Cyber Essentials Is Changing in April 2025 — Here’s What You Need to Know (Before It Bites You)


You know how Cyber Essentials likes to keep us all on our toes? Well, it is back at it again. From 28th April 2025, IASME will officially roll out “Willow”, the next version of the Cyber Essentials self-assessment question set. If you thought you could copy-paste your answers from last year’s application, you might want to rethink that plan.

This time, the changes are not just minor tweaks. Some of them will force you to actually think about security rather than just ticking boxes. Let’s break down what is new, what is stricter, and where you will need to up your game.

Passwords? Who Needs Them?

For years, Cyber Essentials has banged on about strong passwords and multi-factor authentication. Now, the new Willow set says you can go passwordless if you want. Biometrics, hardware keys, magic spells – as long as they meet proper security standards, they are fair game.

But, and it is a big but, if you fall back to good old passwords at any point (like during account recovery), you still need to lock those down with brute force protections like lockouts and throttling. So no, you cannot just set the backup password to password123 and hope no one notices.
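What "lockouts and throttling" on a fallback password look like in practice, as an added example for this post (not code from IASME, the NCSC or the author). It assumes a recovery path that still accepts a password, locks the account after five consecutive failures for fifteen minutes, and doubles the wait between attempts after each failure; the thresholds, usernames and passwords are constructed.

```python
"""Brute-force protection on a password fallback path (e.g. account recovery).

Added example for this post; it is not code from IASME, NCSC or the author.
It shows the two controls the post names for any remaining password path:
a lockout after repeated failures and throttling (a growing delay between
attempts). Thresholds, usernames and passwords below are constructed.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

MAX_FAILURES = 5        # assumed: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed: 15-minute lockout
BASE_DELAY = 1.0        # assumed: retry delay 1s, 2s, 4s, ... after each failure


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; returns (salt, digest). The raw password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class PasswordFallback:
    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so tests can move time forward
        self.accounts = {}          # username -> (salt, digest)
        self.state = {}             # username -> failures / locked_until / next_allowed
        self._dummy = hash_password("dummy")  # keeps timing even for unknown users

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = hash_password(password)
        self.state[username] = {"failures": 0, "locked_until": 0.0, "next_allowed": 0.0}

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied', 'throttled' or 'locked'."""
        now = self.clock()
        st = self.state.get(username)
        if st is None:
            # Unknown user: do the same work and give the same answer as a bad
            # password, so the response does not reveal which usernames exist.
            hash_password(password, self._dummy[0])
            return "denied"
        if now < st["locked_until"]:
            return "locked"
        if st["locked_until"]:
            # The lockout has expired: start counting failures afresh.
            st.update(failures=0, locked_until=0.0, next_allowed=0.0)
        if now < st["next_allowed"]:
            return "throttled"      # too soon after the last failure
        salt, digest = self.accounts[username]
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            st.update(failures=0, next_allowed=0.0)
            return "ok"
        st["failures"] += 1
        if st["failures"] >= MAX_FAILURES:
            st["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        # Exponential back-off: 1s, 2s, 4s, 8s before the next attempt is accepted.
        st["next_allowed"] = now + BASE_DELAY * 2 ** (st["failures"] - 1)
        return "denied"


if __name__ == "__main__":
    fallback = PasswordFallback()
    fallback.register("alice", "correct-horse-battery-staple")   # constructed account
    for guess in ["password123", "letmein", "correct-horse-battery-staple"]:
        print(guess, "->", fallback.attempt("alice", guess))
```

The two controls work together: throttling makes each guess cost the caller time even before the lockout threshold is reached, and the lockout caps how many guesses can be made at all. Unknown usernames get the same hashing work and the same answer as a wrong password, so the recovery form does not become a username oracle.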

Your Users Should Not Be Admins – Obvious, Right?

Apparently not obvious enough. The new question set forces you to explicitly state that you apply the principle of least privilege. If Dave in marketing has admin rights because he asked nicely in 2019, you are going to have a problem.

This has always been best practice, but now it is written into the assessment. Everyone should only have access to what they actually need. If you let anyone and everyone have full access to everything, expect to fail.

Home Working is so 2021 – Now It’s Remote Working

The old question set asked about home workers. The new one asks about home and remote workers, because let’s be honest, people work from anywhere these days – their kitchen table, a café with dodgy WiFi, or a beach in Tenerife.

IASME wants you to count how many of your users work remotely and confirm that their devices still meet Cyber Essentials requirements. That includes proper firewalls and security updates, even if they are connecting from a caravan in Cornwall.

And if they use their own devices (BYOD) for work, those are now firmly in scope. So if your staff are using personal laptops to check emails, congratulations – you have just inherited responsibility for those machines too.

Firewalls – Now with Added Admin Work

Firewalls have always been required, but now you have to list every single one of them. Got a home worker with a router they found in a skip? List it. Got a firewall in the office that has not had its rules reviewed since the last ice age? Sort it out.

IASME wants you to document your firewalls and confirm you regularly review the rules. This is not optional housekeeping anymore – it is compliance.
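A small firewall inventory and rule review, added here as an example of the documentation the question set asks for; it is not IASME's tooling or the author's. It assumes a yearly review cadence (the question set only says "regularly") and flags three things a reviewer would want to see: firewalls whose rules have not been reviewed within that window, inbound allow rules with no documented justification, and inbound allows that are wide open or expose remote-administration ports to any source. The inventory is constructed.

```python
"""Firewall inventory and rule review checker.

Added example for this post, not tooling from IASME or the author. The
inventory covers the office edge firewall, a home worker's router and a
remote worker's laptop software firewall, as the post says it now must.
All names, addresses and dates are constructed.
"""
from datetime import date

REVIEW_INTERVAL_DAYS = 365          # assumed review cadence
REMOTE_ADMIN_PORTS = {"22", "23", "3389"}   # assumed: ports that should never be open to 'any'

INVENTORY = [  # constructed sample inventory
    {"name": "office-edge-fw", "location": "Head office", "last_reviewed": "2025-02-10",
     "rules": [
         {"id": 1, "direction": "inbound", "src": "any", "dst": "any", "port": "any",
          "action": "allow", "justification": ""},
         {"id": 2, "direction": "inbound", "src": "any", "dst": "10.0.0.5", "port": "443",
          "action": "allow", "justification": "Public web server"},
     ]},
    {"name": "dave-home-router", "location": "Home worker: Dave", "last_reviewed": "2023-06-01",
     "rules": [
         {"id": 1, "direction": "inbound", "src": "any", "dst": "192.168.1.20", "port": "3389",
          "action": "allow", "justification": "Remote desktop to laptop"},
     ]},
    {"name": "priya-laptop-hostfw", "location": "Remote worker: Priya (software firewall)",
     "last_reviewed": "2025-03-01", "rules": []},
]


def review_firewalls(inventory, today):
    """Return a list of (firewall name, finding) pairs that need attention."""
    findings = []
    for fw in inventory:
        last = date.fromisoformat(fw["last_reviewed"])
        if (today - last).days > REVIEW_INTERVAL_DAYS:
            findings.append((fw["name"], f"rule review overdue (last reviewed {last})"))
        for rule in fw["rules"]:
            # Only inbound allows matter here; inbound denies and outbound rules are skipped.
            if rule["action"] != "allow" or rule["direction"] != "inbound":
                continue
            tag = f"rule {rule['id']}"
            if rule["src"] == "any" and rule["dst"] == "any" and rule["port"] == "any":
                findings.append((fw["name"], f"{tag}: inbound allow any/any/any"))
            if not rule["justification"].strip():
                findings.append((fw["name"], f"{tag}: no documented justification"))
            if rule["port"] in REMOTE_ADMIN_PORTS and rule["src"] == "any":
                findings.append((fw["name"], f"{tag}: remote-admin port {rule['port']} open to any source"))
    return findings


def print_report(inventory, today):
    """Inventory first (the list IASME wants), then the findings."""
    for fw in inventory:
        print(f"{fw['name']:<22} {fw['location']:<45} reviewed {fw['last_reviewed']}  rules={len(fw['rules'])}")
    print()
    for name, finding in review_firewalls(inventory, today):
        print(f"[ACTION] {name}: {finding}")


if __name__ == "__main__":
    print_report(INVENTORY, date(2025, 4, 28))
```

Run against the constructed inventory on 28 April 2025 it lists all three devices, then flags the any/any/any rule and its missing justification on the office firewall, and the overdue review plus the remote desktop port on Dave's router. The laptop firewall with no inbound allows produces no findings, which is itself a useful thing to be able to show an assessor.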

Patching? It’s Not Just for Software Anymore

Here’s where things get spicy. In the new world of Cyber Essentials, a vulnerability fix is not just a patch. It could be a configuration tweak, a registry change, a script – basically, whatever the vendor says will fix the problem.

This matters because if you used to dodge patching by saying “there’s no patch available”, you are out of luck. If the vendor says “change this obscure setting”, you now have to do it within 14 days – just like you would with a critical patch.

This also means you need to keep up with security bulletins and actually read them. Fun times ahead for whoever gets stuck with that job.
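A remediation tracker for the "whatever the vendor says" world the post describes, added here as an example rather than any tool from IASME or the author. It treats a patch, a configuration change, a registry change and a script as equally valid fixes, applies the 14-day window from the post to all of them, and reports which bulletins were met, missed, are overdue, or are still open. The bulletin identifiers, products and dates are constructed placeholders.

```python
"""Remediation SLA tracker for vendor security bulletins.

Added example for this post, not IASME's or the author's tooling. Under the
Willow question set a 'fix' can be a patch, a configuration change, a registry
change or a script, and all of them have to be applied within 14 days. The
bulletin IDs, products and dates below are constructed placeholders.
"""
from datetime import date, timedelta

SLA_DAYS = 14
FIX_TYPES = {"patch", "config", "registry", "script"}

BULLETINS = [  # constructed sample data
    {"id": "VENDOR-BULLETIN-001", "product": "Mail gateway", "fix_type": "patch",
     "published": "2025-04-01", "applied": "2025-04-10"},
    {"id": "VENDOR-BULLETIN-002", "product": "Office router", "fix_type": "config",
     "published": "2025-04-05", "applied": None},
    {"id": "VENDOR-BULLETIN-003", "product": "Accounts app", "fix_type": "registry",
     "published": "2025-04-20", "applied": None},
    {"id": "VENDOR-BULLETIN-004", "product": "VPN client", "fix_type": "script",
     "published": "2025-03-20", "applied": "2025-04-15"},
]


def remediation_status(bulletin, today):
    """Return (status, days).

    status: 'met' (applied in time), 'missed' (applied late), 'overdue'
    (not applied, deadline passed) or 'open' (not applied, deadline ahead).
    days: days late for 'missed'/'overdue', days remaining for 'open', 0 for 'met'.
    """
    if bulletin["fix_type"] not in FIX_TYPES:
        raise ValueError(f"unknown fix type {bulletin['fix_type']!r}")
    published = date.fromisoformat(bulletin["published"])
    deadline = published + timedelta(days=SLA_DAYS)
    if bulletin["applied"] is not None:
        late = (date.fromisoformat(bulletin["applied"]) - deadline).days
        return ("met", 0) if late <= 0 else ("missed", late)
    if today > deadline:
        return "overdue", (today - deadline).days
    return "open", (deadline - today).days


def report(bulletins, today):
    """One row per bulletin: (id, product, fix type, status, days)."""
    rows = []
    for b in bulletins:
        status, days = remediation_status(b, today)
        rows.append((b["id"], b["product"], b["fix_type"], status, days))
    return rows


def overdue(bulletins, today):
    """Just the bulletins that need action today."""
    return [row for row in report(bulletins, today) if row[3] == "overdue"]


if __name__ == "__main__":
    today = date(2025, 4, 28)
    for bid, product, fix_type, status, days in report(BULLETINS, today):
        print(f"{bid:<22} {product:<16} {fix_type:<9} {status:<8} {days}")
```

The point of the `fix_type` field is that a configuration or registry change gets the same deadline and the same audit trail as a binary patch, so "no patch available" no longer closes the ticket.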

Browser Extensions – Surprise! They Are In Scope Now

Software has always been in scope for Cyber Essentials. But now, IASME has clarified that browser extensions are officially software. So, all those handy Chrome add-ons your team loves? They are now your problem.

That means you need to keep them up to date and make sure they are not riddled with security holes. If you have got random extensions installed that no one even remembers adding, clear them out now.
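A starting point for the extension clear-out, added as an example (not the author's code, nor anything from IASME or Google). Every Chrome and Chromium extension ships a `manifest.json` whose `permissions` and `host_permissions` entries say what it can reach; the script inventories name and version and flags the ones that deserve a second look. The manifests are constructed, and the set of permissions treated as high-risk is an assumption for the example.

```python
"""Inventory and risk-flag browser extensions from their manifest files.

Added example for this post (not the author's, IASME's or Google's code).
Each Chrome/Chromium extension ships a manifest.json; its 'permissions' and
'host_permissions' entries say what the extension can reach. The manifests
below are constructed; the list of high-risk permissions is an assumption.
"""
import json

# Assumed high-risk set: anything that reads every site, intercepts traffic,
# or reaches outside the browser.
HIGH_RISK = {"<all_urls>", "webRequest", "webRequestBlocking", "tabs", "history",
             "cookies", "clipboardRead", "nativeMessaging", "debugger", "proxy"}

MANIFESTS = {  # constructed sample: extension id -> manifest.json text
    "ext-a": json.dumps({"name": "Grammar Helper", "version": "3.2.1", "manifest_version": 3,
                         "permissions": ["storage", "activeTab"],
                         "host_permissions": ["https://example-docs.test/*"]}),
    "ext-b": json.dumps({"name": "Coupon Finder", "version": "0.9", "manifest_version": 2,
                         "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "cookies"]}),
    "ext-c": json.dumps({"name": "Screen Snip", "version": "1.0.0", "manifest_version": 3,
                         "permissions": ["activeTab", "tabs", "clipboardRead"],
                         "host_permissions": ["<all_urls>"]}),
}


def is_broad_host(pattern):
    """True for match patterns that cover every site (e.g. '<all_urls>', '*://*/*')."""
    if pattern == "<all_urls>":
        return True
    return pattern.split("://", 1)[-1].startswith("*/")


def audit_extension(manifest_text):
    """Parse one manifest and return an inventory row with risk flags."""
    m = json.loads(manifest_text)
    permissions = set(m.get("permissions", []))
    hosts = set(m.get("host_permissions", []))   # MV3 keeps host patterns here
    # MV2 manifests mix host patterns into 'permissions'; pick those out too.
    hosts |= {p for p in permissions if "://" in p or p == "<all_urls>"}
    risky = sorted((permissions | hosts) & HIGH_RISK)
    broad = sorted(h for h in hosts if is_broad_host(h))
    return {
        "name": m.get("name", "?"),
        "version": m.get("version", "?"),
        "manifest_version": m.get("manifest_version"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "needs_review": bool(risky or broad),
    }


def audit_all(manifests):
    """Audit every manifest; returns extension id -> inventory row."""
    return {ext_id: audit_extension(text) for ext_id, text in manifests.items()}


if __name__ == "__main__":
    for ext_id, row in audit_all(MANIFESTS).items():
        flag = "REVIEW" if row["needs_review"] else "ok"
        print(f"{ext_id}: {row['name']} {row['version']} [{flag}] {row['risky_permissions']}")
```

On a real machine the manifests live under each extension's directory in the browser profile; the same `audit_extension` call works on each file's contents. Anything flagged `REVIEW` is a candidate for "does anyone actually need this?", and the version column is what you compare against the store when checking it is up to date.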

What Does This All Mean for You?

In short, Cyber Essentials is not just about paperwork anymore. It is about actually doing security properly – keeping your users under control, patching everything (even config), and treating remote workers’ devices as if they are office kit.

If you want to stay compliant (and keep that Cyber Essentials badge on your website), you need to tighten up your processes now – not the day before you apply.

The Checklist You Need

✅ Review how you manage remote and home workers’ devices
✅ Update your asset list to cover all firewalls, routers, and BYOD kit
✅ Document how you enforce least privilege (yes, you need a policy)
✅ Track security bulletins, not just patches
✅ Treat browser extensions like real software – update or remove them
✅ Consider moving to passwordless login if you want to future-proof your setup

Do not leave this until the week before your renewal. If you are not sure where to start, Equate Group can walk you through it all – and we will even bring biscuits.


Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com