Definitions:

"Home working" has been updated to "Home and Remote working" to cover users who do not work from a company office but also do not work from home. This change adds clarification for users who may be connecting from a shared office space, client site, beach bar in Portugal or anywhere else where they are accessing company systems.

"Plugins" has been updated to "Extensions" to reflect the modern shift in terminology for additional features or functionality which can be added to browsers or other software by users.

Passwordless Authentication:

To reflect the ongoing movement towards Passwordless authentication, the requirements around unlocking devices and logging into accounts has been updated to include additional flexibility and it is no longer a requirement to use passwords if other appropriate controls have been implemented. However, this does not replace passwords entirely and use of passwords and MFA in combination will still be acceptable, this change simply gives more options to users and administrators. Some of the acceptable alternatives include:

• Biometric authentication: Uses biological traits of the user such as fingerprints or facial features to confirm a user’s identity.
• Security keys or tokens: Physical hardware devices such as USB security keys or smart cards.
• One-time codes: Temporary codes sent via email, SMS, or a mobile app.
• Push notifications: A prompt on a smartphone to approve or deny a login attempt.

Vulnerability fixes:

To reduce ambiguity around patching and what constitutes a vulnerability which requires patching to be compliant with the scheme, changes required to meet the requirements for Cyber Essentials are now referred to as "Vulnerability fixes" which are defined as:

“Product vendors provide fixes for vulnerabilities identified in products that they still support, in the form of patches, security updates, registry fixes, scripts, configuration changes or any other mechanism prescribed by the vendor to fix a known vulnerability.”

Scoping:

In cases where the Cyber Essentials self-assessment scope is not “whole organisation” it will now need to be verified by the Assessor that any sub-sets have been segregated correctly. This adds an additional step to the scoping process for Cyber Essentials Plus assessments where the assessor will need to be confident any sub-sets which have been defined in the self-assessment are as described and appropriate controls are in place to meet the requirements of having these subsets out of scope. How this is done will likely vary based on the organisation being assessed but could be as simple as a screenshare of your MDM solution or a demonstration of how the network is configured.

Data Retention:

All evidence gathered during a Cyber Essentials Plus assessment will now need to be kept by the certification body for the lifetime of the certification (12 months). This has been considered best practice in auditing for a long time, but the addition of this requirement enshrines it as part of the scheme which all assessors will now need to adhere to.

Get In Touch:

If you're interested in achieving Cyber Essentials or Cyber Essentials Plus on the current version, or have any questions about these changes please get in touch and one of our expert assessors will be able to provide you with professional, one-on-one assistance.
Fill out our contact form here, give us a call on 01543 765 700 or email info@westmidscyber.com.

Useful Links:

IASME's guidance on the changes:
https://iasme.co.uk/articles/what-will-the-changes-be-to-cyber-essentials-and-cyber-essentials-plus-in-the-april-2025-update/

Both versions of the question set, test specification and requirements can bee found here:
h ttps://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/