Why You Need To Know About the Recent Cyber Essentials Certification Changes


As part of Data Privacy Week, in this blog post we update you on the new Cyber Essentials Certification framework and what you need to be aware of. We’ll take you through what’s changed and why it’s important to understand the new requirements.

If your business is already Cyber Essentials certified, you’ll be familiar with what the certification represents and how the government-backed cyber security framework can protect your business against a whole range of the most common cyber attacks. You’ll also be confident in your current security levels, which you know your customers appreciate and often look for.

If Cyber Essentials is unfamiliar to you, we detail the certification and protection it offers here, and provide you with additional knowledge on some of the new stipulations.

The new criteria represent the most significant change to Cyber Essentials since its launch in 2014, so it's worth getting to grips with what the new requirements actually ask of your business.

As a UK business, we want you to feel reassured with the security measures you are taking, and using this framework is a great way to ensure that. We’ve listed the major revisions together with explanations and the steps you may need to take to keep your certification valid.


Cloud services are now fully in scope. This is well overdue and reflects the way IT has moved to the cloud over the last two to five years. A lot of businesses store critical data in external cloud applications, and it is often protected with nothing more than a password (sometimes a very weak one). Examples of such cloud services are Dropbox, Gmail, Xero Accounts, QuickBooks, Sage HR, Breathe HR, Salesforce, DocuSign and Slack.

There's a common saying in security, "you can't protect what you don't know about", and it's for this reason that Cyber Essentials wants you to review and list every cloud application and service your business uses, including the ones individual teams have signed up for without involving IT. Once you have everything listed, you can assess the security controls on each of them, for example:

  • Do you regularly review all active accounts to ensure they are all required?
  • Is multi-factor authentication (MFA) enabled for all users and administrators? If not, it needs to be: MFA on cloud services is now a compulsory element of Cyber Essentials, for administrator accounts and for ordinary users alike.


Simply having a password doesn't make an account secure; accounts need MFA enabled to be properly protected, and Cyber Essentials now reflects this by requiring MFA on cloud services. Where a cloud service cannot offer MFA, its password policy must enforce either a minimum length of 12 characters, or a minimum of 8 characters together with automatic blocking of commonly used (weak) passwords via a deny list. In either case no maximum password length should be set. It is also worth checking that MFA is enforced for every account rather than merely available, since an option users can skip protects nobody. You must now also explain the steps you have taken to manage the quality of passwords in the business. In the past a good written password policy was enough, but Cyber Essentials now wants to see user training and education on choosing unique, strong passwords.
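The two sections above describe a procedure: list your cloud services, check each account is still needed and has MFA, and where MFA is unavailable check the service's password policy against the minimum. The script below is an added example of running that audit over an exported account list; it is not code from the original post. The CSV export, the per-service password-policy table and the 90-day dormancy threshold are all constructed assumptions for illustration (the policy values are not the real products' settings), and the column names are an assumption about what an admin console's user report contains.

```python
"""Audit an exported cloud-account list against the Cyber Essentials
controls: is each account still needed, do all users and administrators
have MFA, and where MFA is not available does the service's password
policy meet the minimum (12+ characters, or 8+ characters with automatic
blocking of common passwords, and no maximum length)?

Added example, not from the original post. Export, policy table and the
90-day threshold are constructed assumptions, not real account data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export, in the shape an admin console's "download users"
# report might take. Column names are an assumption.
ACCOUNT_EXPORT = """\
service,user,role,mfa_enabled,last_login
Gmail,alice@example.co.uk,admin,yes,2022-01-20
Gmail,bob@example.co.uk,user,no,2022-01-18
Xero,finance@example.co.uk,admin,no,2021-09-01
Dropbox,leaver@example.co.uk,user,no,2021-06-30
Slack,carol@example.co.uk,user,yes,2022-01-21
"""

# Constructed password-policy settings per service. These are NOT the real
# products' settings, just values chosen to exercise each rule once.
SERVICE_PASSWORD_POLICY = {
    "Gmail": {"min_length": 8, "max_length": None, "denylist": True},
    "Xero": {"min_length": 8, "max_length": None, "denylist": False},
    "Dropbox": {"min_length": 12, "max_length": 16, "denylist": False},
}

# Cyber Essentials asks for regular review of active accounts but sets no
# number of days; 90 is an assumed threshold for flagging dormant accounts.
INACTIVE_AFTER = timedelta(days=90)


def password_policy_ok(policy):
    """Minimum policy where MFA is unavailable: no maximum length, and either
    12+ characters or 8+ characters plus a deny list of common passwords."""
    if policy["max_length"] is not None:
        return False
    if policy["min_length"] >= 12:
        return True
    return policy["min_length"] >= 8 and bool(policy["denylist"])


def audit_accounts(export_text, policies, today):
    """Return a list of (service, user, finding) tuples for the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        service, user = row["service"], row["user"]
        last_login = date.fromisoformat(row["last_login"])
        if today - last_login > INACTIVE_AFTER:
            findings.append((service, user, "dormant account: confirm it is still required or remove it"))
        if row["mfa_enabled"].strip().lower() != "yes":
            findings.append((service, user, f"MFA not enabled ({row['role']})"))
            # Without MFA the account relies on the password alone, so the
            # service's password policy must meet the CE minimum.
            policy = policies.get(service)
            if policy is None or not password_policy_ok(policy):
                findings.append((service, user, "password policy below Cyber Essentials minimum"))
    return findings


def audit_report(today_iso="2022-01-24"):
    """Run the audit over the constructed export as of the given date."""
    return audit_accounts(ACCOUNT_EXPORT, SERVICE_PASSWORD_POLICY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for service, user, finding in audit_report():
        print(f"{service:8} {user:24} {finding}")
```

Run as of 24 January 2022 the constructed export yields seven findings: one for bob (no MFA, but Gmail's assumed policy passes), three each for the dormant finance and leaver accounts (dormant, no MFA, and a policy that fails on a missing deny list and on a maximum length respectively), and none for the two accounts with MFA and recent logins. Swap in your own export and policy values to get a real picture.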


Firmware now counts as software for Cyber Essentials purposes, so devices must still be receiving security updates from their manufacturer. On PCs and laptops this means BIOS/UEFI firmware updates, the low-level software stored on a small chip inside the computer, not just operating system patches. This could mean that older equipment is no longer compliant and will need to be replaced.


There have been a few changes to the questions surrounding home working. These now better reflect the real-world home working scenarios that businesses use. Routers provided by an internet service provider (ISP) are out of scope, because the business does not control them; the boundary firewall requirements then apply to the software firewall on the home worker's device instead. A router that the business itself supplies to a home worker remains in scope.


If you have thin clients (computers that run from resources stored on a central server instead of a local hard drive) on your network, these are now in scope and are subject to the same scrutiny as PCs and laptops, for example:

  • Are they running a supported operating system?
  • Are critical security updates installed within 14 days of release?
  • Have any default passwords on the device been changed?
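The three questions above apply to every end-user device, thin clients included, and the 14-day window is measured from the vendor's release date, not from when you last looked. The script below is an added example, not code from the original post, that checks a device inventory against all three. The inventory rows, the end-of-support dates and the update release dates are constructed for illustration; for real devices take these from the vendors' lifecycle pages and release notes.

```python
"""Check a device inventory (PCs, laptops and thin clients alike) against
three Cyber Essentials questions: is the OS still supported, were critical
updates installed within 14 days of release, and has the default password
been changed?

Added example, not from the original post. Inventory, end-of-support dates
and update release dates are constructed assumptions, not vendor data.
"""
from datetime import date, timedelta

# Cyber Essentials: critical/high-risk updates applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# Constructed end-of-support dates (assumptions, not vendor lifecycle data).
OS_END_OF_SUPPORT = {
    "ThinOS 9": date(2025, 12, 31),
    "Windows 10 21H2": date(2023, 6, 13),
    "Windows 7": date(2020, 1, 14),
}

# Constructed: release date of the most recent critical update for each OS.
# An OS missing from this table gets no patch check (no vendor updates exist
# for it, which the end-of-support check already flags).
LATEST_CRITICAL_RELEASED = {
    "ThinOS 9": date(2022, 1, 5),
    "Windows 10 21H2": date(2022, 1, 11),
}

# Constructed inventory; "last_update" is when the device last applied updates.
INVENTORY = [
    {"host": "tc-01", "os": "ThinOS 9", "last_update": date(2022, 1, 15), "default_password_changed": True},
    {"host": "tc-02", "os": "ThinOS 9", "last_update": date(2021, 12, 20), "default_password_changed": False},
    {"host": "lt-07", "os": "Windows 10 21H2", "last_update": date(2022, 1, 12), "default_password_changed": True},
    {"host": "lt-03", "os": "Windows 10 21H2", "last_update": date(2022, 1, 3), "default_password_changed": True},
    {"host": "pc-old", "os": "Windows 7", "last_update": date(2019, 12, 10), "default_password_changed": True},
]


def check_device(dev, today, eos_table=OS_END_OF_SUPPORT, releases=LATEST_CRITICAL_RELEASED):
    """Return the list of findings for one device (empty means compliant today)."""
    findings = []
    eos = eos_table.get(dev["os"])
    if eos is None or eos < today:
        findings.append(f"unsupported OS {dev['os']!r}: replace or upgrade")
    released = releases.get(dev["os"])
    if released is not None and dev["last_update"] < released:
        # The update exists but has not been applied; the 14-day clock runs
        # from the vendor's release date.
        due = released + PATCH_WINDOW
        if today > due:
            findings.append(f"critical update released {released} not installed; overdue since {due}")
        else:
            findings.append(f"critical update released {released} pending; due by {due}")
    if not dev["default_password_changed"]:
        findings.append("default password still in use")
    return findings


def audit_inventory(inventory=INVENTORY, today=date(2022, 1, 24)):
    """Map each host name to its findings; compliant hosts map to []."""
    return {dev["host"]: check_device(dev, today) for dev in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

As of 24 January 2022 the constructed data gives: tc-01 and lt-07 compliant; tc-02 overdue for a 5 January update and still on its default password; lt-03 with the 11 January update pending and due by 25 January (inside the window, so still compliant today but worth chasing); and pc-old flagged as an unsupported operating system.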

We hope you have found the list helpful, and it gives you an idea of what you should be working towards. We’ve helped many clients with the Cyber Essentials certification process and will continue to support them in navigating the new requirements. We’d also be delighted to work with businesses that want to achieve the certification for the first time or need our assistance now, even if we didn’t assist with the original application. We are here to help your business stay protected.

If you’re struggling to understand terms like ‘Thin Client’, ‘Routers’, and ‘Firmware’ and you’re not sure what these requirements mean for your organisation, you don’t need to worry. Being IT experts, we understand all the technical terms and operate to ensure businesses like yours are safe and have reliable IT systems.

Now you've reached the end of the article, it's worth considering these action steps:

★    Have a read through the main compliance points and see if your business would meet these currently.

★    If you’re not sure what’s required to ensure you’re adhering to the new framework, please reach out to us, and we can advise you accordingly.

★    If you haven’t already applied for Cyber Essentials, now’s a great time. Get in touch so we can take you through the process.

We’re ready to take your call on 01772 684282, or you can email us:

With our help, you can be safe in the knowledge that you’re adhering to all the new benchmarks and are helping to protect your organisation against the most common cyber-attacks.

IT Support Services Lancashire


    Unit 6 The Crossroads
    Freckleton Street
    Kirkham, Preston
    PR4 2SH
    Opening Times:
    Monday-Friday; 9.00am - 5.00pm