Cyber Essentials update at a glance:
Effective date: 28 April 2025
Changes: The Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certification schemes now recognise a wider range of authentication methods (including passwordless options), explicitly cover remote as well as home working, and tighten the definition and timing of vulnerability fixes.
Affected parties: All UK businesses with data or digital assets seeking/needing CE or CE+.
Non-compliance: Vulnerabilities rated high or critical must be fixed within 14 days of the vendor releasing a fix. Failure to do so may result in loss of certification, with knock-on effects on operations and reputation.
Modernising CE and CE+
Since 2014, the government-backed certification standard Cyber Essentials has been helping UK businesses of all shapes and sizes guard against the most common types of cyber attacks. If you store data or have digital assets, Cyber Essentials can help keep them safe.
As of April 2025, significant updates have been implemented to the Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certification schemes to ensure they remain relevant in today's evolving digital landscape. These changes, introduced in the "Willow" version effective 28 April 2025, seek to strengthen cyber security standards and address modern working practices.
Enhanced authentication methods
The 2025 update expands beyond the multi-factor authentication requirements introduced in 2022 to include passwordless authentication options such as:
- Biometrics
- One-time codes
- QR codes
- Security tokens
- Push notifications
These methods reduce the risks associated with password reuse and credential phishing by removing the shared secret that a user can be tricked into typing into a fake login page. Note that not every option on the list is equally phishing-resistant: hardware-bound credentials (security tokens, and biometrics that unlock a device-bound key) cannot be replayed to another site, whereas one-time codes and push approvals can still be relayed in real time or worn down by repeated prompts, so the choice of method should match the sensitivity of the account.
Remote work recognition
Terminology has changed from "home working" to "home and remote working," acknowledging that employees frequently access company systems from various untrusted locations, including hotels, cafes, and public transport.
Organisations must implement robust security measures for all remote access scenarios, with a mandatory assessment of cloud security configurations.
Vulnerability management enhancement
The scheme now provides a more precise definition of "vulnerability fixes" extending beyond traditional patching. This broader approach encompasses the following:
- Registry fixes
- Configuration changes
- Scripts
- Other vendor-approved remediation methods
Under the new Willow specification, the business must resolve all vulnerabilities rated as high or critical risk (CVSS v3.1 base score of 7.0 or above) within 14 days of the vendor releasing a fix, whether that fix is a conventional patch or one of the other vendor-approved remediation methods listed above.
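To make the 14-day rule concrete, here is a small Python tracker, added as an illustration for this article (it is not code from the original page, nor from NCSC or IASME). It classifies each finding against the CVSS 7.0 threshold and the 14-day clock, treats configuration and registry changes as fixes on the same footing as patches, and reports items that are awaiting a vendor fix separately so they are not silently lost. The finding IDs, asset names and dates are constructed sample data, and the assumption that "within 14 days" means on or before release plus 14 calendar days is marked in the code.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14          # Willow: high/critical fixes applied within 14 days of release
CVSS_THRESHOLD = 7.0   # CVSS v3.1 base score 7.0 or above is in scope


@dataclass
class Finding:
    finding_id: str
    asset: str
    cvss: float
    fix_type: str                   # "patch", "config", "registry", "script", ...
    fix_released: Optional[date]    # None: the vendor has not released a fix yet
    remediated: Optional[date]      # None: the fix has not been applied yet


def in_scope(f: Finding) -> bool:
    """High/critical by the scheme's CVSS rule; 7.0 itself is in scope."""
    return f.cvss >= CVSS_THRESHOLD


def deadline(f: Finding) -> Optional[date]:
    """Assumption: 'within 14 days' means on or before release + 14 calendar days."""
    if f.fix_released is None:
        return None
    return f.fix_released + timedelta(days=SLA_DAYS)


def status(f: Finding, today: date) -> str:
    """Classify one finding relative to the 14-day window as of `today`."""
    if not in_scope(f):
        return "out-of-scope"
    if f.fix_released is None:
        # No vendor fix exists, so the clock has not started; track it, don't drop it.
        return "awaiting-fix"
    due = deadline(f)
    if f.remediated is not None:
        return "fixed-in-sla" if f.remediated <= due else "fixed-late"
    return "overdue" if today > due else "open"


def report(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Group finding IDs by status so overdue items are visible at a glance."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(status(f, today), []).append(f.finding_id)
    return grouped


# Constructed sample data for illustration only (not real findings or assets).
SAMPLE = [
    Finding("VULN-001", "laptop-01", 9.8, "patch",    date(2025, 5, 1),  date(2025, 5, 10)),
    Finding("VULN-002", "laptop-02", 7.0, "config",   date(2025, 5, 1),  None),
    Finding("VULN-003", "laptop-03", 6.9, "patch",    date(2025, 5, 1),  None),
    Finding("VULN-004", "server-01", 8.1, "patch",    None,              None),
    Finding("VULN-005", "server-02", 7.5, "registry", date(2025, 5, 12), None),
    Finding("VULN-006", "server-03", 8.8, "script",   date(2025, 4, 20), date(2025, 5, 6)),
]

if __name__ == "__main__":
    for state, ids in sorted(report(SAMPLE, date(2025, 5, 20)).items()):
        print(f"{state:13s} {', '.join(ids)}")
```

Run it as-is to see the grouping for 20 May 2025; in practice the sample list would be replaced by the output of your vulnerability scanner, and the `fix_type` column is a reminder that a registry or configuration change is an acceptable fix only when the vendor endorses it.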
Audit timeline
CE+ assessments may start soon after notice is given
CE+ requires the technical audit to be completed within 30 days of notice being served. The assessment itself can begin once a 72-hour (three working days) notice period has elapsed, which underlines that cyber security must be "business as usual" rather than a periodic compliance exercise.
International standards alignment
The updated framework aligns more closely with global cyber security standards, including those from the National Institute of Standards and Technology (NIST). This alignment enhances credibility for UK businesses working with international partners and clients.
In April 2025, NCC Group released the 3rd edition of our Global Cyber Policy Radar Report, enabling businesses to deeply understand and meet their domestic and international compliance obligations. Download your free copy here.
Business implications
The 2025 updates reinforce that Cyber Essentials should be integrated into everyday business operations rather than treated as an annual tick-box exercise. Organisations that embed these practices as Business as Usual (BAU) will:
- Shift from reactive to proactive cyber security posture
- Maintain critical security controls consistently
- Catch misconfigurations and vulnerabilities early
- Build operational confidence among staff and stakeholders
- Gain a competitive advantage in procurement processes
- Experience smoother certification renewals
What UK businesses must do
To prepare for and comply with the updated requirements, UK businesses should:
1. Review authentication systems - Evaluate and implement appropriate passwordless authentication options to strengthen access security.
2. Enhance remote access policies - Update security measures for all remote working scenarios, ensuring robust protection regardless of employee location.
3. Implement effective vulnerability management - Establish processes to identify, assess, and remediate high and critical vulnerabilities within the required 14-day window.
4. Document unsupported software - Identify and clearly document any unsupported software or cloud services in scope, with appropriate justification and risk mitigation measures.
5. Integrate compliance as BAU - Transform Cyber Essentials compliance from an annual project to an ongoing business process with regular monitoring and maintenance.
6. Be alert to CE+ assessments (72-hour notice period) - You will be given 72 hours' notice, after which the CE+ test can take place at any point within the 30-day window. Keep systems and documentation in an audit-ready state at all times so the shorter lead time does not catch you out.
7. Align with International Standards and Regulations - Whilst it isn't a direct requirement of the new 'Willow' update, NCC Group recommends all CE/CE+ applicants to also assess for global cyber security frameworks relevant to their business or supply chains (international or sector markets).
By treating Cyber Essentials as a framework for ongoing cyber resilience rather than merely a certification requirement, UK businesses can achieve compliance and establish meaningful protection against the evolving threat landscape.
Early preparation and a thorough understanding of these changes will help organisations strengthen their defences while streamlining the certification process.
Get our support – Ultimate CE/CE+ preparation
For over a decade, we've been helping our clients to prepare as best as possible before submitting the self-assessment questionnaire (SAQ) by conducting vulnerability scans, recommending and supporting any fixes, patches, or updates, and outlining any other remediation actions required ahead of obtaining your CE/CE+ certification.
Our Cyber Essentials services are conducted exclusively by experienced specialists with the skills and qualifications needed to meet the requirements set out by NCSC. We'll introduce you to one of our dedicated CE assessors, who have a wealth of technical and compliance expertise across the cyber landscape.
The assessment team works around your operations and will conduct its work without creating disruption or operational downtime for your business. Most of our services can be undertaken entirely remotely and within hours of finalising your requirements.
Why are we so confident we can help?
Not only do we have an excellent track record, but we also evaluate SAQ submissions on behalf of IASME. For an extra bit of insight, here are some of the "Do's and Don'ts" we've captured based on our recent CE projects and evaluations:

Cyber Essentials certification made easy.
Tell us a bit more about your organisation and our experts would be happy to discuss how we can take you through CE or CE+ from start to finish.