Key Changes in Cyber Essentials Requirements for 2025 and How to Prepare
In today’s rapidly evolving digital landscape, keeping up with cyber security standards is essential to protecting sensitive data and ensuring business continuity. The Cyber Essentials and Cyber Essentials Plus schemes, backed by the UK government, provide a clear framework to help organisations enhance their cyber security.
Cyber Essentials requirements are updated regularly: the previous version, 3.1, was published in April 2023, and the latest, Version 3.2, came into effect on 28 April 2025. These updates keep the scheme relevant to new cyber threats and to changes in how organisations use technology. Because the standard is reviewed annually, each update is a reminder that compliance is an ongoing exercise, not a one-off, and that staying current is what protects sensitive data and maintains client trust.
‘Cyber Essentials: Requirements for IT Infrastructure Version 3.2’ (CEv3.2) introduces updates aimed at addressing modern threats and work environments. Here’s an overview of the changes and practical steps for preparing your firm.
Key Updates in Cyber Essentials Version 3.2
- Modern Work Environments
To reflect today’s varied work settings, ‘Home Working’ has been expanded to ‘Home and Remote Working’. This update acknowledges work taking place in public spaces or coworking hubs, ensuring security measures apply to all scenarios.
- Passwordless Authentication
Passwords have long been the weakest link in authentication: they are reused, guessed, phished and leaked in breaches. Version 3.2 recognises passwordless authentication as an acceptable access control, naming four methods: biometrics (for example a fingerprint or face), a physical security key or token, a one-time code, and a push notification to a trusted device. These methods remove the risk of a stolen or weak password while generally making sign-in quicker for the user.
- Expanded Vulnerability Management
The term ‘patches and updates’ has been broadened to ‘vulnerability fixes’. This recognises that a vendor may address a security issue by means other than a traditional patch, such as a registry adjustment, a configuration change, or a script, and that these fixes must be applied within the same timescales as patches. The fix must still be one the vendor provides or approves; a home-grown workaround does not count.
- Refinements in Cyber Essentials Plus
Cyber Essentials Plus introduces stricter requirements to improve assessment consistency. Key updates include:
- Scope Alignment: The scope defined during self-assessment must now match the Plus assessment scope.
- Partial Assessments: Assessors must verify proper segregation for subsets of an organisation’s IT infrastructure.
- Device Sampling: Assessors will confirm that device samples align with guidelines for thorough testing.
- Evidence Retention: Certification bodies must keep evidence supporting assessments for the validity period of the certificate.
How to Prepare in 6 Key Steps
Adapting to these changes requires a proactive approach. Here are six key steps:
- Review Policies and Procedures – Review and update your policies to align with the latest requirements, focusing on areas like remote working and passwordless authentication. For example, ensure your remote working policy requires the use of up-to-date devices and introduce passwordless methods like fingerprint or facial recognition for secure access.
- Train Your People – Ensure your team understands the new standards. Training should cover the broader definition of vulnerability fixes and how to use the new authentication methods. Regular, engaging training sessions maintain awareness and better equip individuals to recognise and respond to evolving cyber threats.
- Implement Passwordless Authentication – Start moving away from traditional passwords by using passwordless methods such as fingerprint or facial recognition. For example, business-grade laptops like Dell Latitude 5550 models include fingerprint readers that work with Windows Hello, so the fingerprint unlocks a credential tied to that specific device instead of a password being typed. Windows Hello facial recognition works the same way. However, simply adopting these technologies isn’t enough without the right policies in place. Conditional access policies, which permit sign-in only from approved, compliant corporate devices, are a core part of a zero-trust approach: they ensure that only devices meeting your organisation’s security standards can reach sensitive systems and data, regardless of where the user is working. Without controls like these you leave gaps that could expose your organisation to attack, so educate your team on why the device, not just the user, has to be trusted.
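The conditional access control described above, expressed as a concrete policy, is shown here as an added example; it is not code from the original article. It assumes Microsoft Entra ID with the Microsoft.Graph PowerShell SDK installed, an administrator account holding the Policy.ReadWrite.ConditionalAccess permission, and an existing break-glass group whose object ID you substitute for the placeholder. The policy name and the choice to start in report-only mode are this example's, not the article's.

```powershell
# Added example (not from the original article): create an Entra ID Conditional Access
# policy that grants access to all cloud apps only from a compliant (Intune-managed)
# device AND with MFA, which covers Windows Hello and security-key sign-in.
# Assumptions: Microsoft.Graph SDK present; the group ID below is a placeholder for
# your break-glass/emergency-access group, which must be excluded so a misconfigured
# policy cannot lock every administrator out.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require compliant device and MFA (CE v3.2 preparation)"
    # Start in report-only mode, review the sign-in logs for unexpected blocks,
    # then change this to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-group-object-id>")   # placeholder
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "AND"                      # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Report-only mode is the safe starting point: it records what the policy would have done without enforcing it, so you can find the unmanaged laptop or the service account that would have been blocked before anyone is actually locked out.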
- Broaden Vulnerability Management – Extend your patching process to cover every kind of vendor-provided fix, including scripts, registry changes and configuration changes, and track them to the same deadlines as patches. Restarting devices regularly is part of this: it is not a fix in itself, but many updates and configuration changes only take effect after a reboot, so a device that has ‘installed’ a fix and not restarted is still exposed. A restart also clears temporary state and often improves stability and performance.
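A practical check for the point above, added here as an example rather than taken from the original article: audit a Windows endpoint for a recent update, for a registry-based vulnerability fix, and for a reboot that is still pending. The 14-day window is the Cyber Essentials timescale for applying critical and high-severity fixes; the registry key, value name and expected value are placeholders chosen for illustration and should be replaced with the key named in the vendor's actual guidance.

```powershell
# Added example (not from the original article): audit a Windows endpoint for
#   1. a cumulative update installed within the required window,
#   2. a vendor-recommended registry mitigation being present and correct,
#   3. a pending reboot, meaning an installed fix is not yet in effect.
# Run in an elevated PowerShell session. Registry key/value below are placeholders.
param(
    [int]    $MaxDaysSinceUpdate = 14,   # Cyber Essentials: critical/high fixes within 14 days
    [string] $MitigationKey      = 'HKLM:\SOFTWARE\Policies\Example\Mitigation',  # placeholder
    [string] $MitigationName     = 'Enabled',                                    # placeholder
    [int]    $MitigationExpected = 1
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Most recent dated hotfix (InstalledOn is null for some entries, so filter those out).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings.Add("No dated hotfixes found; check Windows Update history manually.")
} elseif (((Get-Date) - $latest.InstalledOn) -gt [TimeSpan]::FromDays($MaxDaysSinceUpdate)) {
    $findings.Add("Last update $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString()), older than $MaxDaysSinceUpdate days.")
}

# 2. Registry-based fix: the value must exist AND hold the expected setting.
$actual = Get-ItemProperty -Path $MitigationKey -Name $MitigationName -ErrorAction SilentlyContinue
if ($null -eq $actual) {
    $findings.Add("Mitigation value $MitigationKey\$MitigationName is not set.")
} elseif ($actual.$MitigationName -ne $MitigationExpected) {
    $findings.Add("Mitigation value is $($actual.$MitigationName), expected $MitigationExpected.")
}

# 3. Pending reboot: any of these well-known markers means a fix is installed but not active.
$rebootMarkers = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$pending = ($rebootMarkers | Where-Object { Test-Path $_ }).Count -gt 0
$sessionMgr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
if ($sessionMgr.PendingFileRenameOperations) { $pending = $true }
if ($pending) {
    $findings.Add("Reboot pending: installed fixes are not fully applied until the device restarts.")
}

if ($findings.Count -eq 0) {
    "OK: updates current, mitigation set, no reboot pending."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run this from your RMM or as a scheduled task and keep the output: a dated record that the fix was present and the device had restarted is exactly the evidence an assessor will ask for.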
- Prepare for Cyber Essentials Plus – Get ready for Cyber Essentials Plus by checking that what you included in your initial self-assessment matches what will be checked during the Plus certification process. Make sure you have clear processes in place to separate parts of your IT system where needed and to select devices for testing in a way that meets the certification rules.
- Keep Comprehensive Records – Document all cyber security measures and retain evidence for the certificate’s duration to streamline the verification process. Keep clear records of all your cyber security measures, such as software updates, staff training, and steps taken to fix vulnerabilities. This documentation is essential for maintaining your Cyber Essentials certification and showing your commitment to security. Partnering with an IT managed service and security provider like Lugo can simplify this process, as every change is tracked and recorded, ensuring your organisation stays compliant and prepared for verification checks.
Benefits of Adherence
By implementing these updates, organisations can stay ahead of evolving threats while demonstrating their commitment to security. For accountants who handle sensitive financial data, compliance with Cyber Essentials not only ensures protection against cyber attacks but also reassures clients and stakeholders.
Additionally, some cyber insurers now ask whether an organisation holds Cyber Essentials certification, and the answer can influence premiums and coverage. You can verify any organisation’s certification through the official search: https://iasme.co.uk/cyber-essentials/ncsc-certificate-search/
Final Thoughts
The changes introduced in CEv3.2 reflect a forward-looking approach to cyber security, addressing both technical and practical challenges. By embracing these updates and preparing strategically, organisations can strengthen their defences, safeguard data, and build client trust.
Whether you’re renewing your Cyber Essentials Certification or going through the process for the first time, detailed guidance on preparing for Cyber Essentials certification in 2025, can be found on our ICAS IT Partner’s website: Lugo. If you have any questions, please email cyber@LugoIT.co.uk or call 03300 242 242 and Lugo will be happy to assist.