Upcoming Changes to Cyber Essentials and Cyber Essentials Plus – April 2025 Update

As part of our commitment to keeping our clients informed and secure, we want to highlight the forthcoming updates to the Cyber Essentials and Cyber Essentials Plus schemes, effective from 28 April 2025.

Most of these changes are minor, but they still matter for anyone who wants to maintain certification and strengthen their organisation's cybersecurity posture.

What is Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against the most common cyber threats. It outlines a clear set of basic security controls that businesses should have in place, such as secure configuration, access control, malware protection, patch management, and firewalls.

Cyber Essentials Plus covers the same five controls but adds independent assurance: an assessor from a Certification Body carries out hands-on technical testing of a sample of your devices, giving a higher level of confidence that the controls are actually in place and working.

Together, these certifications provide a solid foundation for cybersecurity and demonstrate that your business takes digital risk seriously. As a point of pride - and to also show our commitment to everyone we work with - we've been Cyber Essentials Plus certified every year since 2018.

Why Your Business Needs Cyber Essentials

Cyber Essentials isn't just a badge - it's a practical, affordable framework to reduce cyber risk and boost customer confidence.

Here's why it matters:

  • Protects against 80% of common attacks: Most cyberattacks exploit basic vulnerabilities. Cyber Essentials helps eliminate those gaps.

  • Builds trust with clients and stakeholders: Certification shows you take cybersecurity seriously — especially important in supply chains and regulated sectors.

  • Meets government and industry requirements: Many public sector contracts now require Cyber Essentials as a minimum standard.

  • Supports cyber insurance: Some insurers view certification as a sign of reduced risk, which may impact premiums or eligibility.

  • Improves internal awareness and accountability: The certification process often highlights overlooked risks and sharpens internal security practices.

What’s changing in April 2025?

1. Terminology Updates

  • "Plugins" will become "Extensions": The term "plugins" is being replaced with "extensions" to better reflect the terminology commonly used across browsers and modern applications.

  • "Home Working" will change to "Home and Remote Working": The new wording covers the full range of locations staff may connect from, such as coffee shops, hotels and co-working spaces. In short, anywhere beyond the home or the office.

2. Passwordless Authentication Now Accepted

Cyber Essentials will now formally recognise passwordless authentication as a valid method of user access control. This is a significant step forward in supporting secure login methods that reduce reliance on traditional passwords.

Accepted methods include:

  • Biometric authentication – such as facial recognition or fingerprints

  • Security keys or tokens – e.g., USB keys or smart cards

  • One-time codes – sent via email, SMS, or authenticator apps

  • Push notifications – where users confirm access attempts on their devices

By broadening the range of acceptable authentication methods, the scheme aligns more closely with modern security practice. Bear in mind that these methods are not equally strong: hardware security keys using FIDO2/WebAuthn are phishing-resistant, whereas one-time codes delivered by SMS or email can be intercepted or phished, so choose the method that matches the risk of the account being protected.

3. Broader Definition of Vulnerability Fixes

The phrase "patches and updates" will be replaced by the more inclusive term "vulnerability fixes". This change makes clear that any vendor-approved method of fixing a known vulnerability counts, not only a traditional software update.

This includes:

  • Registry changes

  • Configuration adjustments

  • Vendor-supplied scripts

Organisations will need to show that such fixes are applied within 14 days of the vendor releasing them wherever the vulnerability is rated critical or high risk by the vendor, carries a CVSS v3 base score of 7 or above, or comes with no severity details at all. Because registry changes and configuration adjustments leave no entry in a patch log, you will also need a record of when each of these fixes was applied.
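The 14-day rule is easy to state but awkward to track once "fixes" include registry changes and vendor scripts alongside ordinary updates. The following Python is an added example, not code from the original page or from the scheme: it records each fix with the date the vendor released it and the date it was applied, decides whether the 14-day window applies (critical/high vendor rating, CVSS v3 base score of 7 or above, or no severity details published), and flags anything applied late or still outstanding. The fix references, dates and scores are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials window for applying a vendor fix to a critical/high-risk vulnerability,
# measured from the date the vendor released the fix.
FIX_WINDOW = timedelta(days=14)
# CVSS v3 base score at or above which the 14-day rule applies.
CVSS_HIGH_RISK = 7.0


@dataclass
class VulnerabilityFix:
    """One vendor-approved fix: a patch, a registry change, a config change or a script."""
    ref: str                              # constructed reference, e.g. "KB-0001" (hypothetical)
    fix_type: str                         # "patch", "registry", "config" or "script"
    released: date                        # date the vendor made the fix available
    applied: Optional[date]               # date the fix was applied, None if still outstanding
    cvss_v3: Optional[float] = None       # None when the vendor published no score
    vendor_rating: Optional[str] = None   # "critical", "high", "medium", ... or None if unstated


def requires_14_day_fix(v: VulnerabilityFix) -> bool:
    """True when the 14-day rule applies: vendor-rated critical/high, CVSS v3 >= 7.0,
    or no severity details published at all (the rule then applies by default)."""
    if v.vendor_rating and v.vendor_rating.lower() in ("critical", "high"):
        return True
    if v.cvss_v3 is not None and v.cvss_v3 >= CVSS_HIGH_RISK:
        return True
    return v.cvss_v3 is None and v.vendor_rating is None


def assess(v: VulnerabilityFix, today: date) -> str:
    """Classify one fix as 'ok', 'due' (outstanding but inside the window),
    'late' (applied after the deadline, or outstanding past it) or 'not-in-scope'."""
    if not requires_14_day_fix(v):
        return "not-in-scope"
    deadline = v.released + FIX_WINDOW
    if v.applied is not None:
        return "ok" if v.applied <= deadline else "late"
    return "due" if today <= deadline else "late"


def report(fixes: list[VulnerabilityFix], today: date) -> dict[str, str]:
    """Map each fix reference to its assessment, the record an assessor would ask for."""
    return {v.ref: assess(v, today) for v in fixes}


# Constructed sample register covering the fix types the scheme now recognises.
SAMPLE_FIXES = [
    VulnerabilityFix("KB-0001", "patch", date(2025, 5, 1), date(2025, 5, 10), cvss_v3=9.8),
    VulnerabilityFix("REG-0002", "registry", date(2025, 5, 1), date(2025, 5, 20), vendor_rating="high"),
    VulnerabilityFix("CFG-0003", "config", date(2025, 5, 10), None),           # no severity details
    VulnerabilityFix("KB-0004", "patch", date(2025, 4, 1), date(2025, 5, 1), cvss_v3=5.3, vendor_rating="medium"),
]

if __name__ == "__main__":
    for ref, status in report(SAMPLE_FIXES, date(2025, 5, 20)).items():
        print(f"{ref}: {status}")
```

Running it on 20 May 2025 reports KB-0001 as ok, REG-0002 as late (a registry change applied five days after the deadline counts as a missed fix just as a late patch would), CFG-0003 as due (no severity details, so the window applies and it has four days left) and KB-0004 as not-in-scope. Feed it your real register, with the applied date taken from change records for registry and configuration fixes, and the output is the evidence trail the 14-day requirement asks for.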

4. Cyber Essentials Plus – Updates to Test Specification

Several key updates have been made to the Cyber Essentials Plus testing process to strengthen assurance and clarify expectations for assessors and applicants:

  • Scope verification: Assessors must verify that the scope of assessment aligns with the Cyber Essentials self-assessment submission.

  • Network segregation: If only part of the organisation is in scope, assessors must confirm that the in-scope environment is appropriately segregated from out-of-scope systems.

  • Device sample sizing: The sample size for device testing must be calculated using IASME's approved methodology.

  • Evidence retention: Certification bodies must retain all supporting evidence for the certificate's lifetime.

Preparing for the Changes

These updates reflect the evolving threat landscape and are intended to future-proof the Cyber Essentials scheme. By the time you read this the changes will already be in force, so organisations should work through the following steps now:

  • Reviewing password policies and considering passwordless alternatives

  • Updating remote working practices to ensure complete coverage

  • Re-evaluating how vulnerability fixes are applied and documented

  • Aligning your internal processes with Cyber Essentials Plus assessment criteria

How Fifosys Can Support You

At Fifosys, we provide tailored cybersecurity support to help businesses not only meet compliance standards but also build robust, long-term cyber resilience.

Our team stays ahead of regulatory changes, so you don't have to.

Whether you need help with certification, implementing secure remote work practices, or reviewing your endpoint management strategy, we're here to help.

Get in touch today to find out how we can help your business prepare for the April 2025 Cyber Essentials changes.
