Cyber Essentials changes 2025: What you need to know
As a widely recognised, government-backed certification, Cyber Essentials regularly updates its framework to ensure its continued effectiveness in protecting organisations against common cyber threats.
The upcoming update issued by IASME, scheduled to take effect on April 28, 2025, introduces important changes designed to address evolving workplace practices and emerging cyber security threats.
Overview of the update
From 28th April 2025, these changes require assessments to follow the Willow question set instead of the Montpelier question set, which is currently in use.
This update addresses modern remote working practices and the need for clear, comprehensive vulnerability management practices, aiming to ensure that the Cyber Essentials certification continues to provide a robust cyber security baseline to all proactive businesses throughout the UK.
What's new with Cyber Essentials in 2025?
- Introduction of passwordless authentication methods
- Updated software definitions (from 'plugins' to 'extensions')
- Broadened definition of vulnerability fixes
- Revised terminology from 'home working' to 'home and remote working'
- Changes to the Cyber Essentials Plus test specifications
Detailed changes to Cyber Essentials requirements
Passwordless authentication
In response to the common vulnerabilities associated with traditional passwords, the updated Cyber Essentials framework introduces passwordless authentication. This modern approach removes passwords entirely, utilising more secure and user-friendly verification methods:
- Biometric authentication (fingerprint and facial recognition)
- Physical security keys or tokens
- One-time codes via email, SMS, or authenticator apps
- QR codes for login validation
- Push notifications prompting approval or denial of login requests through MFA
These authentication methods significantly increase security by reducing vulnerabilities associated with passwords, such as phishing or brute-force attacks.
Vulnerability fixes
The update expands the previous 'patches and updates' terminology to a broader category of 'vulnerability fixes'. This change recognises various remediation methods beyond patches, such as:
- Registry fixes
- Configuration changes
- Vendor-approved scripts
Adopting this approach to vulnerability management enables organisations to address security gaps and mitigate potential threats proactively.
Home and remote working
With the recent increase in remote working, including hybrid and flexible arrangements, the terminology within the updated requirements will change from 'home working' to 'home and remote working'. This definition recognises that employees frequently operate from various locations, such as cafes, hotels, or public transportation.
Businesses must now implement and maintain robust security measures for devices and data accessed remotely, including secure virtual private networks (VPNs) and software firewalls when working away from the office.
Key changes in Cyber Essentials Plus test specifications
Verification enhancements
The new specification introduces critical verifications:
- Scope verification: Assessors must confirm alignment between the Cyber Essentials self-assessment certificate and the Plus assessment.
- Segregation verification: If the self-assessment covers subsets rather than the whole organisation, assessors must verify proper technical segregation.
- Sampling verification: Device sample sizes used for testing must be representative and calculated using approved IASME methods.
Implications for organisations
These updates will significantly affect daily IT operations in the following areas:
- Transitioning to passwordless authentication solutions
- Broadening vulnerability management beyond traditional patching, transitioning from reactive responses to proactive collaboration between IT teams and vendors
- Strengthening security protocols for remote working scenarios
While these updates will bring about operational changes, our expert guidance ensures that you can smoothly adopt and transition to passwordless authentication, improve vulnerability management, and reinforce remote working security.
Compliance & certification preparation
To ensure compliance, organisations should, with the guidance of cyber security experts:
- Review the updated Cyber Essentials documents thoroughly
- Conduct internal audits aligning with the new definitions and requirements
- Provide training and consultancy to internal IT teams and employees, allowing them to familiarise themselves with new authentication methods
Global credibility
Aligning Cyber Essentials standards more closely with global cyber security frameworks such as NIST fortifies the certification's international credibility. Organisations certified under the updated scheme will be well-positioned to demonstrate their cyber security resilience to global partners, clients, and investors.
How can Texaport help?
The April 2025 Cyber Essentials update introduces significant improvements designed to bolster an organisation's cyber security.
Many organisations we work with value the improved IT processes and the peace of mind that certification brings. Certification lasts 12 months, and we provide ongoing IT support to ensure compliance and security are maintained throughout the certification period.
Discover how a Cyber Essentials certification can safeguard your data, keep your business secure and help you bid for government contracts. Book a free consultation to learn more.