On 24 January 2022, changes to the Cyber Essentials scheme from the National Cyber Security Centre (NCSC) and IASME will be officially released. Here, we explain what Cyber Essentials is, what the changes are, what they will mean to businesses and how you can use them to improve your cyber security defences.

Cyber Essentials

If you are not yet Cyber Essentials certified you might want to consider our Cyber Essentials Readiness survey – and in particular our FREE survey offer for December 2021 – find out more at the end.

Why are they changing parts of the Cyber Essentials scheme?

Since the introduction of the UK Government-backed Cyber Essentials scheme in 2014, forward-thinking businesses have used it mainly for two reasons:

1. As a yardstick to tighten up their cyber security and reduce the chance of an attack.
2. To demonstrate to their clients that they care about – and will look after – their data.

The scheme has not changed significantly since its launch, but the way we use our technology has transformed dramatically. The last 18 months especially, with the COVID-19 pandemic, has seen a huge shift towards the use of more cloud technology and hybrid working (home and office).

So now the Cyber Essentials scheme is being updated so you can raise the bar on your cybersecurity and be cyber safer.

What are the changes to the scheme?

Here are some of the changes but there are more (you can join our online webinar on 20 January to find out details and ask questions). Note that ‘scope’ below refers to whether items are – or are not – included for certification.

Home working

Anyone who works from home for any amount of time is now classified as a home worker. As such their devices need home worker controls. However personal home routers provided by home broadband providers are now out of scope.

Our opinion: Generally speaking for most businesses these changes should remove a major barrier to becoming certified.

Cloud IT

Any cloud services on which the applicant keeps any data are now in scope. In addition to obvious applications such as accounting software, this could include ‘portals’ or even your company website.
Cloud servers (such as servers in Microsoft Azure) and ‘Platform As A Service’ such as hosted databases are also in scope.

For all cloud services, MultiFactor Authentication (MFA) and password policies must be in place. For 2022 this is for admin accounts only, expanding to all accounts in 2023. For some controls on cloud applications, these may be the responsibility of the cloud provider – in which case the applicant’s duty is to check with the provider if they are in place.

Our opinion: These changes are very necessary but will mean a significant additional burden on applicants during the certification process. Having an accurate, up-to-date, audit of all your cloud applications will help with this process. It is possible to technically audit cloud applications in use and this is recommended for larger organisations.


Thin clients (sometimes called dumb terminals) are not in scope. But any devices accessing remote desktop, Citrix, virtual desktops or similar are in scope now.

Any smartphones or tablets connecting to organisational data, whether via a cloud service, web portal or otherwise are now in scope. It can only be considered out of scope if used for phone calls only.

Device passcodes (such as for smartphones or tablets) can now be 6 digits.

Our opinion: These changes mostly clear up ambiguity but will require configuration and management changes for companies using thin clients with a ‘device lockdown’ on them. The 6-digit pin code will be good news for people using older smartphones and tablets without any biometrics on them.

Cyber Essentials changes webinar

Passwords and MultiFactor Authentication

When using a password to access any system in scope, one of the following will be required:

  • Use of MultiFactor Authentication.
  • Technical controls to limit the number of guessed attempts.
  • Account lock after a maximum of 10 failed attempts.

In addition, at least one of the following technical controls to manage password quality should be in place:

  • Using MultiFactor Authentication in conjunction with a password of at least 8 characters.
  • A minimum password length of at least 12 characters.
  • A minimum password length of at least 8 characters and automatic blocking of common passwords.

Guidance must be provided on how staff can create unique passwords for all accounts.

Our opinion: These controls are long overdue and most organisations who have a proactive approach to security should already have them in place. However, ensuring staff have unique passwords is tricky and best done with the use of a password manager. For more details about this, see our blog.

Cyber Essentials Readiness survey

Finally, if you are not yet Cyber Essentials certified, we can help you check whether you are ready for it. By answering a few questions we will help you create a personal action plan to move towards meeting the Cyber Essentials requirements.

So take advantage of our Cyber Essentials Readiness survey below – and in particular our FREE survey offer for December 2021!

(*This offer is suitable for businesses with 20-150 staff only.).