Updates to the Cyber Essentials certification: everything you need to know

Cyber Essentials is an assessment framework designed to ensure you have protection against a wide variety of the most common cyber attacks. It improves resistance to low-skill "script kiddie" attacks from opportunistic attackers and is a minimum requirement for bidding on government contracts or similar.

This year, the NCSC (National Cyber Security Centre) announced several changes to the Cyber Essentials technical requirements that businesses will need to meet to achieve their Cyber Essentials certification.

What updates have been made to the Cyber Essentials certification?

Home working

Anyone who works from home (for any amount of time) is classed as a home worker. The devices they use to access the business's systems and data are now included in the scope of the Cyber Essentials certification.

However, the rules for routers have changed. If the router has been supplied by an Internet Service Provider, it is not included in the scope of the certification (the responsibility for firewalls etc. is put on the device being used to access the internet), but if the router has been supplied by the business, it is included in the scope and must have the Cyber Essentials controls applied.

Cloud services

All cloud services (including Infrastructure as a Service, Platform as a Service and Software as a Service) are now included in the scope of the Cyber Essentials technical controls. Thus, any business that uses the cloud to host data or services must ensure that they implement the Cyber Essentials controls.

MFA (Multi-Factor Authentication) is now required for all cloud services to provide extra protection to all accounts (particularly administrator accounts) accessing the cloud.

Passwords & Access

Several rules have been introduced to improve password and device security:

  • Devices must be locked with biometrics OR a password of at least 6 characters
  • Multi-factor authentication should be used in conjunction with a password of at least 8 characters, OR a password of at least 8 characters should be subject to an automatic block of common passwords
  • Passwords with a minimum length of at least 12 characters can be used without MFA or automatic blocks
  • There must be a separate account used only for administrative tasks, so that administrative privileges are not exposed to the risks of standard user activities like emailing and web browsing.

The recommendation for creating new passwords is now to choose three random words – making it long, unique, and difficult to guess.


All software used must be licensed or supported – and removed from devices when it becomes unsupported.

Any updates that are described by the vendor as ‘critical’ or ‘high risk’ (or updates addressing vulnerabilities with a CVSS v3 score of 7 or above) must be applied manually within 14 days if these are not automatically applied. Where possible, software updates should be automatically enabled.
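The two software rules above can be checked against an inventory of pending updates. The following is an added example, not part of the Cyber Essentials scheme or its tooling: the record layout, host names and sample data are constructed, and it assumes the 14-day window is counted from the vendor's release date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14                     # "within 14 days"
CVSS_THRESHOLD = 7.0                       # "CVSS v3 score of 7 or above"
URGENT_LABELS = {"critical", "high risk"}  # vendor wording quoted above

@dataclass
class PendingUpdate:                       # hypothetical record layout
    host: str
    software: str
    released: date                         # assumption: window starts at vendor release
    vendor_label: Optional[str] = None
    cvss_v3: Optional[float] = None
    vendor_supported: bool = True

def in_scope(u: PendingUpdate) -> bool:
    """True if the update falls under the 14-day rule (vendor label OR CVSS)."""
    label = (u.vendor_label or "").strip().lower()
    return label in URGENT_LABELS or (
        u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD)

def audit(updates, today: date):
    """Return (host, software, finding) for every item that needs action."""
    findings = []
    for u in updates:
        if not u.vendor_supported:
            # Unsupported software must be removed, whatever its patch state.
            findings.append((u.host, u.software, "REMOVE: unsupported software"))
            continue
        if not in_scope(u):
            continue
        age = (today - u.released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append((u.host, u.software,
                             f"OVERDUE by {age - PATCH_WINDOW_DAYS} days"))
        else:
            findings.append((u.host, u.software,
                             f"DUE in {PATCH_WINDOW_DAYS - age} days"))
    return findings

# Constructed sample inventory of updates that are not yet installed.
SAMPLE = [
    PendingUpdate("laptop-01", "browser", date(2024, 3, 1), "Critical"),
    PendingUpdate("laptop-02", "pdf-reader", date(2024, 3, 10), None, 7.0),
    PendingUpdate("srv-01", "web-server", date(2024, 2, 1), "moderate", 5.3),
    PendingUpdate("thin-01", "legacy-vpn-client", date(2023, 1, 1),
                  vendor_supported=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2024, 3, 20)):
        print(*finding, sep="\t")
```

An update that carries no vendor label and no CVSS score is skipped by this check, so such items still need manual triage.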


Several changes have been made to what is now included in the scope of the Cyber Essentials certification, including:

  • Thin clients are now in scope when they connect to organisational information or services since, while they can’t hold much data, they can connect to the internet and are therefore vulnerable to attacks.
  • All servers (including virtual servers) are in scope for both sub-set and whole organisation assessments.
  • All smartphones and tablets that connect to organisational data and services via a corporate or mobile network are in scope – this doesn’t include devices that are only used for calls, text messages, or MFA applications.
  • End-user devices must now be included in the scope of the assessment. Previously, organisations could certify their server systems only; including end-user devices helps them avoid the threats that come from the administrators who administer those server systems.

Cyber Essentials is becoming increasingly important for organisations wishing to obtain government contracts and demonstrate their cyber security credentials to others in their supply chain. Considering getting your Cyber Essentials certification? Check your current situation with the Cyber Essentials Readiness Toolkit from delivery partner IASME.

Byte Security Ltd consultants have strong experience with both Cyber Essentials (Self-Assessment) and Cyber Essentials PLUS, and are ready to help you audit your organisation and implement the changes needed to meet the technical controls for your certification.

Get in touch to book your free consultation.