April 2025 Update
The Cyber Essentials standard celebrated its 10th birthday this year, and each passing year typically results in updates to the scheme to ensure it remains relevant to the ever-evolving cybersecurity sphere. This widely adopted standard has helped organisations of all types and sizes implement simple but effective security controls to ward off commodity cyber-attacks. April 2025 will see the launch of the latest version, codenamed ‘Willow’. Here is a breakdown of the forthcoming update.
Passwordless Authentication
To keep pace with the authentication methods vendors are now introducing, “Passwordless” authentication has been added as one of the approved means for users to access systems or services, wherever it is supported.
The premise of this authentication method is to utilise a factor other than user knowledge (i.e., password/passphrase) to establish identity. Examples include, but are not limited to, biometrics, trusted devices, one-time codes, QR codes, and push notifications.
Vulnerability Fixes
To ensure that applicants are properly applying security fixes, an improved definition has been recorded within the official guidance documents. Previous iterations of the scheme would simply refer to “Security Patches” when referencing the updates vendors publish. The new term, “Vulnerability Fixes”, is more inclusive of the many ways in which suppliers may deliver a fix, e.g., registry fixes, configuration changes, or running scripts provided by the vendor.
Sub-Sets Segregation
Applicants may use the sub-set clause to segregate a portion of a network environment, whether to isolate a business function, to de-scope unsupported systems/services, or to meet other scoping requirements. The official definition of a sub-set set out by IASME is:
“Part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.”
Further emphasis has been placed on assessors to verify by technical means that when the Cyber Essentials self-assessment scope is not ‘Whole Organisation’, any sub-sets have been segregated effectively.
Other Updates
Further clarity and improvements have been made to the official guidance published by the National Cyber Security Centre (NCSC) and their delivery partner IASME. The following points have now been documented and emphasised.
- The scope of the Cyber Essentials Plus assessment must match the associated Cyber Essentials self-assessment and be verified by the assessor.
- The assessor must verify that the device sample size has been calculated correctly using the method determined by IASME.
- All verification evidence must be retained by the certification body for the lifetime of the certificate.
Want to read more on the changes due in April 2025? Here are some links:
Get in Touch
If you are looking to certify for the first time or are seeking a new Cyber Essentials delivery partner, Pentest Cyber is the certification body for you.