Upcoming Changes to Cyber Essentials and Cyber Essentials Plus in the April 2025 Update

The Government-approved Cyber Essentials scheme, designed to bolster cyber security across organisations of all sizes, is set to receive an update. The scheme helps businesses demonstrate their commitment to essential cyber security standards. Achieving Cyber Essentials certification not only assures customers and partners that an organisation adheres to these standards but also signals a trustworthy approach to protecting data and the business.

Since 2020, the Cyber Essentials scheme has seen the release of three updated versions, with the latest being version 3.1 published in April 2023. The National Cyber Security Centre (NCSC) and IASME regularly review and update the scheme to ensure its relevance and effectiveness. The updated Cyber Essentials version 3.2 will officially come into effect in April 2025. The release of version 3.2 and its associated updates reflects the commitment to refining and enhancing cyber security practices for businesses.

Key changes in the upcoming version 3.2 include:

Software Terminology Update:

• 'Plugins' will be changed to 'extensions' for more accurate terminology.

Remote Working Update:

• 'Home working' will be updated to 'home and remote working', acknowledging the use of untrusted networks (e.g., cafes, hotels) beyond home environments.

Passwordless Authentication:

• Cyber Essentials will address passwordless technology, which eliminates the need for passwords altogether.

• It will be defined similarly to multi-factor authentication: “Passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity.”

• Common methods include:

- Biometric authentication (e.g., fingerprints, facial recognition).

- Security keys or tokens (e.g., USB security keys, smart cards).

- One-time codes (e.g., codes sent via email, SMS, or apps).

- Push notifications (e.g., login approval requests on smartphones).

Vulnerability Fixes Terminology Update:

• The term ‘patches and updates’ will be replaced by ‘vulnerability fixes’ as a broader term to encompass patches, updates, registry fixes, configuration changes, scripts, and other mechanisms approved by vendors to resolve vulnerabilities.

• The security update management section will reflect this terminology change, and all vulnerability fixes will be clearly defined.

Cyber Essentials Plus Test Specification Document Changes:

• The word 'illustrative' will be dropped from the name of the document.

• The scope of the Cyber Essentials Plus assessment must match the Cyber Essentials self-assessment and be verified by the Assessor.

• For non-'whole organisation' scopes, Assessors must verify that any subsets are properly segregated.

• Assessors must ensure the device sample size is calculated correctly using IASME's method.

• Certification Bodies must retain all verification evidence for the certificate's lifetime.

Organisations that initiate assessments before the April 2025 transition will continue to operate under version 3.1. This includes any assessment accounts created before the transition date.

For organisations preparing for the new requirements, understanding these updates will be essential to maintaining certification and ensuring robust cyber security measures. Keep your eyes peeled for further updates and guidance on the upcoming 3.2 version.
