From 28 April 2025, the Cyber Essentials and Cyber Essentials Plus requirements change so that they cover software vulnerabilities more comprehensively, rather than only the installation of vendor patches.
This update is a significant step towards improving cyber security amongst businesses and ensuring they have a strict set of guidelines to follow for resilience against cybercrime.
In this blog post, we will discuss what Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are, what the upcoming changes include, the challenges small businesses may face and how to prepare.
What are Cyber Essentials and Cyber Essentials Plus?
CE and CE+ are UK government-backed certification schemes designed to help organisations protect themselves against common cyber threats. Earning these certifications demonstrates a company’s commitment to cybersecurity and provides assurance to clients, partners, and other stakeholders.
Cyber Essentials is the foundational certification level, focusing on the implementation of basic cybersecurity measures. It addresses five technical controls: firewalls, secure configuration, user access control, malware protection, and security update management (keeping software patched and in support). These measures create a strong baseline for securing IT systems and data. Organisations seeking CE certification complete a self-assessment questionnaire, which is verified by a licensed certification body before the certificate is issued.
CE+ builds on the Cyber Essentials framework and provides a higher level of assurance. It covers the same five controls, but an assessor from a certification body verifies them through hands-on technical testing of the organisation’s systems: an external vulnerability scan of internet-facing services, authenticated vulnerability scans of a sample of in-scope devices, tests of malware protection using simulated malicious downloads and email attachments, and checks of account separation and multi-factor authentication on cloud services. The aim is to confirm that the controls declared in the self-assessment actually work in practice.
What are the changes?
Several changes have been made to reflect advances in cybersecurity practices and to clarify existing standards. Key updates include supporting passwordless authentication, emphasising secure alternatives such as biometrics and security keys, and using more modern terminology, such as ‘extensions’ instead of ‘plugins’ and ‘home and remote working’ instead of ‘home working’ to cover a variety of environments such as cafés or hotels.
However, the most significant terminology change is the replacement of ‘patches and updates’ with ‘vulnerability fixes’, to better capture the range of actions needed to close a security gap. A vulnerability fix may be a conventional patch, but it can also be running a vendor-supplied script, changing a configuration setting, or applying another vendor-approved mitigation; all of these now count, and all of them are expected to be applied.
Alongside this, the Cyber Essentials Plus assessment process itself is being tightened so that the examination is more thorough. In particular, assessors must carry out:
- Scope verification: assessors must confirm that the systems and networks they test match the scope declared in the CE self-assessment, so that nothing in scope goes unchecked.
- Subset segregation: if only part of the organisation is being certified, assessors must verify that this subset is segregated from the rest of the network (for example by a firewall or VLAN), so that out-of-scope systems cannot undermine the certified ones.
- Sampling checks: assessors must use a standardised method to select the sample of devices they test, so that the sample genuinely reflects the organisation’s overall estate.
How these changes could impact your business
To comply with the updated criteria, businesses must take a proactive approach: tracking which vulnerability fixes apply to their systems and applying them, rather than relying solely on automatic updates. This requires both ongoing monitoring and enough technical understanding to act on what the vendor publishes.
If you renew your CE or CE+ certification, or start a new application, after 28 April 2025, the changes will apply to you. The scope and criteria are being strengthened to reflect advances in cybersecurity practice, and the assessment will be both broader and stricter.
If you have registered with IASME and started your certification before 28 April 2025, you will be assessed against the existing requirements, but you must complete your certification within 6 months of that date; otherwise you will be moved onto the new requirements.
The broader requirements may present challenges, particularly for small and micro-organisations. Here’s why:
Lack of internal awareness
Small businesses often rely on automated software updates, believing that these updates will keep their systems secure. While automatic updates are an important first line of defence, they don’t always address every potential issue.
For example, a vendor may ship a fix that only takes effect once an administrator changes a setting, disables a vulnerable feature, or runs a script after the update is installed. Until that step is done, the vulnerability remains open even though the device reports itself as up to date.
These steps require technical expertise to execute correctly. Without a dedicated IT team or specialist support, they may be overlooked, misunderstood, or incorrectly implemented, leaving the organisation exposed despite its best efforts to stay updated.
Small businesses often have limited resources
Larger organisations typically have dedicated IT teams or sophisticated tools in place to detect and address network vulnerabilities. These teams often use vulnerability scanners, patch management systems, and robust monitoring tools to ensure that all devices, such as servers, workstations, and endpoints, are regularly checked and updated.
Small businesses, on the other hand, often have limited resources and may lack the specialised expertise or tools needed to effectively track and secure their systems. They may rely on basic update notifications or ad hoc measures, which can leave gaps in security coverage.
Without a structured process or dedicated personnel to ensure that every device and application is patched and configured correctly, these businesses are more likely to have vulnerabilities that go undetected and are exploited.
Insufficient vendor communication
Fixing software vulnerabilities isn’t always as simple as clicking the ‘update now’ button and letting the process run itself. While some updates can be installed automatically, others may require additional steps that require technical knowledge. Vendors often release technical instructions with their updates, outlining specific actions that users or administrators must take.
These requirements can be difficult for small businesses to meet if they lack the in-house IT expertise to understand or carry out the instructions. Even learning that a fix exists can be difficult if communication channels with vendors are poor, or if the business is unaware of the security bulletins that vendors publish.
Small businesses that lack a clear understanding of what needs to be done may inadvertently leave vulnerabilities unaddressed, even after attempting to apply updates.
Diversity of devices
Many small businesses rely on a variety of devices, such as laptops, desktops, tablets, and mobile phones, to run their daily operations. This variety often includes a mix of operating systems, software versions, and hardware capabilities, making it difficult to manage security updates and fixes. Additionally, some devices may be running software that the vendor no longer supports; such software receives no vulnerability fixes at all, and Cyber Essentials requires it to be removed or taken out of scope.
Keeping all devices in a network up to date requires not only knowledge of the most recent patches and fixes, but also the ability to deploy them correctly across multiple platforms. This process becomes even more complex if employees use personal devices for work, a practice known as Bring Your Own Device (BYOD), which complicates endpoint tracking and security.
Without specialised knowledge, dedicated IT support, or the right tools, such as endpoint management solutions, small businesses may struggle to identify which devices require updates or ensure fixes are properly implemented.
What can small businesses do to prepare?
Small businesses have several options for protecting themselves from cyber criminals and meeting CE and CE+ requirements, including:
Investing in vulnerability scanning tools
Investing in vulnerability scanning tools is an important step for organisations looking to improve their cybersecurity posture. These tools systematically scan networks, systems, and applications for weaknesses that attackers could exploit, and produce reports highlighting areas of concern such as out-of-date software, misconfigured systems, or unnecessarily exposed network services. Scans that run with credentials on each device (authenticated scans, as used in the CE+ assessment) can see installed software versions and missing fixes that a network-only scan cannot, so they should be part of any scanning programme.
In addition to identifying vulnerabilities, many modern scanning tools provide actionable recommendations for resolving them. For example, they may recommend specific patches to install, configuration changes to make, or additional security controls to implement. Some tools integrate with existing IT systems, automating patch deployment and monitoring for recurring problems.
By scanning regularly, organisations can detect and address security gaps before they are exploited. For small businesses with limited resources, these tools can be an affordable and efficient way to maintain a secure IT environment.
Staying informed on the latest software updates
Maintaining a secure IT environment requires staying up to date on the latest software updates and security fixes. Regularly visiting vendor websites or subscribing to their update notifications keeps you informed of newly released patches, updates, and vulnerability advisories.
Many software vendors publish dedicated security bulletins, email alerts, and RSS or Atom feeds announcing new fixes. Vendors of widely used operating systems and applications may also provide detailed guidance on how to implement a fix, including any configuration steps, testing, and deployment instructions.
This proactive approach enables organisations to address potential security flaws as soon as they are identified.
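The process described above and in the earlier sections (tracking vendor advisories against your own device inventory, and treating a fix as incomplete until any required configuration step has also been done) can be automated even on a small scale. The script below is an added example, not code from the original post or from Net-Defence; the Atom feed, vendors, products, versions, and advisory IDs are constructed for illustration and describe no real vulnerabilities, and the extension elements in the feed (vendor, product, fixed_version, severity, fix) are assumptions for this example. It applies the Cyber Essentials rule that fixes for critical or high severity vulnerabilities must be applied within 14 days of release.

```python
# Added example: check a constructed device inventory against a constructed
# vendor advisory feed. Not part of the original post; all data is made up.
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Cyber Essentials: critical/high fixes must be applied within 14 days of release.
CE_FIX_WINDOW_DAYS = 14
CE_DEADLINE_SEVERITIES = {"critical", "high"}

ATOM = "{http://www.w3.org/2005/Atom}"
EXT = "{urn:example:advisory}"  # assumed extension namespace for this example

# Constructed feed. ADV-0002 is the case the post warns about: installing the
# update is not enough, an administrator must also change a setting afterwards.
FEED_XML = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:x="urn:example:advisory">
  <entry><id>ADV-0001</id><title>Remote code execution in Example Office</title>
    <published>2025-03-01</published><x:vendor>ExampleCorp</x:vendor>
    <x:product>Example Office</x:product><x:fixed_version>7.4.2</x:fixed_version>
    <x:severity>critical</x:severity><x:fix>update</x:fix></entry>
  <entry><id>ADV-0002</id><title>Authentication bypass in Example Gateway</title>
    <published>2025-04-10</published><x:vendor>ExampleCorp</x:vendor>
    <x:product>Example Gateway</x:product><x:fixed_version>3.1.0</x:fixed_version>
    <x:severity>high</x:severity><x:fix>update+config</x:fix></entry>
  <entry><id>ADV-0003</id><title>Information leak in Other Browser</title>
    <published>2025-04-20</published><x:vendor>OtherVendor</x:vendor>
    <x:product>Other Browser</x:product><x:fixed_version>120.0.1</x:fixed_version>
    <x:severity>medium</x:severity><x:fix>update</x:fix></entry>
</feed>"""

# Constructed inventory, as an endpoint management tool or spreadsheet might
# export it. 'mitigations' lists advisory IDs whose extra configuration step
# has been completed on that device.
INVENTORY = [
    {"device": "LAPTOP-01", "vendor": "ExampleCorp", "product": "Example Office",
     "version": "7.4.1", "mitigations": set()},
    {"device": "LAPTOP-02", "vendor": "ExampleCorp", "product": "Example Office",
     "version": "7.4.2", "mitigations": set()},
    {"device": "GATEWAY-01", "vendor": "ExampleCorp", "product": "Example Gateway",
     "version": "3.1.0", "mitigations": set()},  # updated, but config step missed
    {"device": "GATEWAY-02", "vendor": "ExampleCorp", "product": "Example Gateway",
     "version": "3.1.0", "mitigations": {"ADV-0002"}},
    {"device": "PHONE-01", "vendor": "OtherVendor", "product": "Other Browser",
     "version": "119.0.5", "mitigations": set()},
]


def parse_feed(xml_text):
    """Turn the Atom feed into a list of advisory dicts."""
    advisories = []
    for entry in ET.fromstring(xml_text).findall(ATOM + "entry"):
        advisories.append({
            "id": entry.findtext(ATOM + "id"),
            "published": date.fromisoformat(entry.findtext(ATOM + "published")),
            "vendor": entry.findtext(EXT + "vendor"),
            "product": entry.findtext(EXT + "product"),
            "fixed_version": entry.findtext(EXT + "fixed_version"),
            "severity": entry.findtext(EXT + "severity").lower(),
            "fix": entry.findtext(EXT + "fix"),
        })
    return advisories


def version_tuple(version):
    """Compare dotted versions numerically, so that 119.0.5 < 120.0.1."""
    return tuple(int(part) for part in version.split("."))


def outstanding_fixes(inventory, advisories, today):
    """Return one finding per device/advisory pair that is still open."""
    findings = []
    for dev in inventory:
        for adv in advisories:
            if (dev["vendor"], dev["product"]) != (adv["vendor"], adv["product"]):
                continue
            updated = version_tuple(dev["version"]) >= version_tuple(adv["fixed_version"])
            if not updated:
                reason = f"version {dev['version']} is below fixed version {adv['fixed_version']}"
            elif adv["fix"] == "update+config" and adv["id"] not in dev["mitigations"]:
                reason = "update installed but the required configuration change is not recorded"
            else:
                continue  # fully fixed
            deadline = None
            if adv["severity"] in CE_DEADLINE_SEVERITIES:
                deadline = adv["published"] + timedelta(days=CE_FIX_WINDOW_DAYS)
            days_overdue = max(0, (today - deadline).days) if deadline else 0
            findings.append({"device": dev["device"], "advisory": adv["id"],
                             "severity": adv["severity"], "reason": reason,
                             "deadline": deadline, "days_overdue": days_overdue})
    return findings


def ce_compliant(findings):
    """True when no critical/high fix has passed its 14-day window."""
    return all(f["days_overdue"] == 0 for f in findings)


def run_check(today_iso):
    """Run the check against the constructed data for a given assessment date."""
    return outstanding_fixes(INVENTORY, parse_feed(FEED_XML), date.fromisoformat(today_iso))


if __name__ == "__main__":
    found = run_check("2025-04-28")
    for f in found:
        print(f"{f['device']}: {f['advisory']} ({f['severity']}) {f['reason']}; "
              f"overdue by {f['days_overdue']} days")
    print("CE compliant:", ce_compliant(found))
```

Run on the assessment date of 28 April 2025, the check reports three open items: LAPTOP-01 is a version behind on a critical fix and well past the 14-day window, GATEWAY-01 is on the fixed version but the configuration step was never recorded (so it would still fail), and PHONE-01 is missing a medium-severity fix that carries no CE deadline. In a real deployment the feed would be fetched from the vendor’s bulletin URL and the inventory exported from an endpoint management tool, but the logic of matching product and version and then checking for any extra required step is the same.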
Working with trusted IT partners
Working with trusted IT partners can be a game-changer for organisations, particularly small businesses that may lack the resources or expertise to manage their own cybersecurity.
Outsourcing IT support means a dedicated team monitors your systems, identifies vulnerabilities, and implements the necessary fixes, allowing you to focus on your core business while the technical work of staying secure is handled by specialists.
A reputable IT partner, such as ourselves, brings a wealth of knowledge and experience to the table, often providing more advanced and proactive cybersecurity measures than an in-house team with limited resources. Whether it’s patch management, vulnerability scanning, or network monitoring, an IT partner can help detect and resolve issues before they become major problems.
How Net-Defence can help
Are you aware of the vulnerabilities in your devices and networks? If not, we’re here to help.
At Net-Defence, we specialise in custom IT security solutions that assist businesses in identifying, addressing, and mitigating vulnerabilities across their entire network.
With our expert assistance and advanced vulnerability scanning tools, we ensure that all devices, from laptops to mobile phones, are secure and up to date with the latest Cyber Essentials and Cyber Essentials Plus requirements.
As an IASME-licensed certification body, we can also manage your certification process for both Cyber Essentials and Cyber Essentials Plus end-to-end and in-house, simplifying the process for your business.
Contact us today to discuss how we can help you strengthen your cybersecurity posture and achieve peace of mind.