The ever-evolving Cybersecurity landscape demands that organisations constantly adapt to new challenges. To stay relevant and effective, the UK government-backed Cyber Essentials and Cyber Essentials Plus schemes are introducing key updates in April 2025 under Version 3.2. These updates, aimed at refining terminology and enhancing security practices, are designed to address the realities of modern work environments and cyber threats.
This comprehensive guide explores the changes to Cyber Essentials and Cyber Essentials Plus and what they mean for organisations pursuing certification.
What’s New in Cyber Essentials (Version 3.2)?
The 2025 updates to Cyber Essentials include refinements in terminology, authentication methods, and vulnerability management practices, ensuring the scheme remains robust and practical.
1. Updated Terminology for Modern Work Environments
The following terminology adjustments reflect the current realities of digital work:
- “Plugins” Updated to “Extensions”: This change ensures the language aligns with contemporary software terminology, making the guidelines clearer.
- “Home Working” Expanded to “Home and Remote Working”: Recognising that remote work now encompasses more than just home offices, this update addresses risks associated with untrusted environments, such as public spaces, coworking hubs, and hotels.
2. Passwordless Authentication Takes the Spotlight
Traditional passwords are increasingly viewed as a weak link in cybersecurity, and the 2025 updates formally emphasise Passwordless Authentication methods. Cyber Essentials now defines this as “an authentication method that uses a factor other than user knowledge to establish identity.”
Common Passwordless Methods include:
- Biometric Authentication: Using unique biological markers like fingerprints or facial recognition.
- Security Keys: Physical USB tokens or smart cards to provide an added layer of security.
- One-Time Codes: Temporary codes sent via SMS, email, or authenticator apps.
- Push Notifications: Smartphone prompts allowing users to approve or deny login attempts in real-time.
3. Broadening the Definition of Vulnerability Fixes
Previously, Cyber Essentials referred to “patches and updates” as the primary method for addressing software vulnerabilities. In Version 3.2, this terminology is expanded to “vulnerability fixes,” acknowledging the variety of ways organisations can resolve security issues.
Examples include:
- Registry Tweaks: Adjustments to system configurations.
- Configuration Changes: Adjustments to settings to eliminate vulnerabilities.
- Vendor-Provided Scripts: Specialised solutions provided by software vendors.
Key Updates in Cyber Essentials Plus
Cyber Essentials Plus, the more rigorous certification level, also includes several updates in 2025 to ensure consistent assessments and transparency:
1. Simplified Document Naming
The word “illustrative” will be removed from the title of the Test Specification document, simplifying its name while retaining its purpose.
2. Alignment of Assessment Scope
The assessment scope for Cyber Essentials Plus must now directly align with the scope defined during the self-assessment stage. This ensures consistency and reduces potential gaps in security.
3. Verification for Partial Assessments
For organizations conducting a partial assessment, assessors must verify that subsets of the organization are correctly segregated from the rest of the IT infrastructure.
4. Accurate Device Sampling
Assessors are required to confirm that the number of sampled devices aligns with IASME guidelines, ensuring thorough testing across all critical systems.
5. Evidence Retention
Certification Bodies must retain verification evidence for the duration of the certificate’s validity. This enhances accountability and provides a clear audit trail.
How These Changes Benefit Organisations
The refinements introduced in Version 3.2 make the Cyber Essentials certification process more comprehensive and relevant to modern cybersecurity challenges.
- Improved Clarity: Updated terminology ensures clearer guidance for organisations and assessors alike.
- Enhanced Flexibility: The shift to “vulnerability fixes” broadens the scope of compliance, allowing organisations to implement effective, vendor-approved solutions.
- Future-Ready Authentication: Emphasising passwordless technology positions organisations ahead of evolving authentication trends.
- Consistency in Assessments: Cyber Essentials Plus updates ensure thorough and standardised evaluations across all certification bodies.
Why These Updates Are Essential for Businesses
With the growing prevalence of remote work, sophisticated cyber threats, and complex IT infrastructures, these updates to Cyber Essentials address critical challenges facing organisations in 2025.
By emphasising modern practices like passwordless authentication and proactive vulnerability management, the scheme ensures organisations are better prepared to prevent breaches and safeguard sensitive data.
For businesses navigating compliance with regulations such as GDPR, adhering to Cyber Essentials standards remains a cost-effective way to bolster cybersecurity and demonstrate trustworthiness to stakeholders.
Get Certified with Creative Networks
Navigating the latest changes to Cyber Essentials and Cyber Essentials Plus can seem daunting.
At Creative Networks, we specialise in simplifying the certification process for organizations of all sizes.
How Creative Networks Can Help
- Expert Guidance: Our team provides end-to-end support, from understanding the new requirements to achieving certification.
- Tailored Solutions: We’ll help you implement passwordless technology, vulnerability fixes, and other security measures aligned with the latest standards.
- Streamlined Process: With our expertise, you can achieve compliance efficiently and confidently.
Ready to Strengthen Your Cybersecurity?
Navigating the changes to Cyber Essentials and Cyber Essentials Plus doesn’t have to be challenging. At Creative Networks, we’re here to simplify the process and ensure your organisation meets the latest standards with ease.
Whether it’s implementing passwordless authentication, addressing vulnerabilities, or preparing for assessments, our experts will guide you every step of the way. Let us help you safeguard your business against evolving cyber threats and build trust with your stakeholders.
Contact Creative Networks today and take the first step toward a secure, compliant future!
