Updates to the Cyber Essentials Scheme: What You Need to Know

The Cyber Essentials Scheme has recently undergone revisions that encourage UK firms to improve their cybersecurity and safeguard businesses and customers.


Cybercriminals generally spend more time online these days, like the rest of the population. Because of this, it is more crucial than ever for businesses to make investments in enhancing their cybersecurity.


The Cyber Essentials Scheme, which was launched by the UK government in 2014, is one of the most crucial resources for companies looking to protect their operations from cybercriminals.


Businesses of all sizes should be aware that some of the crucial technical control criteria of this plan have changed this year.


We will go over these changes in depth and emphasise the actions you must take to preserve your compliance. In this article, we’ll first examine the Cyber Essentials Scheme, its purpose, the reasons for its upgrade in 2022, and why you should be concerned about the most recent alterations to the scheme.


What is the Cyber Essentials Scheme?


To help businesses improve their cyber security and to make the UK one of the safest nations in which to conduct business, the UK Government created the Cyber Essentials Scheme, a certification, in 2014.


It offers advice to UK businesses on how to secure their IT operations and is run by the NCSC (National Cyber Security Centre).


The scheme focuses on five technical controls to do this:

  1. Malware and virus protection
  2. Secure configurations
  3. Patch management processes
  4. Access control
  5. Internet gateways & firewalls


Why has Cyber Essentials been modified?


Since 2014, when the UK’s Cyber Essentials Scheme was originally announced, a lot has happened in the realm of cybersecurity. Eight years is a long time in technology, after all.


Cloud computing and the ethos of working from home have become standard.


The NCSC has chosen to make a few significant changes to the scheme in order to make sure that it is completely in line with how corporate operations have evolved.


What does an updated Cyber Essentials scheme mean for organisations?


Regardless of whether their organisation is presently Cyber Essentials certified or intends to obtain the certification in the near future, all organisations in the UK must pay close attention to the most recent updates to the scheme.


If you’re considering a merger or acquisition, conducting supply chain due diligence, or simply looking for trustworthy business partners, it’s equally important to be aware of these new changes.


It goes without saying that all UK-based businesses with large operations ought to renew their Cyber Essentials and Cyber Essentials Plus certificates annually and be knowledgeable about the new measures to make sure the certification doesn’t lapse.


What changes have been made to update the Scheme?


The recent revisions to the Cyber Essentials Scheme cover several aspects of a corporate network and its cybersecurity, including:


Home office equipment


All home-based office equipment used by employees, including laptops, tablets, and cellphones, will now be covered by the Cyber Essentials Scheme’s security recommendations.


Therefore, if employers and employees are serious about preserving compliance, they must both make sure that the firewall settings on their home computing devices properly adhere to the recommendations presented in the Cyber Essentials Scheme.


Endpoint devices


Organisations applying for Cyber Essentials certification frequently certified only their server systems, bypassing the need to include end-user devices in the security evaluation process.


In order to close any security gaps that hackers might exploit, the most recent modification to the Cyber Essentials Scheme has made it mandatory to ensure the security of endpoint devices.



Multi-factor authentication


Implementing multi-factor authentication (MFA) is now a key requirement for continuing to comply with the Cyber Essentials Scheme in 2022 and beyond.


Because multi-factor authentication adds an additional layer of security on top of password protection, it is highly challenging for hackers to access a user’s account and get access to the company network.


Software updates


The National Cyber Security Centre has issued a security recommendation requiring IT administrators to apply recently announced high/critical risk software upgrades within 14 days of their release in an effort to lower the security risk for enterprises.


Additionally, they are accountable for making sure that:


  • All essential software installed on all in-scope devices has automatic updates turned on.
  • Installed software is uninstalled from devices that are no longer covered by the policy.
  • Every piece of software running on the in-scope hardware is fully licensed and was bought directly from the creator.


Separation of accounts


To prevent exposing the corporate network to vulnerabilities, employees should utilise distinct accounts for office work and refrain from using those accounts for routine user activity like browsing the web or monitoring social media.


They can significantly lower the danger of cybersecurity mishaps by keeping separate accounts and practising good online behaviour.




IT leaders should begin planning for the suggested adjustments as soon as they can, even though organisations will have a year to do so, in order to avoid losing their certification and, more significantly, to enhance their organisation’s cybersecurity.


For organisations that don’t have Cyber Essentials certification yet, there are only three easy actions required to become certified in the Cyber Essentials Scheme.


Buy the Cyber Essentials or Cyber Essentials Plus certification at the level you’ve chosen.


Fill out the Cyber Essentials self-assessment form, then upload it for BiP Solutions, the Certification Body, to review.


If you would like help with attaining Cyber Essentials certification for your business, then you can employ the help of an IT support consultancy. At EC-MSP, the aim is to help you protect your business against all security threats. We can also help you to achieve compliance in order to limit your risk of expensive penalties.


About EC-MSP, your IT support partner

EC-MSP are one of the most trusted IT support providers in London. If you would like more help, advice and support with technology for your business, contact us today to see how we can help.