Back to Blog

The changes to Cyber Essentials and what they mean for businesses

Changes to Cyber Essentials Government scheme, affective 24th January 2022, how they will affect businesses and what they can do to prepare.

Ieuan Noble

Mar 10, 2022

Download our ebook


  • The question set ‘Evendine’ released 24th January 2022 heralded the largest changes to the scheme since its inception in 2014. Many organisations are unclear and concerned about the impact of these changes.

  • Changes to the boundary of scope have highlighted what the scheme aims to secure now that many companies and organisations have altered the way they work i.e. cloud-based or hybrid environments.

  • Our highly skilful cybersecurity team have outlined the 10 significant changes to the schemes scope and what can be done to prepare for the impacts of these altered criterion.

What is Cyber Essentials?

A government-backed scheme to increase the baseline security levels of companies and organisations with two levels Cyber Essentials Standard (CES) and Cyber Essentials Plus (CEP). The National Cyber Security Centre (NCSC) evaluate the needs and basic measures companies and organisations can take to improve security.

For more information on each of these elements please refer to the below links;

What has changed?

1. All cloud services are in scope

Any cloud services under configuration responsibility of the applicant upon which any organisational data or services are held or processed must be configured with all the Cyber Essential controls being met.


Create an inventory of the services utilised identifying the cloud service type and audit existing security measures and controls implemented so far. Who implements the controls will vary from service to service (IaaS, PaaS and SaaS).

The 5 key controls to consider

  1. Firewalls
  2. Secure Configuration
  3. User Access Controls
  4. Malware Protection
  5. Security Update Management

Flow's SaaS based managed service built on Palo Alto’s Prisma Cloud, for Cloud Security Posture Management (CSPM) is a cloud agnostic service that provides broad-based support for all contemporary cloud technologies. It enables organisations to manage their cloud debt by staying on top of misconfigurations, potential vulnerabilities, threats and compliance violations, all within a single integrated platform.

Understand the value of using a CSPM managed service - click here.


2. Home Workers

Any devices used by staff members while working from home to access organisational data now fall within the scope and must comply with requirements. Home (e.g. broadband) routers that are supplied by an Internet Service Provider (ISP) will not fall within the scope.


Ensure that all devices used to access company information have their software firewalls enabled and are generally compliant with Cyber Essentials and Cyber Essentials Plus requirements.


3. Multifactor authentication

Multifactor authentication must be used to provide additional protection to administrator accounts used to connect to cloud services like O365 with the password element meeting a certain criteria.

Additional factors that may be considered:

  • Managed/enterprise device
  • App on a trusted device
  • Physically separate token
  • Known or trusted account

This will eventually encompass all accounts, including standard users but this is not due to be a requirement until 2023. 


Enable MFA as an option wherever and whenever possible.


4. Password-Based Authentication Requirements

One of the following protections must now be used:

  • Using multi-factor authentication
  • Limiting the rate of unsuccessful or guessed attempts.
  • Locking accounts after no more than 10 unsuccessful attempts

Passwords must include one of the following:

  • Multi-factor authentication in conjunction with a password of at least 8 characters
  • A minimum password length of at least 12 characters
  • A minimum password length of at least 8 characters and automatic blocking of common passwords using a deny list

5. Thin Clients

For companies and organisations utilising a thin client estate/set-up to access servers facilitating virtual desktop environments. These have now clearly been brought into scope with explicit mentioning within assessor guidance.


Ensure these devices comply with all CE/CE+ controls. 


6. Account separation

Use separate accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).

This also extends to shared administrative accounts for support purposes the company providing 3rd party support needs to facilitate separate named accounts for any individual conducting work on an applicant company or organisation.


Admin accounts should be standalone and require a login to conduct an administrative task. Creating separate named admin accounts will be enough to meet this requirement.


7. Device Unlocking Requirements

Biometrics or a minimum password/pin length of 6 characters must be used to unlock a device where applicable.


Provide a added layer of security to implement biometric authentication i.e. fingerprint or face detection and pin/password of at least 6 characters. 


8. All “Critical” and “High” Vulnerabilities And Unsupported Applications

All security-related updates must be applied within a 14-day patch window. These are updates for “Critical” and “High” vulnerabilities in accordance with the CVSS v3 marking scheme. None may be present if there is a patch/mitigation available. 

Unsupported software removed from scope will be marked for compliance from January 2023. Its continued presence will result in an automatic failure.


  • Ensure all software is licensed and supported
  • Remove any unsupported software or remove the devices hosting them from scope by using a defined ‘sub-set’ that prevents all traffic to/from the internet.
  • Have automatic updates enabled where possible.
  • Apply updates, including any manual configuration changes required to make the update effective, within 14 days of an update being released, where;
    • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’.
    • The update addresses vulnerabilities with a CVSS v3 score of 7 or above.
    • There are no details of the level of vulnerabilities the update fixes provided by the vendor.

9. All servers are now in scope

All server types, including virtual servers on a “sub-set” of an assessment where the scope has been defined as “whole organisation”, are now in scope. This means that for any company carrying out CEP these devices will also be subject to testing.


Ensure these devices comply with all CE/CE+ controls.


10. Changes to the self-assessment

There have been some changes to ensure devices within scope are supported by their respective vendors. This requires more evidence than previously to be provided by the applicant.


Collect the make model and software version details for all mobile, workstation and server devices in advance of starting to fill out the CE questionnaire. The burden of evidence on the applicant side has impacted on the time it takes to mark self-assessments from approx. a hour to a day or more. Ensure you leave adequate time from initial submission for marking before any deadlines.



NCSC - read more

IASME - read more

Latest Articles

Reflecting on 2022 and looking forward to 2023

Reflecting on 2022 and looking forward to 2023

Thought leader Etienne Greeff shares his views on how 2022 shaped the cyber landscape, his predictions for 2023, what we should expect & ho...

MYTH 2: Unpatched systems exposing known vulnerabilities will welcome attacks

MYTH 2: Unpatched systems exposing known vulnerabilities will welcome attacks

One example of a cybersecurity fallacy is the claim that unpatched systems exposing known vulnerabilities will welcome attacks.

MYTH 1: The rise in remote working and the increased risk to remote end points

MYTH 1: The rise in remote working and the increased risk to remote end points

The rise in remote working has significantly increased the risk of attacks on remote end points. This is a misconception.