Keeping up with Cyber Security requirements isn’t easy. Between evolving threats, shifting frameworks, and the daily pressures of running a secure environment, the last thing you need is another curveball.
So here’s the good news: the Cyber Essentials 2025 update is a minor one.
But even small changes can trip you up if you’re not prepared.
That’s why IASME has released the details early—giving you time to plan ahead before the update goes live on 28 April 2025. Whether you’re renewing, applying for the first time, or supporting others through certification, knowing what’s changing now will save you time and stress later.
In this blog, we’ll break down the key updates to the Cyber Essentials Requirements for IT Infrastructure and Cyber Essentials Plus Test Specification—and more importantly, explain what they actually mean in practice.
We’re here to help you stay compliant and confident.
Quick Recap: What Is Cyber Essentials Certification?
Cyber Essentials is a government-backed certification scheme, owned by the NCSC and delivered by IASME, designed to help organisations guard against the most common cyber threats. At its core are five technical controls that form the foundation of good Cyber Security hygiene.
These controls cover:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
By meeting these standards, organisations demonstrate that they take Cyber Security seriously—not just internally, but across their supply chain. It’s a simple way to build trust with clients, partners, and stakeholders.
As technology advances and threats become more sophisticated, the scheme must evolve. Regular updates ensure the controls remain relevant and effective in today’s environment.
What’s Changing in Cyber Essentials Basic?
While the April 2025 update won’t bring sweeping changes, there are a few key updates to the Cyber Essentials Requirements for IT Infrastructure that are worth your attention. These changes are mostly centred around clarity, terminology, and the evolution of authentication and vulnerability management.
Let’s break them down.
Language and Terminology Updates
Two terminology updates have been made to reflect the way we use and talk about technology today:
- ‘Plugins’ is now ‘extensions’ – ‘Extensions’ is a broader, more widely recognised term that better reflects the variety of add-ons and integrations used in modern software environments.
- ‘Home working’ is now ‘home and remote working’ – Remote working isn’t just done from home; it includes co-working spaces, trains, hotels and cafés. Any location outside the organisation’s secure network perimeter now falls under this term, and the devices used there remain in scope and are assessed in the same way as devices on site.
Passwordless Authentication Is Now Recognised
Traditional passwords have long been a weak link in Cyber Security. They’re often reused, easy to guess, or stored insecurely. That’s why multi-factor authentication (MFA) became a requirement in Cyber Essentials back in 2022.
Now, the scheme is taking it a step further by recognising passwordless authentication methods.
Passwordless authentication removes the need for passwords altogether, instead using one or more alternative factors to confirm a user’s identity:
- Biometrics – such as fingerprints or facial recognition
- Security keys or tokens – like smart cards or USB keys
- App-based verification – using a mobile app to approve logins
- One-time codes or push notifications – typically sent to a trusted device
Passwordless methods can still combine more than one factor, but they no longer depend on a knowledge-based credential such as a password. This removes the most commonly phished and reused secret from the login flow and, in most cases, improves the user experience.
Vulnerability Fixes (Not Just Patches!)
Previously, the requirements referred to the need for “patches and updates” when managing vulnerabilities. This language has now been expanded to reflect the full range of vendor-approved fixes.
The term used from April 2025 onwards will be ‘vulnerability fixes’. This includes:
- Software patches and updates
- Registry fixes
- Configuration changes
- Vendor-supplied scripts
- Any other approved method for addressing a known vulnerability
What’s New in IASME Cyber Essentials Plus Requirements?
If your organisation already holds Cyber Essentials or is planning to take the next step with Cyber Essentials Plus, there are a few important updates to be aware of.
These changes don’t affect the technical controls themselves. Instead, they focus on how the Cyber Essentials Plus assessment is carried out and verified. In other words, they’re about clarity, consistency, and making sure assessments are robust.
Let’s take a closer look.
Scope Alignment Is Key
One of the biggest changes is around scope. From April 2025, the scope of the Cyber Essentials Plus assessment must match the scope of the Cyber Essentials self-assessment. This ensures consistency between both stages of certification.
What does this mean in practice?
If your self-assessment only covered a specific department or subset of your network, your Plus assessment needs to follow that same boundary. No last-minute scope changes. No grey areas.
Sub-Set Validation by Assessors
If your Cyber Essentials application doesn’t cover the whole organisation, the Assessor must now verify that any sub-sets have been properly segregated from the rest of the infrastructure.
This is to confirm that what’s “in scope” is clearly separated from what’s “out of scope”—and that no crossover could introduce risk.
Evidence Retention Requirements
Lastly, Certification Bodies must now retain all verification evidence for the lifetime of the certificate (12 months).
This change won’t affect your day-to-day operations, but it’s worth knowing. It introduces stronger accountability and ensures evidence can be reviewed or audited later if needed.
What Should You Do Now For Cyber Essentials?
The updated requirements won’t officially come into effect until 28 April 2025, but it’s worth preparing now—especially if you’re planning to renew or apply after that date.
A few small changes now can save time, confusion, and extra work down the line.
Here’s how to get ahead:
Make sure your internal policies, templates, and guidance reflect the new terminology. Check for things like:
- References to ‘plugins’ – update to ‘extensions’
- Mentions of ‘home working’ – update to ‘home and remote working’
- Any outdated language that could create confusion during your assessment
Now’s a good time to review how your users log in and access key systems. Ask yourself:
- Are you still relying mainly on passwords?
- Have you introduced multi-factor authentication across internet-facing services?
- Could you explore passwordless options such as:
  - Biometric login (e.g. fingerprint or facial recognition)
  - Security tokens or smart cards
  - App-based authentication or push notifications
Even if full adoption isn’t feasible right now, starting the conversation internally will help shape your future strategy.
The shift to the term ‘vulnerability fixes’ means you may need to broaden your internal definitions. Fixes now include:
- Patches and updates
- Registry changes
- Vendor-supplied scripts
- Configuration changes
- Any other method approved by the software vendor
Make sure your vulnerability management process reflects this updated language—and that your teams understand what counts during assessments.
If your organisation is planning to renew soon, or is working towards Cyber Essentials Plus for the first time, it’s worth having a quick check-in with your Certification Body. They can advise on how these changes may apply to your specific situation and help you prepare.
By acting early, you’ll avoid last-minute surprises—and make sure your next Cyber Essentials assessment runs smoothly from the start.
Your Cyber Essentials Checklist Starts Here
While the 2025 updates to Cyber Essentials are relatively minor, they reflect the continued evolution of the scheme in response to changing technologies and working practices. For organisations looking to stay compliant—and stay ahead—it pays to prepare early.
Whether you’re applying for the first time or renewing your existing certification, we’re here to help. At Equilibrium, we make the process as smooth as possible, guiding you through every step and helping you pass with flying colours.
Need support with Cyber Essentials Basic or Plus?
Give us a call on 0121 663 0055 or email enquiries@equilibrium-security.co.uk – we’d love to help.