Executive Summary
- As is quickly becoming a spring tradition, the NCSC is once again updating its Cyber Essentials scheme in April 2025, this time with version 3.2 of the requirements.
- The focus this time is on cleaning up definitions, updating the approach to authentication, and some other small bits of housekeeping and fine-tuning.
- The key changes you should know about are: wording updates (e.g. “plugins” becoming “extensions”), the explicit inclusion of remote working, the recognition of passwordless authentication, and a broader definition of “vulnerability fixes” that replaces “patches and updates.”
Introduction
Let’s be honest, keeping up with cybersecurity can feel like something of an uphill battle.
Just when you think you’re getting on top of things, the threat landscape shifts and a new vulnerability rears its head.
That’s exactly why schemes like Cyber Essentials, run by the UK’s National Cyber Security Centre (NCSC), are so valuable. They give organisations like yours a security baseline that defends against the most common, largely untargeted, cyberattacks. To keep that baseline effective, it needs updating from time to time.
So, what’s coming for Cyber Essentials in 2025? Good news: it’s not a major overhaul like the one we saw back in 2022. This time, it’s more about fine-tuning and sharpening the wording.
Here’s how.
Why does Cyber Essentials change so often?
“Another update already?” we hear you ask, and it’s a fair point.
But the reason Cyber Essentials keeps changing is simple: the cyber threat landscape is a moving target. Attackers are constantly finding new ways to exploit weaknesses, and the technology organisations use is always evolving. If Cyber Essentials didn’t keep pace, neither would the organisations that rely on it to keep their defences in shape.
We’ll summarise the most important updates from the April 2025 Cyber Essentials requirements (version 3.2) below, but if you’ve got some time to spare, the NCSC publishes the full 29-page requirements document.
Terminology tweaks
Even in cybersecurity, words matter. That’s why the NCSC has made a couple of minor wording changes in version 3.2 to make things clearer.
- “Plugins” become “extensions”: “Plugins” is already widely understood, but it’s being swapped for the term “extensions.” The rationale is that it’s a more accurate and more standardised way to describe this type of add-on software, which, like any other installed software, must be supported, licensed and kept up to date.
- “Home working” becomes “home and remote working”: With flexible working now the norm, many of us are no longer confined to either the office desk or the kitchen table. People are working from all sorts of places: cafés, trains, you name it. So “home working” is becoming “home and remote working” to make clear that the same requirements apply wherever a device connects from.
Say goodbye to “Password123”
Passwords. It’s a topic that we’ve covered in great depth here at Get Support.
And, as has always been the case, passwords remain a significant weak spot in an organisation’s security. That’s why passwordless authentication is such a big move in the right direction.
With the April 2025 update, Cyber Essentials formally recognises passwordless authentication as an acceptable method. This means biometric authentication (fingerprints, facial recognition), hardware security keys and tokens, one-time codes, and push notifications to a trusted device are now part of the Cyber Essentials picture, rather than being squeezed into wording written with passwords in mind.
It’s a big step towards a future where remembering endless passwords is a distant memory… and we’ll drink to that!
Vulnerability fixes
No matter how good your software may be, there’s always the chance for a vulnerability to rear its ugly head. Luckily, vendors like Microsoft release regular patches and updates to fix them.
But fixes aren’t always just patches.
With this in mind, Cyber Essentials is moving from the terminology “patches and updates” to the broader term “vulnerability fixes.” This covers patches, updates, registry fixes, configuration changes, scripts: basically, anything the vendor recommends to fix a known vulnerability. The practical implication is that the existing 14-day deadline for applying fixes to critical and high-risk vulnerabilities now clearly applies to these other fix types as well, not just to installable patches.
Changes to the Cyber Essentials Plus test specification document
The Cyber Essentials Plus Test Specification document is the reference for assessors carrying out Cyber Essentials Plus assessments on behalf of IASME, the NCSC’s Cyber Essentials delivery partner, and the Certification Bodies it licenses.
It’s effectively the rulebook for the “Plus” level of certification, setting out the tests and criteria organisations need to meet to achieve that higher level of assurance. It’s also available publicly, so organisations can get an idea of what to expect.
Here’s what’s changing with v3.2:
- “Illustrative” has been dropped from the title, making it crystal clear that this is the document assessors must follow.
- The Cyber Essentials Plus assessment scope must match the Cyber Essentials self-assessment scope.
- If the self-assessment isn’t “whole organisation,” the assessor has to check that any in-scope subsets are properly segregated from the rest of the network.
- The assessor must verify the device sample size calculation, rather than taking it on trust.
- And finally, all verification evidence must be retained by the Certification Body for as long as the certificate is valid, for audit purposes and accountability.
Want to know more about Cyber Essentials?
If you’re looking to give your customers confidence that your organisation takes cybersecurity seriously, Cyber Essentials certification is a good way to demonstrate it.
If this is the first you’re hearing of it, or you’d like to know more about how to get started, ask your Get Support Customer Success Manager or call us on 01865 594000.