What Are The Changes to Cyber Essentials in April 2025?

In April 2025 there will be changes to Cyber Essentials and Cyber Essentials Plus here's what you need to know.

‍

What’s Changing in Cyber Essentials in April 2025?

The upcoming April 2025 update, Version 3.2, introduces minor refinements primarily focused on terminology. Here’s a breakdown of what’s new:

‍

• Software Terminology Update: The term ‘plugins’ has been changed to ‘extensions’ for greater accuracy, in line with modern software terminology.
• Remote Work Definitions: Recognising that remote work doesn’t just mean working from home, ‘home working’ has been updated to ‘home and remote working.’ This change acknowledges that working outside a company’s network often involves untrusted environments, from cafes and hotels to trains and other public spaces.

‍

A Focus on Passwordless Authentication

Periculo knows that passwords are a weak link in cybersecurity. The growing shift towards passwordless authentication reflects the need for stronger, more reliable forms of identity verification. Passwords, while easy to use, are susceptible to being reused, forgotten, or hacked. Cyber Essentials addressed this vulnerability in 2022 by requiring multi-factor authentication (MFA) for all internet-facing accounts.

‍

The 2025 update goes further by formally recognising passwordless technology, which eliminates passwords entirely. These solutions use multiple forms of authentication, including digital certificates, cryptographic techniques, or biometric verification combined with app-generated codes. Cyber Essentials now defines passwordless authentication as “an authentication method that uses a factor other than user knowledge to establish identity.”

‍

Examples of passwordless methods that we recommend to our clients include:

• Biometric Authentication: Validates identity using fingerprints, facial features, or other unique biological markers.
• Security Keys or Tokens: Physical devices like USB keys or smart cards, adding a layer of physical security.
• One-Time Codes: Temporary codes sent to users via email, SMS, or an app.
• Push Notifications: A prompt on a smartphone where users can approve or deny login attempts.

‍

Passwordless technology significantly reduces the risks associated with traditional passwords and supports a more secure user experience.

‍

Enhanced Focus on Vulnerability Fixes

With the April 2025 update, Cyber Essentials has shifted from ‘patches and updates’ to a broader ‘vulnerability fixes’ term within its security update management section. This update clarifies that there are multiple ways to resolve software vulnerabilities, and the fix may come in various forms beyond standard patches, including registry tweaks, configuration changes, or vendor-provided scripts.

‍

For Periculo clients, here’s what this update means: under the term ‘vulnerability fixes’, you’ll have flexibility in how your organisation addresses vulnerabilities, as long as fixes are vendor-approved. By covering every type of remediation, this change helps you achieve compliance and stay secure against new threats.

‍

Updates to the Cyber Essentials Plus Test Specification Document

The Cyber Essentials Plus Test Specification document, designed for assessors performing Cyber Essentials Plus evaluations, will see several key changes that affect clients undergoing this assessment:

‍

• Name Simplification: The word ‘illustrative’ will be removed from the document title.
• Aligned Assessment Scope: The assessment scope for Cyber Essentials Plus must directly match the self-assessment scope and be verified by the assessor.
• Scope Validation for Partial Assessments: If the Cyber Essentials self-assessment covers only part of the organisation, the assessor must verify that the sub-sets are correctly segregated.
• Correct Calculation of Device Sample Size: The assessor will confirm that the device sample size aligns with the IASME’s guidelines.
• Evidence Retention: All verification evidence must be retained by the Certification Body for the certificate’s duration, ensuring transparency and accountability.

‍

These updates ensure that Cyber Essentials Plus assessments remain rigorous and consistent, providing you with an objective validation of your cybersecurity controls.

‍

How Periculo Can Help

Navigating these updates doesn’t have to be a challenge. At Periculo, we’re here to ensure that you’re always a step ahead in cybersecurity. Our team can guide you through the new requirements, help implement passwordless authentication solutions, streamline your vulnerability management processes, and support you in achieving and maintaining Cyber Essentials Plus certification.

‍

Want to stay secure and compliant in 2025? Contact Periculo today to find out how we can help your organisation adapt to the latest Cyber Essentials requirements and continue protecting what matters most.