
Cyber Essentials Gets An Update For 2025: What UK Businesses Need to Know
With cyber threats on the rise, from ransomware attacks to state-backed hacking, organisations across the UK are under growing pressure to strengthen their information security. While many large enterprises are aligning to global standards like ISO 27001, the UK Government-backed Cyber Essentials scheme offers smaller and mid-sized businesses a foundational benchmark for demonstrating basic cyber hygiene.
But changes are coming.
Starting 28 April 2025, the Cyber Essentials and Cyber Essentials Plus certification processes will undergo strategic updates. These changes reflect the evolving nature of cyber threats and the increasing complexity of the environments in which businesses operate. In this blog, we unpack the updates, explore why they matter, and outline what organisations must do next.
Why Cyber Essentials Still Matters
Launched in 2014, Cyber Essentials was designed to help organisations guard against the most common cyber threats and demonstrate their commitment to cybersecurity. For many, it has served as the starting point in their security journey, a baseline requirement for doing business with government bodies and a growing number of private sector organisations.
With its clear focus on fundamental protections, Cyber Essentials sets a baseline for security and encourages organisations to take a proactive stance. At its core, it’s about getting the fundamentals right – things like firewalls, secure settings, controlling who has access, protecting against malware, and keeping systems up to date.
But even the basics evolve over time. And so must the scheme.
What’s Changing in April 2025?
The 2025 updates are designed to reflect the reality of the current business threat landscape and ensure Cyber Essentials remains a meaningful standard. Here’s what’s new:
1. Passwordless Authentication Becomes the Standard
A major shift is the move toward passwordless authentication. Methods such as the following are now recognised as valid, secure login methods:
- Biometrics (e.g., fingerprint or facial recognition)
- Hardware security keys
- One-time passcodes or push notifications
Why it matters: Traditional passwords are still one of the weakest links in cybersecurity. Password reuse, phishing attacks, and brute-force attempts remain common attack vectors. By shifting the focus to passwordless options, the new guidance helps organisations adopt stronger, more reliable ways to manage access and keep systems secure.
2. A Broader View of Remote Work
The term ‘home working’ is being replaced with ‘home and remote working’, a subtle but significant change.
Why it matters: Employees are no longer confined to their homes. They’re working from cafes, airports, trains, and co-working spaces — all of which are considered untrusted environments. The scheme now reflects this reality, and businesses will need to demonstrate that data accessed remotely is adequately protected, regardless of the location.
3. New Terminology for Vulnerability Fixes
The previous focus on ‘patches and updates’ is expanding to cover all types of ‘vulnerability fixes’, which include:
- Registry changes
- Configuration updates
- Scripts or vendor-approved mitigations
Why it matters: Not every security issue has a neat patch. Sometimes, the fix looks different, and this update reflects that reality. It gives organisations more flexibility in how they respond to risks while making it clear that action is expected.
4. Greater Alignment with International Standards
While not explicitly stated, the updated scheme aligns more closely with global cybersecurity frameworks such as those published by the US National Institute of Standards and Technology (NIST) and ISO 27001.
Why it matters: For UK organisations working internationally, alignment with these standards helps build credibility and opens doors to new markets. For those already on a journey towards ISO 27001 certification, Cyber Essentials can serve as a stepping stone, and now, that path is more clearly defined.
5. Changes to the Cyber Essentials Plus Test Specification
Some necessary adjustments are being made to the way Cyber Essentials Plus assessments are carried out:
- Assessors must verify that the scope matches the initial self-assessment.
- The boundaries must be clearly defined and technically segregated when the scope doesn’t include the entire organisation.
- Device sampling must be representative and evidenced.
Why it matters: These updates add rigour and consistency to the Plus assessment. They ensure organisations can’t ‘cherry-pick’ systems for compliance and must instead show they’ve implemented good practices across the board.
What Does This Mean for Your Business?
These changes aren’t designed to catch organisations out. They’re there to ensure the scheme keeps pace with the real-world risks facing today’s businesses. However, they will require action, especially for those approaching their renewal date in late 2025.
If you’re already Cyber Essentials certified, now is the time to review your current posture:
- Are you exploring passwordless technologies?
- Do your remote access policies reflect today’s hybrid work reality?
- Is your vulnerability management approach flexible and responsive?
If you’re working toward your first certification, it’s wise to get ahead of the changes now. Don’t wait until April 2025; implement these practices today.
Cyber Essentials and Beyond
It’s worth remembering that Cyber Essentials is not the destination; it’s the starting point. As cyber threats become more sophisticated and regulatory pressures increase, many organisations are choosing to build on their Cyber Essentials foundations with more advanced standards.
ISO/IEC 27001 is a natural next step. It’s a globally recognised information security management standard that provides a comprehensive framework for managing information risks. Where Cyber Essentials outlines what needs to be in place, ISO 27001 shows you how to embed these practices into your business’s day-to-day operations.
Together, these standards can help create a more resilient, compliant, and genuinely secure organisation.
Whether you’re tackling the scheme for the first time or adjusting to the 2025 updates, getting to grips with the new requirements can be a challenge.
That’s where we come in. At ISMS.online, we’ve worked with thousands of organisations to help them stay on top of Cyber Essentials, Cyber Essentials Plus, and ISO 27001. Our platform is designed to take the complexity out of compliance, giving you a clear view of what’s needed and keeping you on track from start to finish, so you can approach your compliance journey with confidence.
We also practise what we preach, having used our own platform to successfully achieve Cyber Essentials re-certification in November 2024.
And we’re already building in support for the April 2025 changes, so you’ll be ready, not rushed.
Final Thoughts
Cyber Essentials remains a critical part of the UK’s cybersecurity strategy. It sends customers, suppliers, and partners a clear message: you take security seriously.
The upcoming changes aim to make the scheme more relevant and resilient, reflecting the realities of modern working. But this isn’t just a box-ticking exercise. It’s a chance to build better security habits across your organisation.
If you haven’t started preparing, now’s a good time to get moving. Review your security posture, engage your leadership, and prepare for the future of Cyber Essentials. Good information security isn’t just a checkbox; it’s a business advantage.