General information about the scheme
What changes are included in the April 2025 update?
Cyber Essentials – key changes:
- Remote working: The term “home working” has been updated to “home and remote working”, acknowledging a wider range of untrusted environments such as cafés, hotels and public spaces.
- Passwordless authentication: The certification now supports passwordless authentication methods, including biometric systems, security keys, one-time codes, QR codes and push notifications.
- Vulnerability management: The security update requirements now cover vulnerability fixes in general. Vendor-provided configuration changes and registry changes count as fixes that must be applied, not only software patches.
- Least privilege access: Greater emphasis is placed on least privilege, so that each user holds only the permissions needed to carry out their role.
Cyber Essentials Plus – key changes:
- Scope and subset verification: Assessors must verify by technical means that the networks and systems tested for Cyber Essentials Plus are those stated by the applicant in the Cyber Essentials self-assessment questionnaire, so that the Plus testing scope matches the scope on the self-assessment certificate. If the scope is not the whole organisation, the assessor must also verify by technical means that the in-scope subset is effectively segregated from the rest of the organisation. This may involve inspecting firewall or router ACLs (access control lists), or performing network scans between VLANs, subnets or zones to confirm that traffic across the boundary is actually blocked.
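One way to turn a cross-boundary scan into a segregation check. The script below is an added example, not GRC Solutions or IASME tooling. It parses nmap's grepable output (the `-oG` format) from a scan run on a host outside the subset against the in-scope addresses, and reports every port that is reachable across the boundary. The sample scan text is constructed for the example; the address ranges, the `allowed` set and the function names are assumptions. One caveat built into the check: a port reported as "closed" rather than "filtered" means the target answered with a reset, so the packet got through the boundary even though nothing was listening, which is itself evidence that the ACL is not dropping traffic to that host.

```python
"""Check an nmap -oG scan between zones for gaps in subset segregation (added example)."""
from collections import defaultdict

# Constructed sample of what `nmap -sS -p- -oG - 10.20.0.0/24` might print when run
# from the out-of-scope LAN against an in-scope subset. Not real scan data.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Tue Apr  1 10:00:00 2025 as: nmap -sS -p- -oG - 10.20.0.0/24
Host: 10.20.0.10 ()\tStatus: Up
Host: 10.20.0.10 ()\tPorts: 22/filtered/tcp//ssh///, 445/filtered/tcp//microsoft-ds///\tIgnored State: filtered (65533)
Host: 10.20.0.11 ()\tStatus: Up
Host: 10.20.0.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (65534)
Host: 10.20.0.12 ()\tStatus: Up
Host: 10.20.0.12 ()\tPorts: 443/open/tcp//https///, 80/closed/tcp//http///\tIgnored State: filtered (65533)
# Nmap done at Tue Apr  1 10:12:00 2025 -- 256 IP addresses (3 hosts up) scanned
"""


def parse_grepable(text):
    """Return {host: [(port, proto, state), ...]} from nmap grepable (-oG) output.

    Each 'Host:' line is tab-separated; the 'Ports:' field holds comma-separated
    entries of the form port/state/proto/owner/service/rpc/version/.
    """
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                results[host].append((int(parts[0]), parts[2], parts[1]))
    return dict(results)


def check_segregation(results, allowed=frozenset()):
    """Return sorted (host, port, proto) for every port open across the boundary.

    `allowed` lists the (host, port, proto) tuples the applicant's documented
    firewall rules deliberately permit (assumed input); anything else open is a
    finding. Only the unambiguous 'open' state counts; 'open|filtered' (UDP) is
    left for manual follow-up.
    """
    findings = []
    for host, ports in results.items():
        for port, proto, state in ports:
            if state == "open" and (host, port, proto) not in allowed:
                findings.append((host, port, proto))
    return sorted(findings)


def reachable_hosts(results):
    """Hosts that answered at all (any state other than 'filtered').

    A 'closed' port means a RST came back, so the boundary forwarded the probe:
    the host is reachable from the other zone even if nothing listens there.
    """
    return sorted(h for h, ports in results.items()
                  if any(state != "filtered" for _, _, state in ports))


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    print("open across boundary:", check_segregation(scan))
    print("hosts reachable through boundary:", reachable_hosts(scan))
```

Run the scan in both directions (from the subset outwards as well as inwards), since an ACL that blocks inbound connections may still permit the in-scope devices to reach out-of-scope networks, and compare the `allowed` set against the written rules rather than against what the scan happens to show.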
- Vulnerability fixes: Every vulnerability discovered that is rated high or critical (7.0–10.0) under CVSSv3 must be fixed if a fix is available. A fix means any remediation the vendor or another reliable source offers for the known vulnerability: a patch, a configuration change, a registry key, a script or any other mechanism. GRC Solutions has always applied this approach, but other certification bodies may previously have looked only for patches and updates rather than the full range of available fixes.
- Sampling requirements: Assessors must select a random, representative sample from all in-scope devices. For example, if 70 Windows 11 Professional devices are in scope, the assessor decides which of them make up the sample so that it fairly represents the whole scope. The April 2025 update requires the sample to be selected no earlier than 72 hours before the test is carried out. If a selected device is not available, the assessor must select a different device in its place.
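The sampling rules above, worked through as code. This is an added example and not GRC Solutions or IASME tooling: it draws a random sample per platform from a constructed inventory, records when the sample was drawn, checks the 72-hour selection window before testing, and swaps out a device that turns out to be unavailable for another random device of the same platform. The inventory, the per-platform sample sizes (which the assessor takes from the scheme's own sampling guidance, not reproduced here) and the function names are assumptions.

```python
"""Draw, time-box and amend a Cyber Essentials Plus device sample (added example)."""
import random
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed in-scope inventory: (device name, platform). Illustrative only.
INVENTORY = (
    [(f"WIN11-{i:03d}", "Windows 11 Pro") for i in range(1, 71)]
    + [(f"MAC-{i:02d}", "macOS 15") for i in range(1, 9)]
    + [(f"SRV-{i:02d}", "Windows Server 2022") for i in range(1, 4)]
)

# Sample must be drawn no earlier than this long before the test (April 2025 update).
SELECTION_WINDOW = timedelta(hours=72)


def group_by_platform(inventory):
    """{platform: [device names]} so the sample is representative per platform."""
    groups = defaultdict(list)
    for name, platform in inventory:
        groups[platform].append(name)
    return dict(groups)


def draw_sample(inventory, sizes, rng=None, selected_at=None):
    """Randomly pick `sizes[platform]` devices from each platform group.

    `sizes` is supplied by the assessor (assumed input). `rng` defaults to a
    CSPRNG so the draw cannot be steered; a seeded random.Random is accepted
    for reproducible tests. Returns the sample with its selection timestamp.
    """
    rng = rng or random.SystemRandom()
    groups = group_by_platform(inventory)
    devices = {}
    for platform, names in groups.items():
        k = sizes.get(platform, 0)
        if k > len(names):
            raise ValueError(f"cannot sample {k} of {len(names)} {platform} devices")
        devices[platform] = sorted(rng.sample(names, k))
    return {
        "devices": devices,
        "selected_at": selected_at or datetime.now(timezone.utc),
        "replaced": [],
    }


def sample_is_fresh(sample, test_time):
    """True if the test falls within 72 hours after the sample was selected."""
    age = test_time - sample["selected_at"]
    return timedelta(0) <= age <= SELECTION_WINDOW


def replace_unavailable(sample, inventory, unavailable, rng=None):
    """Swap an unavailable device for a random same-platform device not yet used.

    Devices already in the sample and devices already rejected are excluded so
    the replacement stays random and the sample size is unchanged. Returns the
    replacement name and records the swap in sample["replaced"].
    """
    rng = rng or random.SystemRandom()
    groups = group_by_platform(inventory)
    used = {old for old, _ in sample["replaced"]}
    for platform, names in sample["devices"].items():
        if unavailable not in names:
            continue
        candidates = [n for n in groups[platform]
                      if n not in names and n != unavailable and n not in used]
        if not candidates:
            raise ValueError(f"no spare {platform} devices to replace {unavailable}")
        replacement = rng.choice(candidates)
        names[names.index(unavailable)] = replacement
        sample["replaced"].append((unavailable, replacement))
        return replacement
    raise KeyError(f"{unavailable} is not in the sample")


if __name__ == "__main__":
    sizes = {"Windows 11 Pro": 5, "macOS 15": 2, "Windows Server 2022": 1}
    sample = draw_sample(INVENTORY, sizes)
    print(sample["devices"], "selected at", sample["selected_at"].isoformat())
    first = sample["devices"]["Windows 11 Pro"][0]
    print("replacing", first, "with", replace_unavailable(sample, INVENTORY, first))
```

Keeping the selection timestamp and the list of replacements with the sample gives the assessor a record that shows both the 72-hour window was respected and that any substitutions were drawn at random rather than chosen by the applicant.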
What is Cyber Essentials?
Cyber Essentials is the UK government-backed scheme that sets a baseline standard for cyber security, suitable for organisations of all sizes. This cost-effective, annually renewable certification is built around five key technical controls (firewalls, secure configuration, security update management, user access control and malware protection) that address the most common Internet-based threats.
Why should we get a Cyber Essentials certificate?
- Protection against cyber attacks: Implementing the five basic security controls helps protect against roughly 80% of common cyber attacks (Department for Science, Innovation and Technology, Cyber Essentials impact evaluation, October 2024).
- Business opportunities: Certification can help attract new business and satisfy public-sector and government contract requirements.
- Supply chain assurance: Independent verification of your security posture provides assurance to larger organisations managing third-party risks.
- Cyber liability insurance: UK organisations with a turnover under £20 million whose certification scope covers the whole organisation can opt in to the cyber liability insurance that comes with certification.
What is required for Cyber Essentials certification?
Organisations complete the IASME SAQ (self-assessment questionnaire), which must be reviewed and signed off by a board member or equivalent signatory before submission. The SAQ is then independently assessed by a licensed certification body.
What is required for Cyber Essentials Plus certification?
Cyber Essentials Plus adds a technical audit of the in-scope systems: a remote or on-site assessment, internal vulnerability scans of the sampled devices, and an external vulnerability scan, all conducted by the certification body.
Who conducts the assessments for Cyber Essentials and Cyber Essentials Plus?
Only certification bodies trained and licensed by IASME can undertake assessments and issue certificates. GRC Solutions assessors are not only IASME trained and licensed but also bring a wealth of experience and expertise.
How long does it take to receive our certificate after submitting the SAQ?
For Cyber Essentials, certification can often be achieved within a day or two, depending on your current security setup and how quickly you act on any findings. We are usually able to offer same-day assessment.
Cyber Essentials Plus clients will need additional time for the internal and external tests to be completed.