Cyber Essentials UK: A 2025 Guide
Cyber Essentials certification gives you a solid foundation to keep cyber threats in check before they turn into full-blown incidents. With the 2025 updates rolling out, now’s the perfect time to review your security controls, fine-tune authentication, and adapt to evolving vulnerability management requirements. If your business works with UK government contracts or handles sensitive data, these changes aren’t just helpful, they’re essential.
The good news? Staying compliant doesn’t have to be complicated. Let’s walk through what’s new, what it means for your security strategy, and the simple steps you can take to stay on track.
What is the Cyber Essentials Scheme?
Cyber Essentials is a government-backed certification scheme that provides a security foundation for UK businesses, ensuring they meet a minimum cybersecurity standard. There are two levels:
- Cyber Essentials: A self-assessment covering five core security controls.
- Cyber Essentials Plus: Requires a hands-on audit by an external assessor to verify your security implementation.
If you’re handling government contracts, certification is non-negotiable. For everyone else, it’s a way to prove your security maturity without resorting to ISO 27001-level bureaucracy.
Why Bother With Cyber Essentials Certification?
Beyond ticking a compliance box, it strengthens your security framework in practical ways. By implementing the five security controls, you shrink your attack surface and address actual cyber risks that businesses face daily before they become costly incidents. It also improves business continuity by reducing ransomware risks and reinforcing essential security practices. And let’s not forget trust—many organizations, especially those handling sensitive data, won’t even consider working with vendors who lack certification. For your IT team, it’s also a golden opportunity to push through much-needed security measures without resistance from leadership.
Breaking Down the Five Key Controls
The five Cyber Essentials security controls remain unchanged in the 2025 update. They are:
- Firewalls and routers: Network segmentation and boundary defenses.
- Secure Configuration: Hardening endpoints and disabling unnecessary services.
- User Access Control: Restricting admin privileges and enforcing least privilege principles.
- Malware Protection: Implementing endpoint security beyond basic AV.
- Security Updates: Patching known vulnerabilities before attackers exploit them.
You probably have most of these covered, but the 2025 updates add more stringent requirements.
Changes to Cyber Essentials Requirements in 2025
Revised Question Set (Version 3.2)
The April 2025 update introduces a new question set, replacing the previous “Montpellier” version. Expect more detailed inquiries into MFA enforcement, privileged access management, and cloud security policies.
Passwordless Authentication
The biggest shift? Passwordless authentication is now encouraged. The new standard recognizes the weaknesses of traditional passwords and pushes alternatives like:
- Biometric authentication (Windows Hello, Apple Face ID)
- Hardware security keys (YubiKeys, FIDO2-compliant tokens)
- Passkeys and certificate-based authentication
If your authentication strategy still revolves around password complexity rules, it’s time to update your approach.
Mandatory Patching for High-Risk Vulnerabilities
Organizations must now remediate vulnerabilities scoring CVSS 7.0 or higher within 14 days. No more “we’ll patch it next quarter” mentality: if you’re exposed, you need a documented plan to mitigate it immediately.
For system administrators, that means vulnerability scanning isn’t optional anymore and patch management should be automated. A formal exception process is required for delayed patches. Failing to address high-severity CVEs (Common Vulnerabilities and Exposures) could now jeopardize your certification.
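As an added illustration of the 14-day rule (this is not from the page or from Lansweeper), the Python below classifies scan findings against the CVSS 7.0 threshold and a documented exception register, so the items that would jeopardize certification can be listed. The CVE ids, dates and register layout are constructed placeholders.

```python
from datetime import date, timedelta

# Cyber Essentials 2025 rule: CVSS >= 7.0 must be remediated within 14 days,
# and any delay beyond that needs a formally approved exception.
CVSS_THRESHOLD = 7.0
SLA_DAYS = 14


def sla_status(finding, exceptions, today):
    """Classify one finding: not_in_scope, remediated, remediated_late,
    within_sla, excepted or overdue.

    finding: dict with 'cve', 'cvss', 'detected' (date), 'patched' (date|None)
    exceptions: dict of CVE id -> {'approved_by': str, 'expires': date}
    """
    if finding["cvss"] < CVSS_THRESHOLD:
        return "not_in_scope"
    deadline = finding["detected"] + timedelta(days=SLA_DAYS)
    if finding["patched"] is not None:
        # Late fixes are still worth flagging for the auditor's evidence trail.
        return "remediated" if finding["patched"] <= deadline else "remediated_late"
    if today <= deadline:
        return "within_sla"
    exc = exceptions.get(finding["cve"])
    if exc and exc.get("approved_by") and exc["expires"] >= today:
        return "excepted"
    return "overdue"


def audit(findings, exceptions, today):
    """Return CVE ids that are past the 14-day deadline with no valid exception."""
    return sorted(f["cve"] for f in findings
                  if sla_status(f, exceptions, today) == "overdue")


# Constructed sample scan output; CVE ids are placeholders, not real identifiers.
TODAY = date(2025, 5, 1)
FINDINGS = [
    {"cve": "CVE-XXXX-0001", "cvss": 9.8, "detected": date(2025, 4, 1), "patched": None},
    {"cve": "CVE-XXXX-0002", "cvss": 7.5, "detected": date(2025, 4, 25), "patched": None},
    {"cve": "CVE-XXXX-0003", "cvss": 8.1, "detected": date(2025, 4, 5), "patched": None},
    {"cve": "CVE-XXXX-0004", "cvss": 5.3, "detected": date(2025, 3, 1), "patched": None},
    {"cve": "CVE-XXXX-0005", "cvss": 7.2, "detected": date(2025, 4, 10), "patched": date(2025, 4, 20)},
]
# Constructed exception register: only CVE-XXXX-0003 has an approved, unexpired delay.
EXCEPTIONS = {"CVE-XXXX-0003": {"approved_by": "CISO", "expires": date(2025, 6, 1)}}

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["cve"], sla_status(f, EXCEPTIONS, TODAY))
    print("Certification at risk:", audit(FINDINGS, EXCEPTIONS, TODAY))
```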
Stricter Technical Testing
Cyber Essentials Plus now includes:
- Cloud security assessments (Azure, AWS, Google Workspace).
- Enhanced endpoint protection testing beyond basic malware defenses.
- Network segmentation verification for organizations with hybrid infrastructures.
For system admins, this means ensuring all endpoints, including BYOD and cloud instances, meet compliance requirements.
Preparing for Cyber Essentials Certification
The Cyber Essentials Checklist
To pass the Cyber Essentials assessment, ensure:
- All software is vendor-supported and patched.
- Default credentials are removed or changed on all devices.
- MFA is enabled for all remote access (not just VPNs).
- Admin accounts are strictly controlled and monitored.
- Untrusted devices are blocked from connecting to your network.
Cyber Essentials Plus: What’s Different?
Cyber Essentials Plus takes certification a step further by going beyond self-assessment and putting your security measures to the test. It requires live penetration testing that validates your controls hold up against real-world attack scenarios.
Endpoint security verification is no longer just a checklist. It involves a direct assessment to confirm that devices are properly secured. Network scanning is also a key requirement, identifying any unpatched vulnerabilities that could be exploited. Unlike the basic certification, this is a hands-on audit, so be ready to provide technical proof that your configurations are as secure as you claim.
Get Ready for Cyber Essentials v3.2 with Lansweeper
If you haven’t revisited your Cyber Essentials strategy, now’s the time to act. Start patching, rethink your authentication methods, and prepare for a more rigorous 2025 assessment.
Want to get ahead of the game? Lansweeper’s asset discovery tool helps you secure every endpoint, scan for CVEs, and test passwordless authentication today. Request a free demo and ensure your business is ready for the upcoming changes. Your certification depends on it!