The Upcoming Changes to the Cyber Essentials Scheme

Cyber essentials

The Government-approved Cyber Essentials scheme includes five technical controls that help protect organisations from the majority of cyber-attacks. A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. 

The scheme was introduced by the UK Government in 2014 as a way to help make the UK the safest place to do business. As the threat landscape is ever-evolving, on January 24th 2022, some of the technical control requirements will change in line with recommended security updates. This allows UK businesses to continue raising the bar for their cyber security. Read on to discover the changes to the scheme that businesses need to prepare themselves for. 

What are the changes to the scheme? 

1) Home working devices are in scope, whereas most home routers aren’t

Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational information, whether they are owned by the organisation or the user, are in scope for Cyber Essentials. 

Home routers that are provided by Internet Service Providers or by the home worker are now out of scope and the Cyber Essentials firewall controls will be transferred to the home worker’s device (computer, laptop, tablet and/or phone). However, a router supplied by the applicant company is in scope and must have the Cyber Essentials controls applied to it. 


2) All cloud services are in scope

Cloud services are to be fully integrated into the scheme. If an organisation’s data or services are hosted on cloud services, then the organisation is responsible for ensuring that all the Cyber Essentials controls are implemented. Definitions of cloud services have been added for Infrastructure as a Service, Platform as a Service and Software as a Service. Whether the cloud service provider or the user implements the control, depends on the type of cloud service. 


3) Thin clients are in scope when connecting to organisational information or services 

A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet. 

work from home

4) All servers including virtual servers on a sub-set* or a whole organisation assessment are in scope

Servers are specific devices that provide organisational data or services to other devices as part of the business of the applicant. 

* A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials. 


5) All smart phones and tablets connecting to organisational data and services are confirmed in scope when connecting to corporate network or mobile internet such as 4G and 5G

However, mobile or remote devices used only for voice calls, text messages or multi-factor authentication applications are out of scope. 


6) Device locking

Biometrics or a minimum password or pin length of 6 characters must be used to unlock a device. 


7) Password-based and multi-factor authentication requirements

When using passwords, one of the following protections should be used to protect against brute-force password guessing: 

  • Using multi-factor authentication 
  • Throttling the rate of unsuccessful or guessed attempts. 
  • Locking accounts after no more than 10 unsuccessful attempts. 


8Account separation

Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).


9) The scope of an organisation must include end-user devices 

If an organisation certifies their server systems only, they ignore the threats that come from their administrators who administered those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end user devices. Cyber Essentials must now include end point devices. 


10) All high and critical updates must be applied within 14 days and remove unsupported software 

All software on in scope devices must be: 

  • Licensed and supported 
  • Removed from devices when it becomes un-supported or removed from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet. 
  • Have automatic updates enabled where possible 
  • Updated, including applying any manual configuration changes required to make the update effective, within 14 days of an update being released, where: 

– The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ 

– The update addresses vulnerabilities with a CVSS v3 score of 7 or above 

– There are no details of the level of vulnerabilities the update fixes provide by the vendor 


11) Guidance on data backup

Backing up your data is not a technical requirement of Cyber Essentials, however there is now guidance on backing up important data, and implementing an appropriate backup solution is highly recommended. 

 Data backup


12) Two additional tests have been added to the Cyber Essentials Plus audit

These tests have been added to the Cyber Essentials Plus audit: 

  • A test to confirm account separation between user and administration accounts 
  • A test to confirm MFA is required for access to cloud services. 

How will the changes work?

There will be a grace period of one year to allow organisations to make the changes for the following requirements: 


    The requirement will apply for administrator accounts from January 2022

    The MFA for users requirement will be marked for compliance from January 2023 


    Thin Clients need to be supported and receiving security updates, the requirement will be marked for compliance from January 2023

    The new question will be for information only for the first 12 months. 


    Unsupported software removed from scope will be marked for compliance from January 2023

    The new question will be for information only for the first 12 months. 


If your organisation registers and pays for Cyber Essentials certification before 24th January 2022, you will be assessed on the old Cyber Essentials question set and have up to six months to complete your self-assessment. Please be aware that the Cyber Essentials Readiness Tool will be updated with the new requirements for the 5 technical controls on 24th January 2022. If you would like to use the tool for guidance on the old question set, please access the guidance before 24th January 2022. 

If you have any questions, need additional guidance, or are looking to improve your business security with our comprehensive cybersecurity solutions, get in touch with one of our Cyber Essentials experts.  


Contact us