
How the Cyber Essentials Changes Affect Your Business
The next annual update to Cyber Essentials will go live in April 2025. Read on as we discuss the minor changes to the Cyber Essentials Requirements.
IASME (Information Assurance for Small and Medium Enterprises) recently released the updated Cyber Essentials Requirements for IT Infrastructure document (version 3.2), the Question Set (Willow), and the Cyber Essentials Plus Test Specification document (version 3.2). These were published in advance to allow time to prepare for any applications submitted on or after April 28th, 2025.
Starting April 28, 2025, the updated Cyber Essentials requirements for IT infrastructure (v3.2), the Willow Question Set, and the Cyber Essentials Plus Test Specification (v3.2) will be implemented. From this date forward, all new applications for Cyber Essentials and Cyber Essentials Plus will be evaluated using the Willow Question Set, replacing the current Montpellier Question Set.
Home Workers
The Cyber Essentials requirements for home working have been updated to include remote working. This change reflects the modern need to work within untrusted networks, such as cafes and hotels. The Cyber Essentials standard covers all devices used for your organisation’s business activities, including both company-provided devices and personal devices (BYOD) used for work purposes. Additionally, if your organisation supplies a router to a home or remote employee, that router is also included in the scope.
Network Equipment
Applicants are now advised to list only relevant network equipment, avoiding unnecessary items like hubs and switches.
According to the new update, organisations must provide a list of the network equipment in scope for this assessment, including the make and model of each device. List all equipment that controls data flow to and from the internet, such as routers and firewalls.
Passwordless Authentication
While the update in 2022 mandated the use of multi-factor authentication for all accounts, the new version will accept logging in without a password if it follows approved methods like biometric authentication, security keys or tokens, one-time codes, QR codes and push notifications. More guidance is available on the NCSC’s website.
The following questions can now be answered in terms of passwordless authentication:
Security Updates
In the 2025 Cyber Essentials update, the software definition uses the term ‘extensions’ in place of ‘plugins’ for improved accuracy.
You must ensure that all installed software is correctly licensed, accommodating modern licensing agreements where software is supported only if licensed appropriately. Additionally, software updates must now include configuration changes and/or registry fixes, if instructed by the vendor, to mitigate high-risk vulnerabilities.
Vulnerability Fix
In the context of Cyber Essentials, a vulnerability fix is a crucial part of security update management. It involves identifying and correcting potential weaknesses in devices and software systems. This proactive approach ensures that known security issues, for which fixes are available, are promptly addressed to protect against potential cyber threats.
In the Cyber Essentials requirements document, the description that used to be ‘patches and updates’ will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods. Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
The Cyber Essentials Plus Test Specification document is intended for Assessors who conduct Cyber Essentials Plus assessments on behalf of Certification Bodies. It is published for informational purposes so that customers can understand the tests that will be carried out.
Changes include:
To sum up, the April 2025 update to Cyber Essentials and Cyber Essentials Plus, managed by IASME, introduces significant changes to better align with the evolving cybersecurity landscape. This update includes improvements to the IT infrastructure requirements, the Willow question set, and the Cyber Essentials Plus test specification.
All the changes to Cyber Essentials will be effective April 28, 2025, and all applications will be assessed against these updated standards, helping you to strengthen your cybersecurity defences.
Syn-Star can help you through the process of achieving your Cyber Essentials or Cyber Essentials Plus certification with expert, personalised support.
Agnes Molnar
Agnes is Syn-Star’s expert content writer. She has a Master’s degree in English Literature, which provides a strong foundation in writing and critical thinking for everything she does.
Qualifications: Masters in English Literature
In-house training: HubSpot SEO, WordPress Training.