Why is the Cyber Essentials Scheme Changing?

Cyber threats are constantly evolving, and in response, the UK government-approved Cyber Essentials scheme undergoes regular updates to ensure its controls remain effective. The scheme, which helps organisations defend against the most common cyber attacks, is built around five key technical controls. Achieving Cyber Essentials certification shows customers, investors, and partners that your organisation has implemented essential cybersecurity measures to protect sensitive data.

To maintain relevance in the face of rapid technological change, a panel of security professionals periodically reviews and revises the scheme. The last significant update occurred in January 2022, following a surge in remote working and digital transformation post-COVID.

What’s Changing in the April 2025 Cyber Essentials Update?

The upcoming April 2025 update (v3.2) brings modest but important refinements to the Cyber Essentials Requirements for IT Infrastructure. While these are not major overhauls, they help align the scheme with emerging technologies and workplace practices.

Updated Terminology

  • ‘Plugins’ updated to ‘Extensions’: The terminology under software has been clarified—‘plugins’ will now be referred to as ‘extensions’ for accuracy.
  • ‘Home working’ broadened to ‘Home and Remote Working’: The term now reflects the reality that many users connect from various untrusted networks—such as cafés, trains, or hotels—not just their homes.

Embracing Passwordless Authentication

One of the key additions to the April 2025 update is the formal inclusion of passwordless authentication. Traditional passwords—though simple and widely used—are prone to misuse, such as reuse, theft, and brute-force attacks.

To improve security, Cyber Essentials previously required multi-factor authentication (MFA) for internet-facing services. Now, true passwordless authentication is acknowledged as a secure alternative. This approach uses other forms of identity verification that don’t rely on memorised passwords, including:

  • Biometric verification (e.g., facial recognition, fingerprint)
  • Hardware tokens (e.g., USB security keys, smart cards)
  • One-time codes (via apps, SMS, or email)
  • Push notifications (prompting login approval on mobile devices)
  • Cryptographic certificates (operating in the background)

Cyber Essentials defines passwordless authentication as any method “that uses a factor other than user knowledge to establish identity.” It’s essentially an evolution of MFA, providing better protection with less user friction.

New Definition: ‘Vulnerability Fixes’

Under the Security Update Management section, the term ‘patches and updates’ will be replaced with ‘vulnerability fixes’. This change broadens the scope to reflect the variety of ways software vendors now address vulnerabilities. ‘Vulnerability fixes’ now include:

  • Security patches and updates
  • Registry changes
  • Configuration adjustments
  • Vendor-supplied scripts
  • Any approved method to remediate known vulnerabilities

This update reinforces the principle that all known vulnerabilities should be resolved promptly—regardless of how the fix is delivered.

Cyber Essentials Plus: Updates to the Test Specification

Changes are also coming to the Cyber Essentials Plus Test Specification, which is primarily intended for Assessors but is publicly available for transparency. Key updates include:

  • Removal of the word ‘illustrative’ from the document title
  • Requirement for the assessment scope to match the scope declared in the Cyber Essentials self-assessment
  • If the assessment doesn’t cover the whole organisation, Assessors must verify proper segregation of sub-sets
  • Confirmation that the sample size of devices has been calculated correctly as per IASME methodology
  • Certification Bodies must retain verification evidence for the duration of the certificate’s validity

Final Thoughts

The April 2025 Cyber Essentials update continues the scheme’s evolution to stay in sync with today’s fast-changing IT landscape. Whether it’s refining terminology, accommodating modern work environments, or formally recognising passwordless security, these updates ensure the framework remains robust and relevant. If you’re preparing for certification or renewal, it’s crucial to understand and implement these changes to maintain compliance and strengthen your cybersecurity posture.

🚀 Ready to Achieve Cyber Essentials and Stay Compliant? Book Your Cyber Essentials Assessment Today.

Whether you’re a first-time applicant or renewing your certification, Armoryze is here to support you every step of the way. Our cybersecurity experts help organisations like yours understand the latest Cyber Essentials requirements and prepare for a smooth assessment. 

🔐 Why Choose Armoryze?

  • Trusted certification partner
  • Tailored expert guidance from cyber security professionals
  • Proven track record across education, healthcare, and enterprise sectors

📅 Book your Cyber Essentials or Cyber Essentials Plus assessment today and secure your organisation’s digital future.

Copyright © 2025 Armoryze Consultancy Services Ltd. All Rights Reserved.
