
Cyber Essentials Changes for 2025

Bulletproof explores 3 key changes in Cyber Essentials for 2025 to see what it means for your business.


Matty Dunlop Cyber Essentials Team Lead

09/09/2024 3 min read

Introduction

IASME, the NCSC's delivery partner for Cyber Essentials, reviews the scheme continuously. This means there are regular updates both to the questions and to the marking scheme that assessors have to follow. Usually this has meant an annual 'version number' change, but 2024 did not see a new question set released. That looks set to change in 2025, when a new question set called Willow is lined up for release in April.


Cyber Essentials 'Willow' is coming

You may be asking, "why are they changing the questions?" The threat landscape is always changing, so the way we react to those threats needs to change too. This is the only way to make sure that your business stays secure, and it also brings the scheme up to date with current security practice. Cyber Essentials will still focus on the five key technical controls, which remain the best first line of defence against a potential threat.

So, what changes will we be looking at in April 2025? I’ll be taking a look at 3 specific changes introduced in Willow and explaining the rationale behind them.

Change 1: Definitions

Perhaps surprisingly, a lot of the changes are around definitions. Making sure questions are clear, and are applied to the right areas of your organisation, can make a significant difference to your security posture. We should see a number of better descriptions and resources provided to applicants, with links to IASME's CE Knowledge Hub covering all the different areas of the assessment.

For example, question A2.7.1 was, “How many staff are home workers?”, this is changing to “How many staff are home or remote workers?”

You may think that you would already include remote workers when answering the original question about home workers, but unfortunately we've found many organisations that wouldn't, and need guidance to make sure the right workers are being counted in the answer. This simple change of wording leaves less room for ambiguity.


Change 2: Passwordless logins

In addition to definition changes, we also see the inclusion of passwordless logins. Previously, questions around logins focused on passwords and MFA (multi-factor authentication), but as technology continues to evolve, passwordless authentication is increasingly widely adopted: more than one factor of authentication is used, but none of them is a password. This could be biometrics combined with a one-time code, or a security key or token combined with a push notification to a smartphone to approve the login.

Even with passwordless authentication there may still be a password fallback. So, if a password option exists on the account, all of the technical controls on password quality and brute-force protection must still be applied to it; using passwordless day to day does not exempt the fallback.

It is great to see passwordless included in this latest update as it will open up more secure methods of authentication to choose from, and shows that Cyber Essentials is putting in the work to keep its place as a relevant, sought-after certification.

Change 3: How we think about vulnerabilities

Lastly, we see a change in relation to vulnerability management. Previously, Cyber Essentials focused on ensuring that all 'high' and 'critical' vulnerabilities were patched within 14 days. However, vendors and manufacturers also offer other ways to remediate vulnerabilities, such as providing registry fixes, configuration changes or scripts to run.

Cyber Essentials will move from just “patches and updates” to “vulnerability fixes” as a whole. This is a key part of a wider shift in how we think about vulnerabilities: they’re a problem to be solved, not a hole to be patched.

Practically this means that any method of fix approved by the vendor to remediate a known vulnerability must be applied to achieve certification.

This is very important: counting only fixes applied through patches and updates can lead to companies ignoring vulnerabilities that have a different kind of fix, leaving them at risk. The change will push organisations to keep up to date with the latest vulnerabilities and to make sure that fixes are applied even where no simple patch exists.
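Because a fix applied via the registry or a service setting does not show up in an installed-updates list, an assessor (and the applicant) needs some other evidence that it is in place. The PowerShell below is an added example, not part of the original article and not an IASME or Bulletproof tool: it checks a small inventory of vendor-advised remediations of three kinds (a registry value, a conventional hotfix, and a disabled service) and exits non-zero if any is missing. The registry path, value name, KB number and service name are hypothetical placeholders; take the real ones from the vendor's advisory for the vulnerability in question.

```powershell
# Added example (not from the original article): evidence check for vulnerability
# fixes that are not patches, in line with the 'vulnerability fixes' wording.
# The registry path, value name, hotfix ID and service name are HYPOTHETICAL
# placeholders; replace them with the values from the vendor's advisory.

$fixes = @(
    @{ Id = 'FIX-001'; Kind = 'Registry'
       Path = 'HKLM:\SOFTWARE\ExampleVendor\Mitigation'
       Name = 'DisableLegacyProtocol'; Expected = 1 },
    @{ Id = 'FIX-002'; Kind = 'HotFix';  HotFixId = 'KB0000000' },
    @{ Id = 'FIX-003'; Kind = 'Service'; ServiceName = 'ExampleLegacySvc'
       ExpectedStartType = 'Disabled' }
)

function Test-VendorFix {
    param([hashtable]$Fix)
    switch ($Fix.Kind) {
        'Registry' {
            # A registry mitigation counts only if the value exists AND matches
            # the vendor's expected setting; a missing value is "not applied".
            $item = Get-ItemProperty -Path $Fix.Path -Name $Fix.Name -ErrorAction SilentlyContinue
            return ($null -ne $item) -and ($item.($Fix.Name) -eq $Fix.Expected)
        }
        'HotFix' {
            # Conventional patch: present in the installed-updates list.
            return [bool](Get-HotFix -Id $Fix.HotFixId -ErrorAction SilentlyContinue)
        }
        'Service' {
            # Configuration change: the vulnerable component must stay disabled.
            $svc = Get-Service -Name $Fix.ServiceName -ErrorAction SilentlyContinue
            if ($null -eq $svc) { return $true }   # not installed at all also counts as remediated
            return $svc.StartType -eq $Fix.ExpectedStartType
        }
        default { throw "Unknown fix kind: $($Fix.Kind)" }
    }
}

$report = foreach ($fix in $fixes) {
    [pscustomobject]@{
        Id        = $fix.Id
        Kind      = $fix.Kind
        Applied   = Test-VendorFix -Fix $fix
        CheckedAt = (Get-Date).ToString('s')
    }
}

$report | Format-Table -AutoSize

# Non-zero exit if any vendor-advised fix is missing, so the script can be run on
# a schedule and its output kept as evidence for the assessment.
if ($report | Where-Object { -not $_.Applied }) { exit 1 } else { exit 0 }
```

Run it as an administrator so the HKLM key and service state are readable. Keeping the dated report output alongside the vendor advisory gives you a record that the fix was applied, and when, which is what the assessor will want to see for a remediation that has no patch to point at.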

Bulletproof are prepared to help

Here at Bulletproof, we're already working hard to make sure we are ready for the changes, with our official Cyber Essentials Assessors and Cyber Advisors familiarising themselves with the new questions and guidance. For any organisation to get the most out of Cyber Essentials, it helps to have someone work through it with you. Our CE Assessors are on hand to support you through your assessment, with guidance and support included in all our Cyber Essentials offerings.


Meet the author

Matty Dunlop Cyber Essentials Team Lead

Matty is Bulletproof's Cyber Essentials Team Lead, and enjoys taking a big-picture view of how we can help customers get the most out of their CE certification. He's always up to date on the latest changes and takes pride in building a great team of Cyber Essentials and Cyber Essentials Plus Assessors.
