Cyber Essentials Changes 2025: What You Need to Know
Updates to Cyber Essentials are coming in April 2025.
IASME, the body that delivers the certification, is releasing a new question set called Willow that includes several minor updates to the scheme. Although the changes do not take effect for another five months, IASME wants to give businesses as much time as possible to prepare for future applications.
In this article, we’ll explain what the changes are and what you need to do, if anything, to achieve your Cyber Essentials certification or renewal next year.
The changes come into force on 28th April 2025 and affect applications started on or after that date.
The good news is they are relatively minor in scope. Here is an overview of the changes:
. Updates to terminology
. Introduction of passwordless authentication
. New patching and update requirements
Read on to learn more about each of them.
IASME is making several terminology updates to eliminate ambiguity in questions and ensure businesses understand what is being asked of them.
Documentation will replace references to “plugins” with “extensions” to improve clarity.
“Home working” will change to “home and remote working” to reflect employees working in untrusted environments like cafes and coworking spaces.
Cyber Essentials will recognise passwordless authentication as a secure access method, in the same way it already recognises multi-factor authentication:
“Passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity.”
Passwordless authentication covers several methods, including:
. Security keys and tokens (physical devices such as USB keys)
. Biometric data (such as your iPhone’s facial recognition)
. One-time passcodes (the kind sent via SMS or email)
. Push notifications (sent via apps on your phone)
These are not equally strong: a hardware security key resists phishing outright, whereas codes sent by SMS or email can be intercepted or phished, so treat them as the weakest of the four when choosing what to roll out.
Patching and update requirements are becoming broader and stricter. Previously, businesses had to apply updates within 14 days of release where those updates fixed vulnerabilities with a CVSS v3 base score of 7 or above, or that the vendor described as ‘high’ or ‘critical’.
From 28th April, IASME will expect businesses to remove those vulnerabilities using whichever method the vendor recommends, which may be a registry fix, a configuration change or a script rather than a conventional patch.
The definition within the security update management section of the assessment is being updated as a result. A new term, “vulnerability fixes”, replaces “patches and updates” to account for the multiple ways to address known software vulnerabilities.
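To show what that rule looks like when applied to a list of vendor fixes, here is an added triage script (not from the original article and not IASME's tooling). It applies the in-scope test stated above (CVSS 7.0 or above, or vendor severity high/critical), computes the 14-day deadline from the release date, and reports whether each fix was applied in time, applied late, still pending or overdue. The handling of fixes where the vendor gives no severity at all (treated as in scope) is taken from the Cyber Essentials requirements document rather than from this page. The product names, fix IDs and dates are constructed sample data, and the fix "method" field is included only to illustrate that a registry fix or configuration change counts just as a patch does.

```python
from datetime import date, timedelta

# In-scope rule as described in the article: CVSS 7.0+ or vendor rating
# high/critical. The 14-day window and the "no severity given" case come
# from the Cyber Essentials requirements document, not from the article.
CVSS_THRESHOLD = 7.0
DEADLINE_DAYS = 14
IN_SCOPE_SEVERITIES = {"high", "critical"}

# Constructed sample data: fictitious products and fix IDs, not real advisories.
# 'method' is how the vendor says to close the hole; under Willow a registry
# fix, config change or script counts the same as a patch.
SAMPLE_FIXES = [
    {"id": "FIX-001", "product": "ExampleOffice", "released": "2025-05-01",
     "cvss": 9.8, "severity": "critical", "method": "patch", "applied": "2025-05-10"},
    {"id": "FIX-002", "product": "ExampleBrowser", "released": "2025-05-03",
     "cvss": 7.2, "severity": "high", "method": "update", "applied": None},
    {"id": "FIX-003", "product": "ExampleVPN", "released": "2025-04-20",
     "cvss": 5.4, "severity": "medium", "method": "patch", "applied": None},
    {"id": "FIX-004", "product": "ExampleAgent", "released": "2025-05-15",
     "cvss": None, "severity": None, "method": "registry", "applied": None},
    {"id": "FIX-005", "product": "ExampleServer", "released": "2025-04-25",
     "cvss": 8.1, "severity": "high", "method": "config", "applied": "2025-05-12"},
]


def parse(d):
    """Accept an ISO date string, a date, or None."""
    if d is None or isinstance(d, date):
        return d
    return date.fromisoformat(d)


def in_scope(fix):
    """In scope if CVSS >= 7, vendor says high/critical, or the vendor
    gives no severity information at all."""
    cvss = fix.get("cvss")
    sev = (fix.get("severity") or "").lower()
    if cvss is None and not sev:
        return True
    if cvss is not None and cvss >= CVSS_THRESHOLD:
        return True
    return sev in IN_SCOPE_SEVERITIES


def deadline(fix):
    """Latest date the fix must be applied by: release date plus 14 days."""
    return parse(fix["released"]) + timedelta(days=DEADLINE_DAYS)


def status(fix, today):
    """One of: out_of_scope, fixed_in_time, fixed_late, pending, overdue."""
    today = parse(today)
    if not in_scope(fix):
        return "out_of_scope"
    due = deadline(fix)
    applied = parse(fix.get("applied"))
    if applied is not None:
        return "fixed_in_time" if applied <= due else "fixed_late"
    return "overdue" if today > due else "pending"


def triage(fixes, today):
    """Map each fix ID to its status as of 'today'."""
    return {f["id"]: status(f, today) for f in fixes}


def overdue_report(fixes, today):
    """Human-readable lines for overdue fixes, earliest deadline first."""
    today = parse(today)
    rows = [(deadline(f), f) for f in fixes if status(f, today) == "overdue"]
    rows.sort(key=lambda r: r[0])
    return [
        f"{f['id']} {f['product']} via {f['method']}: due {d}, {(today - d).days} days overdue"
        for d, f in rows
    ]


if __name__ == "__main__":
    as_of = "2025-05-20"
    for fid, st in triage(SAMPLE_FIXES, as_of).items():
        print(fid, st)
    for line in overdue_report(SAMPLE_FIXES, as_of):
        print(line)
```

Run against a real export from your patch management tool or vulnerability scanner, the useful output is the overdue list: anything on it is an automatic fail at assessment, whatever the vendor's recommended fix method happens to be. Note that FIX-004 is in scope despite having no CVSS score, because the vendor gave no severity information; scripts that silently drop such rows will under-report your exposure.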
IASME is also changing the Cyber Essentials Plus Test Specification, the document that certification bodies such as Method use to conduct assessments.
These changes don’t alter what applicants need to do, but we’ve included them below for completeness:
. The term ‘illustrative’ is being removed from the document title
. The scope of your Cyber Essentials Plus assessment must match your self-assessment scope, and will be verified by your assessor
. If your self-assessment doesn’t cover the whole organisation, then assessors must ensure sub-sets are segregated properly
. Assessors must verify your device sample size is calculated correctly
. Certification Bodies must retain verification evidence for the lifetime of the certificate
Cyber Essentials is a UK government scheme, run by the NCSC with IASME as its delivery partner, that protects your business against the most common cyber security threats.
The certification is only as effective as the controls it requires businesses to implement. As such, a team of cyber security experts regularly reviews the questions and marking scheme so that they continue to protect businesses against evolving threats.
As one of a handful of companies that meet the strict criteria to be an approved Cyber Essentials Certification body and a Cyber Advisor Scheme Assured Provider, Method is ideally placed to guide your business through the assessment process — regardless of the changes IASME makes.
Learn more about our Cyber Essentials packages or start your self-certification process today.