The UK National Cyber Security Centre (NCSC) has introduced several updates to the Cyber Essentials Scheme for 2025. These changes are designed to ensure that the scheme remains relevant and effective in the ever-evolving landscape of cyber threats. The updates affect both the Cyber Essentials and Cyber Essentials Plus certifications and include modifications to the requirements for IT infrastructure, the introduction of a new question set, and changes to the assessment and moderation processes.
Cyber Essentials Requirements for IT Infrastructure Version 3.2
The 2025 update introduces version 3.2 of the Cyber Essentials Requirements for IT Infrastructure. Key changes include:
- Terminology Updates: The term ‘plugins’ has been changed to ‘extensions’, and ‘home working’ has been updated to ‘home and remote working’. The definition of ‘software’ now includes operating systems, commercial off-the-shelf applications, extensions, interpreters, scripts, libraries, network software, and firewall and router firmware.
- Vulnerability Fixes: A new definition for ‘vulnerability fixes’ has been added. These include patches, updates, registry fixes, configuration changes, scripts, or any other mechanism approved by the vendor to fix a known vulnerability.
- Authentication: Passwordless authentication methods, including biometric data, security keys or tokens, one-time codes, and push notifications, are now permitted.
Cyber Essentials Plus Test Specification Version 3.2
The Cyber Essentials Plus Test Specification has also been updated to version 3.2. Notable changes include:
- Document Name: The document formerly known as “Cyber Essentials Plus Illustrative Test Specification” has been renamed to “Cyber Essentials Plus Test Specification”.
- Verification of Scope: Assessors must verify that the scope of the testing aligns with the scope in the self-assessment certificate before testing begins.
- Verification of Segregation by Subset: Assessors must verify by technical means that any sub-sets have been segregated effectively when the Cyber Essentials self-assessment scope is not ‘Whole Organisation’.
- Verification of Sampling: Assessors must verify that the sample of tested devices, including end-user devices, servers, and Cloud services, is representative.
Willow Question Set
The new Willow Question Set replaces the Montpellier version and includes additional questions and further guidance on existing questions. The areas covered include:
- A1 (the organisation)
- A2 (scope of assessment)
- A4 (firewalls)
- A5 (secure configuration)
- A6 (security update management)
- A7 (user access control)
- A8 (malware protection)
Changes to Cyber Essentials Processes
The NCSC has also announced changes to the Pool Assessment and Moderations processes. These changes are aimed at streamlining and automating processes to better handle the anticipated growth in the number of customers, Certification Bodies, and Assessors. The changes will be implemented in two phases: Phase 1 in May 2025 and Phase 2 on 1st July 2025.
The updates are driven by evidence of the efficacy of the Cyber Essentials scheme, which has shown that organisations with Cyber Essentials certifications are significantly less likely to make a claim on Cyber Insurance and have seen a reduction in the number of cyber incidents. The UK Government aims to significantly grow the Cyber Essentials scheme to protect against increasing cyber security threats.
Impact on Organisations
The changes to the Cyber Essentials scheme are expected to have several impacts on organisations:
- Increased Compliance Requirements: Organisations will need to ensure they meet the updated requirements for IT infrastructure and adhere to the new question set.
- Enhanced Security Measures: The inclusion of passwordless authentication methods and the updated definition of software and vulnerability fixes will help organisations enhance their security measures.
- Streamlined Processes: The changes to the assessment and moderation processes are expected to streamline the certification process, making it easier for organisations to achieve and maintain Cyber Essentials certification.
Conclusion
The 2025 updates to the UK NCSC Cyber Essentials Scheme reflect the ongoing efforts to keep the scheme relevant and effective in the face of evolving cyber threats. By updating the requirements for IT infrastructure, introducing a new question set, and streamlining the assessment and moderation processes, the NCSC aims to enhance the security posture of organisations and protect against cyber threats. Organisations seeking Cyber Essentials certification will need to familiarise themselves with these changes and ensure they meet the updated requirements to maintain their certification. If you have any questions or need assistance with the Cyber Essentials certification process, please reach out to one of our Cyber Essentials experts for guidance and support.