
Five key changes to the Cyber Essentials scheme in 2022

Posted : 11 January 2022

Posted In : Blogs


As the way we work continues to evolve, it’s important for your organisation to demonstrate that it has an up-to-date level of protection from current cyber-attack vectors. The Cyber Essentials (CE) certification scheme is responding to this challenge by refreshing its criteria for certification as of January 2022.

By Nick Catling, January 2022

Press F5 to refresh

Cyber Essentials is a Government-backed scheme designed to guard against the most common internet-based cyber security threats. It allows organisations of all sizes to demonstrate their commitment to cyber security and protects organisations from 80% of attacks. IASME is the UK National Cyber Security Centre’s Cyber Essentials Partner, responsible for the delivery of the scheme.

Meeting the challenge
The latest changes were developed as a result of feedback from CE assessors and applicants, as well as discussions with the Cloud Industry Forum. CE is updating its technical controls which cover five main areas to ensure best practice across:

  1. Firewalls
  2. Device configuration and passwords
  3. User access controls and permissions
  4. Endpoint malware protection
  5. Software security updates

This will be the first time the technical controls have significantly changed since the release of the scheme in 2014, and the changes will come into force on 24th January 2022.

The five main changes to CE
There are, according to IASME, 15 changes being made to the technical controls, and you can find more details on each on their website. Here are five highlights of what will now be included in CE certification as of next year:

In addition, if you are working towards Cyber Essentials Plus, there are two new tests for the Plus audit.

The changes make the technical controls more comprehensive and secure, reflecting the new way we now work. Devices are being used more frequently outside of an office environment, so BYOD policies, Zero Trust methodologies and remote access to networks are now all high priorities for most security teams.

What to expect
As of January, the new CE certification process will apply to the Cyber Essentials self-certification questionnaire and Cyber Essentials Plus. Any organisation that registers and pays for the certification before this date will be assessed using the existing scheme and will have the usual six months in which to complete the assessment.

IASME acknowledge that not all parts of the updated technical controls will be quick and easy to implement. As a result, they are providing a grace period of one year to allow organisations to make appropriate changes, but only for the following requirements:

  • MFA for cloud services – Administrator accounts will be part of the scope from January 2022, with User accounts being included from January 2023.
  • Thin clients – This new question will be for information only for the first 12 months; however, come January 2023, CE requires thin clients to be supported and receive security updates.
  • Security Update Management – For the first 12 months the removal of unsupported software question will be for information only, coming into scope in January 2023.

These new CE questionnaires are already available to download from IASME’s website, so I encourage you to take a look. This will give you a head start whether you are planning to re-certify next year or get CE for the first time.

Where to go to get cyber-secure
To conclude, this update is a significant evolution of the UK’s go-to cyber threat certification for today’s new era of hybrid work. If you’re interested in obtaining the Cyber Essentials certification, then please do get in touch.

Softwerx are Cloud Industry Forum founding members, Cyber Essentials Plus certified, and are partnered with IT Governance to help organisations get CE certified. For a limited period of time we’re offering a discounted price for the Cyber Essentials certification.

Cyber Essentials is a basic level of cybersecurity assurance you would overlook at your own risk.

