For many businesses around the UK, achieving Cyber Essentials is their first real step into the world of cyber security and compliance. The standard not only helps businesses protect themselves against some of the most common cyber threats, but also demonstrates their commitment to safe security practices. However, as with any standard or framework, Cyber Essentials is periodically revised, and the next set of changes takes effect in April 2025. These revisions may affect how your business complies with Cyber Essentials, so it is vital to keep up to date with the latest version of the requirements. Below, we outline these updates and explain how OneClickComply can help make adapting to them as easy as pressing a button.
What is Cyber Essentials?
Before we cover the upcoming changes, it is important to understand what Cyber Essentials is and the requirements businesses need to meet in order to comply with the standard.
Cyber Essentials is a UK government-backed certification designed to help businesses protect themselves from around 80% of common cyber attacks by implementing a small set of critical security controls. Delivered by IASME (the IASME Consortium, originally the Information Assurance for Small and Medium Enterprises scheme) on behalf of the National Cyber Security Centre, the scheme provides a clear pathway for businesses to improve their cyber security posture. IASME also maintains a public register of certified businesses, allowing organisations to verify the certification status of suppliers and partners.
The standard centres around five key areas where businesses must implement controls:
- Firewalls
Protecting internet-connected devices from unauthorised access by managing firewall configurations.
- Secure Configuration
Ensuring devices and software are configured to reduce vulnerabilities.
- Access Control
Restricting access to systems and data to authorised personnel only, and limiting administrative privileges to those who need them.
- Malware Protection
Protecting devices against malicious software through anti-malware solutions and appropriate user behaviour.
- Patch Management
Keeping software and devices up to date to protect against known vulnerabilities.
Beyond covering these five control areas, the standard is also available in two separate variants:
Cyber Essentials (CE)
This version of the certification requires businesses to complete a self-assessment questionnaire describing how they have met the scheme's security controls. The answers are then marked by an independent, qualified assessor. Attaining this version of the standard demonstrates an understanding of, and implementation of, basic cyber security controls and hygiene.
Cyber Essentials Plus (CE+)
This more advanced certification still requires the verified self-assessment, but adds an independent technical audit, including vulnerability scans and hands-on testing of a sample of devices, to confirm that the controls described in the questionnaire are actually in place. This version of Cyber Essentials demonstrates a higher level of assurance and commitment to cyber security than the basic variant.
So how is the standard changing?
From April 2025, the Cyber Essentials standard is evolving to reflect recent changes in technology and cyber security, as well as changes in how businesses operate day to day. While the changes may appear small on the surface, any one of them can be the difference between passing the assessment and losing your certification.
Let’s go through each of the upcoming changes:
- Passwordless
New guidance has been released to support the rise of passwordless authentication. Common examples include biometrics, one-time codes, and security keys (or other physical hardware tokens). Passwordless methods are now explicitly recognised within the scope of the standard, so the access control requirements can be met with these methods rather than only with passwords.
- Vulnerability Fixes
The patch management requirement has been redefined. Instead of 'patches and updates', the term 'vulnerability fixes' is now used as an umbrella term for everything that remediates a known vulnerability in software, including patches, updates, registry fixes, configuration changes, scripts, or any other vendor-approved method. The practical effect is that a vendor-recommended configuration change or workaround counts as a fix that must be applied within the scheme's timescale, not only a traditional software patch.
- Home Working
All references to 'home working' have been changed to 'home and remote working'. This is an important change from the previous wording, because the new term emphasises that remote working may take place on untrusted networks such as those in cafes, hotels, trains, and other public spaces, not just on a home network. The change responds to the post-Covid shift towards hybrid and remote working and brings the risks of working from unsecured networks explicitly into scope.
- Plugins
The term 'plugins' has been changed to 'extensions' for improved accuracy.
There are also upcoming changes to the Cyber Essentials Plus standard; however, these only affect how assessors carry out the technical audit, so they are not covered here.
As mentioned, though these changes may be small, they reflect the ever-changing nature of cyber security and compliance. Failing to account for them may affect your certification and leave your business exposed to the threats the scheme is designed to address.
How OneClickComply helps manage changes to standards
OneClickComply simplifies the process of managing changes to cyber security standards and frameworks, helping businesses stay ahead of compliance updates with minimal effort. We are notified of all upcoming changes to the standards we support, and the OneClickComply platform creates tasks to reflect them. All businesses need to do is click 'Fix this for me', and our automations handle the rest. So, whether it is adapting to the new guidance on authentication methods or keeping on top of vulnerability fixes, OneClickComply makes compliance easy, stress-free, and efficient.