Cyber Essentials 2025 Updates (tech version for the Willow question set)
- The Assessor Team
- Dec 16, 2025
Why does Cyber Essentials keep changing?
The government-approved Cyber Essentials scheme includes five technical controls that help protect organisations from the most common cyber attacks. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the government-approved, minimum level of cyber security in place and can be trusted with their data and business.
In order to stay effective in the ever-evolving threat landscape, a team of experts review and update the Cyber Essentials scheme at regular intervals. In January 2022, the scheme received a major overhaul made necessary by the digital transformation accelerated by the Covid pandemic.
Technology is advancing at an increasing pace and the Cyber Essentials requirements must continue to adapt and change to stay relevant and valid.
What do the changes to Cyber Essentials in April 2025 look like?
The April 2025 changes to the Cyber Essentials Requirements for IT Infrastructure document V3.2 are fairly minor and apply mostly to the definitions.
Under software, the term ‘plugins’ has been changed to ‘extensions’ for improved accuracy.
References to ‘home working’ have been changed to ‘home and remote working’. The inclusion of ‘remote’ working acknowledges that working away from the company network may not be limited to home working and often includes working within untrusted networks such as cafes, hotels, trains and other shared spaces.
Passwordless
Authentication methods that do not require a password at all are growing more commonplace and Cyber Essentials has needed to address this technology. Passwords have until recently been the default method of authentication for a huge range of accounts and services both at home and at work. Despite being accessible, cheap and portable, passwords are often reused, forgotten, guessed, brute-forced and stolen. The vulnerability of passwords was one of the reasons the Cyber Essentials requirements changed in 2022 to mandate the additional use of multi-factor authentication for all accounts and services available over the internet.
True passwordless authentication eliminates the need for passwords altogether, providing alternative forms of authentication to enable secure user access. This technology will always use more than one factor of authentication, and although there is no password, the other two or more factors can involve digital certificates operating in the background, cryptographic methods, or additional biometric checks combined with codes from authentication apps.
Passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication: “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity”.
There are numerous methods of verifying identity without using traditional passwords. Here are some common examples; sometimes these are used in combination:
- Biometric authentication: Uses biological traits of the user such as fingerprints or facial features to confirm their identity
- Security keys or tokens: Physical hardware devices such as USB security keys or smart cards
- One-time codes: Temporary codes sent via email, SMS, or a mobile app
- Push notifications: A prompt on a smartphone to approve or deny a login attempt
Vulnerability fixes
There is also a requirement change associated with patching and updating software, under the security update management control. It’s a recognised cyber security principle that a vulnerability in a software system needs to be fixed before cyber criminals can exploit it. The vendors or manufacturers of the software and operating systems repair vulnerabilities by releasing patches and updates, but they also do so in other ways. These include registry fixes, configuration changes, or running scripts provided by the vendor.
In the Cyber Essentials requirements document, the description that used to be ‘patches and updates’ will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods.
Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
The section within security update management has been updated to describe ‘fixes’.
Product vendors provide fixes for vulnerabilities identified in products that they still support, in the form of patches, security updates, registry fixes, scripts, configuration changes or any other mechanism prescribed by the vendor to fix a known vulnerability.
This document is provided by IASME and is intended to detail the changes to the Cyber Essentials assessment in April 2025.




