Proudly Accredited for 2025: Cyber Essentials Plus 2025

We’re delighted to report that we’ve once again achieved Cyber Essentials Plus certification, which we’ve consistently held since 2018. For us, this milestone is more than just a renewal: it reflects a core principle of never standing still, especially when it comes to cybersecurity.

Each recertification is an opportunity to prove that we’re not only meeting today’s requirements but anticipating tomorrow’s. It’s how we fulfil the promise we make to every client: robust, evolving protection backed by a culture of continuous improvement.

The Cyber Essentials scheme evolves each year in response to new threats and working practices, and we see that as a chance to raise our own bar. Holding Cyber Essentials Plus year after year demonstrates not only compliance, but leadership — staying ahead of emerging risks, protecting our clients, and setting a standard our team can be proud of.

From our previous blog…

As we outlined in our April 2025 Cyber Essentials update, the key changes include:

  • The term “plugins” has been replaced by “extensions”, a clearer, more modern term for browser and application add-ons.

  • “Home working” has been replaced with “home and remote working”, acknowledging that employees now access systems from cafés, hotels, trains, and co-working spaces.

  • Passwordless authentication is now formally accepted, opening the door to biometrics, security tokens, one-time codes, and push-based logins.

  • The definition of “vulnerability fixes” is broader than before, now including registry changes, configuration updates, and vendor-supplied scripts alongside traditional patches.

  • The Cyber Essentials Plus testing specification now includes more explicit requirements around scope validation, network segregation, and sample-size methodology.

These changes reflect a scheme that’s adapting to modern working styles and tightening its technical rigour.

Confirmed Official Updates

We’ve cross-checked these details with IASME and the official v3.2 scheme documents:

  • IASME confirms that the April 2025 update (version 3.2) is largely a definitions refresh, with terminology changes from “plugins” to “extensions” and “home working” to “home and remote working.” It also formally includes passwordless authentication and redefines vulnerability fixes to include configuration and registry changes, scripts, and patches.

  • The NCSC v3.2 Requirements document, effective from April 2025, aligns with this and includes all those definitions — covering extensions, passwordless authentication, broader vulnerability fixes, scope definitions, and testing methodology.

  • Independent commentary (e.g. from NCC Group) highlights that as of 28 April 2025, the scheme (the “Willow” version) enforces stronger measures — including a 14-day requirement to remediate high- or critical-risk vulnerabilities, and added protections for remote work and authentication.

What We Saw in the 2025 Audit

One clear difference this year was the depth of the assessment. While the Cyber Essentials Plus process has always been rigorous, under the April 2025 scheme we found auditors were (rightly) digging deeper into a few specific areas:

  • Remediation timeframes: The new 14-day requirement for fixing high- or critical-risk vulnerabilities was a central focus. Assessors wanted clear evidence that patches and other approved fixes were applied within this tighter window.

  • Scope and segregation: There was sharper scrutiny around what was included in scope and how subsets (such as VLANs or separate networks) were segregated. Evidence had to demonstrate this clearly.

  • Sampling: Device sampling couldn’t just be assumed adequate. Auditors checked that the sample size was representative and properly documented.

This deeper approach reflects the scheme’s updated requirements and puts a greater emphasis on accountability and evidence rather than just process.

James’ Perspective

These updates clearly signal that Cyber Essentials is keeping pace with a rapidly evolving threat landscape. And that’s a great thing.

  • The formal recognition of passwordless authentication shows that the scheme aligns with the industry's move beyond passwords, which are no longer sufficient in isolation. And honestly? That’s not new news, or something I’ve only recently thought. (As anyone who has attended one of our cyber roundtables can attest.)

  • The stricter remediation window highlights that resilience is not about patching eventually, but proving you can respond at speed.

  • The broadened definition of fixes and tighter scoping rules underline that attackers exploit more than just software gaps. They target weak processes, misconfigurations, and human oversight, too. We’ve seen very notable examples of this in recent attacks, such as the Easter 2025 attack on M&S.

For us, these aren’t just compliance hurdles or tick box exercises. They mirror the practices we’re already embedding for clients: enabling modern authentication, enforcing faster patch cycles, and designing secure, segmented networks that can withstand attack.

And finally, a well done (and thank you!) to all the team at Fifosys for doing their part, helping out and continuously adhering to the principles that helped us pass this year!

Final Thoughts

The April 2025 Cyber Essentials Plus update brought practical enhancements around terminology, authentication options, remediation windows, and testing methodology. These are real, documented improvements to keep the framework tight, clear, and fit for modern environments.

For our clients, this means more than reassurance on a certificate - it’s proof that their IT partner is working to the very latest standards, with controls that anticipate future risks rather than chase them.

As threats evolve, frameworks like Cyber Essentials Plus will continue to tighten, and our commitment is to do the same. We’re never standing still, always raising the bar.

If you'd like to explore any area further, such as how to document scope and sampling effectively or steps toward passwordless rollouts, don’t hesitate to get in touch with the team.
