Guest blog (Littlefish): Cyber Essentials April 2025 Update: What you Need to Know
The UK government-supported Cyber Essentials program has long since been a pivotal framework for helping businesses safeguard against cyber threats.
Regularly updated to ensure it remains effective, Cyber Essentials’ latest changes will come into force April 28, 2025, and all further applications will be assessed against the updated standards.
New in the Cyber Essentials Requirements for IT Infrastructure Document:
1. Passwordless authentication
Following the mandated use of multi-factor authentication in 2022, new technology for account access will be introduced to allow secure identity verification without traditional passwords.
2. Software definition updated
The software definition now includes the term ‘extensions’ instead of ‘plugins’, offering improved accuracy.
3. Vulnerability fixes added
The term ‘vulnerability fixes’ will also replace the old phrasing ‘patches and updates’. This is to offer a more comprehensive understanding of the process of vulnerability assessment.
4.‘Home working’ phrase extended to ‘home and remote working’
Terminology will also be updated to encompass all forms of remote work, including work conducted outside of the home or office.
Updated in the Cyber Essentials Plus Test Specification:
1.New verification pointers introduced
As well as removing the word ‘illustrative’ from the document name, new verification pointers have been added to ensure the Cyber Essentials Plus assessment scope aligns with the self-assessment certificate.
2. Verification of segregation by sub-set added
Guidelines have been added to confirm that any organisational subsets have been properly segregated using technical methods prior to testing.
3. Verification of sampling added
The last update in the Cyber Essentials Plus document is the verification of sampling addition. This emphasises the need for a representative sample of devices during testing and provides specific guidance on how to determine an appropriate sample size.
Why achieving Cyber Essentials status matters:
1. Rising cyber threats
Cyber-crime continues to grow in scale and sophistication, with attacks becoming more targeted and disruptive.
2. Compliance requirements
Adhering to cyber security best practices is no longer just good business sense; it is a legal and regulatory
3. Boosting business reputation
In a competitive market trust is a key differentiator. Clients and partners increasingly seek assurance that their data is handled securely.
4. Facilitating public sector contracts
Many UK government contracts require Cyber Essentials certification as a prerequisite.
Steps to achieve Cyber Essentials Certification in 2025:
Getting certified under the updated Cyber Essentials program involves several steps:
1. Assess your current cyber security measures
Begin by reviewing your organisation’s existing cyber security practices against the Cyber Essentials requirements. Identify gaps and areas for improvement.
2. Implement necessary changes
Address any identified weaknesses by implementing the required controls. This may involve updating software, configuring firewalls, deploying security patches, or formalising your incident response plan.
3. Complete the self-assessment questionnaire
The certification process starts with a self-assessment questionnaire (SAQ), which evaluates your compliance with the Cyber Essentials controls. The questionnaire must be submitted to an accredited certification body for review.
4. Undergo a technical audit (for Cyber Essentials Plus)
For organisations seeking the more advanced Cyber Essentials Plus certification, a technical audit is required. This involves a hands-on assessment of your IT systems by a qualified assessor to verify that the controls are implemented effectively.
5. Achieve certification
Once your application is approved, you will receive your Cyber Essentials certificate, which is valid for one year. To maintain certification, you’ll need to complete the process annually and keep up with any new updates to the framework.
techUK - Putting AI into Action
techUK’s Putting AI into Action campaign serves as a one stop shop for showcasing the opportunities and benefits of AI adoption across sectors and markets.
During this campaign, techUK will run a regular drumbeat of activity, including events, reports, and insights, to demonstrate some of the most significant opportunities for AI adoption in 2025, as well as working with key stakeholders to identify and address current barriers to adoption.
Visit our AI Adoption Hub to learn more, or find our latest activity below.
Upcoming AI Adoption events
Latest news and insights
Sign-up to get the latest updates and opportunities across Technology and Innovation & AI.
Contact the team
Usman Ikhlaq
Usman Ikhlaq
Usman joined techUK in January 2024 as Programme Manager for Artificial Intelligence.
His role is to help techUK members of all sizes and across all sectors to adopt AI at scale. This includes identifying the barriers to adoption, considering solutions and how best to maximise AI's potential.
Prior to joining techUK, Usman worked as a policy, government affairs and public affairs professional in the advertising sector. He has also worked in sales and marketing and FinTech.
Usman is a graduate of the London School of Economics and Political Science (MSc), BPP Law School (GDL and LLB) and Queen Mary University of London (BA).
When he isn’t working, Usman enjoys spending time with his family and friends. He also has a keen interest in running, reading and travelling.
Learn more about our AI Adoption campaign:
Authors
Shruti Chaudhary
Shruti Chaudhary is Associate Information Security Consultant at Littlefish, a UK-based, award-winning managed IT, cyber security, and Microsoft business solutions service provider.