Cyber Essentials: What Enterprises Need to do for Compliance
The UK’s Cyber Essentials scheme, rolling out this week, is the latest edition of the guidelines that sets the baseline for the nation’s cyber resilience.
Developed with the National Cyber Security Centre and delivered by the IASME Consortium, the guidelines track major developments in the threat landscape, with the framework reviewed each year using audit data, breach analysis and assessor feedback.
This year, the five core controls in the scheme remain unchanged, with the latest revisions focusing on improving clarity, consistency and assurance.
For organisations preparing to receive the Cyber Essentials certification or renewal, the emphasis is now firmly on accurate implementation and verifiable outcomes rather than interpretation.
“The biggest benefit of adopting Cyber Essentials is building resilience against attacks that exploit weak or missing protections,” says Kirsty Paine, Field CTO and Strategic Advisor at Splunk.
“Many cyber incidents happen because organisations haven’t put simple safeguards in place.
“Cyber Essentials helps reduce that risk and gives organisations confidence that the most common attack paths are covered. It also helps build trust with partners and customers, particularly as more organisations expect suppliers to demonstrate good security practices.”
Stricter marking criteria
One of the most significant changes is the introduction of tighter marking rules for critical security practices.
Controls such as multi-factor authentication (MFA) and patch management are now subject to automatic failure if not fully implemented.
MFA is also now mandatory across all cloud services where it is available, regardless of cost or deployment model.
As attack timelines collapse, organisations must ensure that high-risk and critical vulnerabilities affecting operating systems, applications and network devices are addressed within 14 days of release.
Failure to meet these timelines will result in certification failure, regardless of performance elsewhere.
Greater transparency and tighter scope definition
IASME has also introduced several changes to improve how organisations define and present their certification scope.
Businesses can now provide more detailed scope descriptions through a digital certificate platform, offering greater transparency to customers and partners.
Organisations are also required to document any excluded parts of their infrastructure and identify all legal entities included within the assessment.
This reduces ambiguity, particularly for larger or more complex environments.
In addition, Cyber Essentials formally defines certification as a point-in-time assessment based on the date of issue.
However, updated declarations now require senior leadership to confirm that controls will be maintained throughout the certification period, reinforcing ongoing accountability.
Cyber Essentials Plus: closing gaps in real-world enforcement
Updates to Cyber Essentials Plus place stronger emphasis on consistent control enforcement across entire environments.
Assessors will now take a broader approach to testing, particularly in areas such as patching.
If issues are identified during sampling, organisations must demonstrate remediation across their full scope, not just the systems initially tested.
There are also stricter rules around the integrity of the assessment process. Organisations must complete and finalise their self-assessment before technical testing begins, with no opportunity to revise responses based on audit findings.
Are passkeys the future?
Niall McConachie, Regional Director of UK & Ireland at Yubico, comments on why these updates are being brought in and what firms must do to ensure they’re compliant.
“Research from Yubico reveals that while 70% of employees believe AI has made phishing more successful, an eye-opening 62 percent of organisations still rely primarily on username and password credentials,” says Niall.
“The use of this outdated authentication method persists despite its well-known vulnerabilities, which have become even more apparent in the age of AI.
“Because these automated tools target all employees and businesses, every unsecured entry point becomes a target.
“By failing to implement MFA, organisations are leaving the front door wide open for cyber criminals. Nevertheless, while any form of MFA is better than a password, not all forms of MFA are created equal. Legacy MFA approaches, such as SMS-based one-time passcodes and mobile authenticator apps, are broken, with malicious actors repeatedly proving that these are easily bypassed via phishing attacks.
“The NCSC has used this update as an opportunity to name passkeys as the preferred authentication approach moving forwards. For businesses to ensure they are prepared for this, they should deploy hardware-backed passkeys, like security keys, across their infrastructure.”
Together, these changes signal a clear direction. Cyber Essentials is moving beyond baseline compliance towards measurable, organisation-wide security, where visibility, consistency and accountability define success.