripts, or any other mechanism the vendor provides to fix a known vulnerability. A familiar example is the WinVerifyTrust signature validation vulnerability, whose fix is a Windows Registry change rather than a patch. In a Cyber Essentials Plus (CE+) audit this has typically been reported as an advisory: we would urge the applicant to address it because of its direct impact on device security, but leaving it unresolved did not by itself fail the audit. The change is a positive one, because misconfigurations scored critical or high weaken an organisation's security posture just as an unpatched binary does, and a process that tracks patches alone leaves those gaps open. Applicants should prepare by running authenticated vulnerability scans of in-scope end user devices and servers on a regular schedule, and by establishing a process that resolves any critical and high findings, including configuration-only fixes, within the 14-day window. |
Change: | References to ‘home working’ changed to ‘home and remote working’ |
Rating: | Minor |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Home working | Where home working was referenced in the document this has been changed to ‘home and remote working’. | A minor update that makes the wording more inclusive of home and remote workers. It makes clear to applicants that not only office-based staff but also home workers, travelling employees and on-site staff, together with their devices, fall within the scope of the requirements. This extends to Bring Your Own Device (BYOD) arrangements where personal devices are used to access work-related data or organisational services. The adjustment reinforces the need to secure every endpoint that interacts with corporate assets, regardless of location. |
Updates to the Cyber Essentials Plus Test Specification v3.2, April 2025
The NCSC has also issued an updated test specification. The vast majority of test cases are unchanged and no new test cases have been introduced, but the changes to the requirements document flow directly into test case 2, and additional activities have been added to the audit to verify scope. The test cases are:
- Test Case 1: Remote vulnerability assessment
- Test Case 2: Check patching through authenticated vulnerability scanning of devices (updated)
- Test Case 3: Check malware protection
- Test Case 4: Check multi-factor authentication configuration
- Test Case 5: Check account separation
Cyber Essentials Plus remains the highest level of achievement within the scheme. It is recognised by Crown Commercial Service and increasingly required by various sectors as a condition of doing business. The certification delivers real security benefit because an assessor tests, hands-on, the controls declared in the self-assessment, confirming they are configured to protect the organisation from commodity, low-skill attacks.
It is worth noting that while low-skilled attackers may not seem a significant threat, they routinely target smaller organisations, looking for weak patching processes or configuration errors: the low-hanging fruit. Smaller organisations are particularly exposed because they often lack mature security practices. Cyber Essentials Plus provides an effective hands-on evaluation of your technical controls, in effect a simulated attack within a controlled environment. It is always preferable to identify and fix issues in a simulation than to learn of them through an actual breach and the losses that follow.
Now that we've covered the introduction to CE+, let's delve into the specific changes to the tests that will be conducted from April 2025.
Change: | Verification of scope |
Rating: | Major |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Didn’t exist | Verified that the scope of the Cyber Essentials Plus assessment matches the scope described by the valid Cyber Essentials self-assessment certificate; verified by technical means that the scope of the Cyber Essentials Plus assessment matches the networks and systems being assessed | A major change to the standard rather than to the test cases themselves: an additional activity performed as part of the audit. The assessor must now confirm that the scope of the CE+ audit matches what was declared in the self-assessment. IASME has not yet published guidance on how this will be done, so what follows is our assumption. We expect it to involve reviewing asset management systems such as Intune for device quantities and the operating systems in use. Any discrepancy can introduce what is known as “scope creep”: newly discovered devices, or changes to the quantities originally provided, may increase the sample size and require additional testing time. To prepare, Claranet advises applicants to export asset registers from their management systems and upload them with the self-assessment, so that both parties have greater assurance that the review of the management system during the audit will not turn up surprises. The second clause uses the wording “by technical means”. We assume the assessor will be tasked with verifying that the networks and systems under assessment match the information provided when the engagement was scoped. That sounds close to the reconnaissance performed during an internal penetration test, where the tester runs network scans to establish which networks and connected systems are visible, and it may require the assessor to deploy a virtual machine inside the applicant's network to do so; again, there is no official guidance yet on how the test will actually be performed.
We recommend that applicants begin reviewing their networks for “shadow IT” that an assessor could discover during the audit. If an organisation is concerned about the impact of these additional checks, Claranet recommends a conversation with one of our trained assessors and, potentially, a targeted gap analysis some months before the renewal date. This change adds integrity protection to the scheme and should help applicants surface weaknesses in asset management, which is fundamental to security: you cannot protect what you cannot see. Testing guidelines are usually published closer to release, and Claranet expects to have updated methodologies for applicants to review before testing commences. |
Change: | Verification of segregation by sub-set |
Rating: | Major |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Didn’t exist | Verified by technical means that when the Cyber Essentials self-assessment scope is not ‘Whole Organisation’, any sub-sets have been segregated effectively | Another major change that does not alter the test cases directly but adds a task for the assessor whenever an applicant excludes part of the organisation from scope. Applicants who de-scope networks using VLAN configuration or a boundary firewall will now have that segregation tested to verify it is actually in place. Again, without further guidance from the delivery partner IASME, we can only make assumptions about how this will be checked. We foresee either a manual review of the configuration in the administration console of the firewall or switches enforcing the separation, or a hands-on test such as running an Nmap scan from both sides of the boundary. Where applicants permit specific traffic to cross the boundary, the access control lists may be reviewed to ensure they are configured as intended, and scanning could be used to confirm that only the permitted devices are reachable. This welcome change again adds integrity to the scheme and gives applicants the benefit of having their network segmentation reviewed by a security professional. If applicants have any concerns about this new test, we recommend a review, using internal or external resource, to confirm the configuration is compliant before the audit. Any issues identified during the audit will need to be remediated and re-tested, and applicants have only 30 days to do so. |
Change: | Verification of sampling |
Rating: | Minor |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
Didn’t exist | The Assessor must verify that the sample size has been calculated correctly using the method described by the Delivery Partner. Evidence of how the sample size was calculated must be retained by the Certifying Body for at least the lifetime of the certificate | In our opinion this is a welcome but minor change to the testing activities, and it could be combined with the check that the scope of the Cyber Essentials Plus assessment matches the scope described by the valid Cyber Essentials self-assessment certificate. Pending official guidance on how this will be performed, we assume it will be a review of the applicant's asset management systems to confirm the sample size has been calculated correctly from the total number of assets enrolled. |
Change: | Sub-test 2.1, wording change that now incorporates additional testing |
Rating: | Major |
Old Requirement / Definition | New Requirement / Definition | Claranet's View |
If there are any vulnerabilities which meet the above criteria, and for which the vendor provided patch has been available for more than 14 days prior to testing, record a Fail result for the sub-test. Otherwise, record a Pass result. | If there are any vulnerabilities which meet the above criteria, and the vendor has provided a vulnerability fix which has been available for more than 14 days, record a Fail result for the sub-test. | As discussed under the requirements document, this wording change imports the new definition of a vulnerability fix into the authenticated patching check: patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability. Certain misconfigurations that needed a configuration change to resolve were previously reported as advisories; they are now in scope, and applicants will be required to resolve every critical and high vulnerability identified by the scan for which the vendor has provided a fix. We advise applicants to begin reviewing their vulnerability scan reports for these types of finding now. If vulnerability scanning is not currently in place, organisations should adopt a suitable scanner, whether self-managed or delivered by a third party, chosen from the PCI SSC Approved Scanning Vendor (ASV) list, such as Tenable or Qualys. |
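The WinVerifyTrust case mentioned above, under both the requirements change and sub-test 2.1, shows why the new definition matters: the vendor's fix is a registry value, not a patch, so a patch-only process never closes it and an authenticated scan will keep reporting it. The PowerShell script below is an added example written for this post; it is not Claranet's or the NCSC's tooling. It reports, and with -Remediate applies, Microsoft's documented configuration fix for that issue (MS13-098 / CVE-2013-3900): EnableCertPaddingCheck set to the string "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config and, on 64-bit Windows, under the Wow6432Node path as well. The script name and the exit-code convention are our own assumptions, chosen so the script can double as a detection script in an endpoint management tool.

```powershell
# Added example for this post (not Claranet or NCSC tooling): detect and, with
# -Remediate, apply Microsoft's configuration-only fix for the WinVerifyTrust
# signature validation weakness (MS13-098 / CVE-2013-3900). The fix is a registry
# value, so a patch-only process will never close it; under CE v3.2 it counts as
# a vulnerability fix that must be applied within 14 days of availability.
# Assumed script name: Test-CertPaddingCheck.ps1. Run from an elevated prompt.
param([switch]$Remediate)

$valueName = 'EnableCertPaddingCheck'
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config'
    # 64-bit Windows keeps a second copy for 32-bit callers; both must be set.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
if (-not [Environment]::Is64BitOperatingSystem) { $keys = @($keys[0]) }

function Get-CertPaddingCheckState {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        $current = $null
        if (Test-Path -Path $path) {
            # A missing value yields $null; Microsoft's fix sets REG_SZ "1".
            $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
        }
        [pscustomobject]@{
            Path      = $path
            Value     = $current
            Compliant = ($current -eq '1')
        }
    }
}

$state = Get-CertPaddingCheckState -Paths $keys
$state | Format-Table -AutoSize

$nonCompliant = @($state | Where-Object { -not $_.Compliant })

if ($Remediate -and $nonCompliant.Count -gt 0) {
    foreach ($item in $nonCompliant) {
        # Create the key path only if it is absent, so existing values are untouched.
        if (-not (Test-Path -Path $item.Path)) {
            New-Item -Path $item.Path -Force | Out-Null
        }
        Set-ItemProperty -Path $item.Path -Name $valueName -Value '1' -Type String
        Write-Output "Set $valueName=1 at $($item.Path)"
    }
    # Re-read so the exit code reflects the post-remediation state.
    $nonCompliant = @(Get-CertPaddingCheckState -Paths $keys | Where-Object { -not $_.Compliant })
}

# Exit 1 while any key is non-compliant, so the script can serve as a
# detection script in an endpoint management tool that keys off exit codes.
if ($nonCompliant.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it without arguments to report the current state of both keys, or with -Remediate to set the value. Because the exit code is 1 only while a key is non-compliant, the same script can be pushed fleet-wide to count the hosts that still need the fix before the assessor's authenticated scan does so for you.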
We welcome these changes as they promote continuous improvement of security and validation that protects the integrity of the Cyber Essentials scheme. To be honest, the updates are long overdue.
Meeting Cyber Essentials Plus requirements can seem costly and time-consuming if you have no policies or controls already in place for that area. As with all things in cybersecurity, prevention is better than cure. And the cost of prevention (implementing technical controls, policies, processes and training) is ultimately lower than the cost of cure i.e., repairing the damage caused by a cyber-attack and coughing up the cost of hefty fines from regulators.
Claranet continues to support many customers, including larger organisations that may struggle to meet the requirements, and can help you too. With trained, experienced security consultants, including penetration testers qualified to deliver the scheme, you are in trusted hands. Our assessors go above and beyond and treat Cyber Essentials as an exercise to secure your environment and improve your controls, not merely an audit. We provide a supportive, guided journey to compliance and aim to build long-lasting relationships that help organisations achieve their security goals and commitments.
At Claranet, we enable organisations to demonstrate their security posture and their resilience against cyber threats, so they can meet their auditing and compliance requirements and provide assurances to their key stakeholders that they are meeting widely-accepted security standards.
Contact us to get a roadmap for minimising cyber security risks to your business through training, audits and assessments.