Cyber Essentials April 2025 Update: What You Need to Know
Today, cyber security is a cornerstone of organisational success and resilience. As organisations increasingly rely on digital infrastructures, sensitive data, and interconnected networks, protecting these assets has become more critical than ever.
The UK government-backed Cyber Essentials scheme has long been a pivotal framework for helping businesses safeguard against cyber threats. It is updated regularly to keep it effective; the latest changes come into force on 28 April 2025, and all applications submitted from that date will be assessed against the updated standards.
What is Cyber Essentials?
Launched in 2014, Cyber Essentials is a government-backed initiative designed to help organisations protect themselves from common cyber threats. It provides a set of baseline technical controls aimed at preventing the most common forms of cyber-attacks, such as phishing, malware, and ransomware. Certification offers businesses a practical way to demonstrate their commitment to cyber security, giving clients, partners, and employees added confidence.
Key updates to Cyber Essentials in 2025
Regular updates to Cyber Essentials reflect the government’s ongoing commitment to fortifying the nation’s cyber resilience. By regularly updating the framework, Cyber Essentials ensures that organisations stay ahead of emerging threats and adopt best practices to protect their systems and data. These updates address changes in technology, newly identified risks, and lessons learned from recent cyber security incidents. Furthermore, regular revisions demonstrate a proactive approach to security, fostering trust and confidence among businesses, their customers, and stakeholders.
The changes introduced in the April 2025 update to the Cyber Essentials requirements for IT Infrastructure document (V3.2) are relatively minor, focusing primarily on adjustments to the definitions.
New in the Cyber Essentials Requirements for IT Infrastructure Document:
- Passwordless authentication: following the mandated use of multi-factor authentication in 2022, the requirements now recognise account access technologies that verify identity securely without a traditional password. For example, users will be able to sign in with biometrics such as a face or fingerprint scan, one-time passcodes, or QR codes. Push notifications sent directly to a user's phone can also be used to approve or deny a sign-in attempt.
- Software definition updated: the software definition now includes the term ‘extensions’ instead of ‘plugins’, offering improved accuracy. For example, the new phrasing makes it easier to describe various software types, such as operating systems and firewall firmware.
- Vulnerability fixes added: the term 'vulnerability fixes' also replaces the old phrasing 'patches and updates'. The new term reflects that remediating a vulnerability is not limited to installing a vendor patch: identified software weaknesses may be rectified through configuration changes, security updates, or scripts, and the requirement covers all of these methods.
- ‘Home working’ phrase extended to ‘home and remote working’: terminology will also be updated to encompass all forms of remote work, including work conducted outside of the home or office, in various public spaces like hotels, trains, and cafes.
Updated in the Cyber Essentials Plus Test Specification:
- New verification pointers introduced: as well as removing the word ‘illustrative’ from the document name, new verification pointers have been added to ensure the Cyber Essentials Plus assessment scope aligns with the self-assessment certificate.
- Verification of segregation by sub-set added: in the updated Cyber Essentials Plus document, guidelines have been added to confirm that any organisational subsets have been properly segregated using technical methods prior to testing.
- Verification of sampling added: the final change to the Cyber Essentials Plus document adds verification of sampling. This emphasises the need for a representative sample of devices during testing and provides specific guidance on how to determine an appropriate sample size.
Why Cyber Essentials matters now more than ever
Rising cyber threats
Cyber-crime continues to grow in scale and sophistication, with attacks becoming more targeted and disruptive. From ransomware attacks on critical infrastructure to data breaches affecting millions, the need for robust cyber security measures has never been greater. Cyber Essentials provides a foundational defence that significantly reduces an organisation’s vulnerability.
Compliance and legal requirements
Adhering to cyber security best practices is no longer just good business sense; it is a legal and regulatory necessity. The General Data Protection Regulation (GDPR) and other data protection laws, such as the Data Protection Act, require organisations to implement appropriate security measures. Cyber Essentials certification helps demonstrate compliance, reducing the risk of regulatory penalties.
Boosting business reputation and trust
In a competitive market, trust is a key differentiator. Clients and partners increasingly seek assurance that their data is handled securely. Achieving Cyber Essentials certification provides a clear signal that your organisation takes cyber security seriously, enhancing your reputation and building trust.
Facilitating public sector contracts
Many UK government contracts require Cyber Essentials certification as a prerequisite. By obtaining certification, businesses can access lucrative opportunities in the public sector, giving them a competitive edge.
Steps to achieve Cyber Essentials Certification in 2025:
Getting certified under the updated Cyber Essentials program involves several steps:
- Assess your current cyber security measures: begin by reviewing your organisation's existing cyber security practices against the Cyber Essentials requirements. Identify gaps and areas for improvement, particularly in areas like authentication, cloud security, and endpoint protection.
- Implement necessary changes: address any identified weaknesses by implementing the required controls. This may involve updating software, configuring firewalls, deploying security patches, and formalising your incident response plan.
- Complete the self-assessment questionnaire: the certification process starts with a self-assessment questionnaire (SAQ), which evaluates your compliance with the Cyber Essentials controls. The questionnaire must be submitted to an accredited certification body for review.
- Undergo a technical audit (for Cyber Essentials Plus): for organisations seeking the more advanced Cyber Essentials Plus certification, a technical audit is required. This involves a hands-on assessment of your IT systems by a qualified assessor to verify that the controls are implemented effectively.
- Achieve certification: once your application is approved, you will receive your Cyber Essentials certificate, which is valid for one year. To maintain certification, you’ll need to complete the process annually and keep up with any new updates to the framework.
Final word
The 2025 update to Cyber Essentials marks another step forward in improving the cyber security posture of UK businesses. By emphasising areas like passwordless authentication and remote working, the program stays relevant and valid for the modern workplace.
Achieving Cyber Essentials certification not only enhances your security but also demonstrates your commitment to protecting client and employee data, ensuring business continuity, and maintaining trust.
To start your journey towards Cyber Essentials certification and secure your place in a safer digital future, please get in touch with our friendly cyber team using the button on this page.