Upcoming Changes to the Cyber Essentials Question Set in April 2025 Update

The Government-approved Cyber Essentials scheme, designed to bolster cyber security across organisations of all sizes, is set to receive an update. The scheme helps businesses demonstrate their commitment to essential cyber security standards. Achieving a Cyber Essentials certification not only assures customers and partners of an organisation's adherence to these standards but also signals a trustworthy approach to data and business protection.

Since 2020, the Cyber Essentials scheme has seen the release of three updated versions, the latest being version 3.1, published in April 2023. The National Cyber Security Centre (NCSC) and IASME regularly review and update the scheme to ensure its relevance and effectiveness. The updated Cyber Essentials version 3.2 will officially come into effect on 28 April 2025.

The release of version 3.2 and its associated updates reflects the commitment to refining and enhancing cyber security practices for businesses.

Key changes in the upcoming version 3.2 include:

Software Terminology Update:

• 'Plugins' will be changed to 'extensions' for more accurate terminology.

Remote Working Update:

• 'Home working' will be updated to 'home and remote working', acknowledging the use of untrusted networks (e.g., cafes, hotels) beyond home environments.

Passwordless Authentication:

The Willow Question Set introduces passwordless authentication as an acceptable method for securing firewalls, routers, and other critical systems. This includes methods such as biometric authentication, hardware security keys, and one-time codes. While these passwordless methods offer a more secure alternative to traditional passwords, they may still require additional safeguards, such as brute-force protection or a backup password method, to ensure robustness.

It will be defined similarly to multi-factor authentication: “Passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity.”

Vulnerability Fixes Terminology Update:

In addition to changing the terminology from "patching" to "vulnerability fixes," this update also clarifies that fixes are not limited to traditional software patches.

The term "vulnerability fixes" now also covers configuration changes, registry updates, and script modifications, particularly for vulnerabilities with a CVSS score of 7 or higher, or those classified as high or critical risk.

This broadens the scope of actions that can be considered part of a security fix, ensuring a more comprehensive approach to addressing vulnerabilities.

Cyber Essentials Plus Test Specification Document Changes:

• The word 'illustrative' will be dropped from the name of the document.

• The scope of the Cyber Essentials Plus assessment must match the Cyber Essentials self-assessment and be verified by the Assessor.

• For non-'whole organisation' scopes, Assessors must verify that any sub-sets are properly segregated.

• Assessors must ensure the device sample size is calculated correctly using IASME's method.

• Certification Bodies must retain all verification evidence for the certificate's lifetime.

Organisations that initiate assessments before the April 2025 transition will continue to operate under version 3.1. This includes any assessment accounts created before the transition date.

What These Changes Mean for Your Business and Managed Service Providers

The new Willow Question Set will have a positive impact on businesses, providing clearer guidance and making the Cyber Essentials assessment process more intuitive and streamlined. These updates are designed to help businesses better align with modern cyber security practices, ensuring that they are better protected against evolving threats.

For businesses seeking Cyber Essentials Plus certification, the scope must now align with the self-assessment, meaning that the assessment must cover all relevant systems and devices. Additionally, the verification process has been enhanced, with a stronger emphasis on Assessor reviews to ensure that businesses meet the required standards.

Managed Service Providers (MSPs) will also see a more straightforward process for customers seeking Cyber Essentials and Cyber Essentials Plus certifications. The updated question set will enable clients to complete the certification with less support, while MSPs will be better equipped to guide their customers through the new requirements.

