As the way we work has drastically changed for many over the last two years, the NCSC (National Cyber Security Centre) has announced that the largest update to Cyber Essentials since its release in 2014 will be released in January 2022. This new update comes with an extensive set of new requirements which includes revisions on: Cloud Services, Multi-Factor Authentication, Working from Home, Password Management, Security Updates and more. This is in response to the quickly evolving set of cyber security challenges businesses now face.

But what is Cyber Essentials? Cyber Essentials is a simple but effective government-backed scheme launched on the 5th of June 2014. Working with the IASME (Information Assurance for Small and Medium Enterprises) and the ISF (Information Security Forum), the government created a set of basic technical controls to help organisations protect against common online security threats. These updates will help many organisations keep up basic cyber hygiene, whilst providing reassurance to managers, staff and clients.

The COVID-19 pandemic has only accelerated the change in how we work, the digital transformation and the adoption of cloud services, which calls for a refresh of Cyber Essentials. The refresh will reflect these changes in routines and will also mean a more regular review.

The new technical requirements for Cyber Essentials will be released on the 24th of January 2022 and businesses will have 6 months from this date to comply with the new standard. However, it is recognised that some organisations may need to make extra efforts when being assessed against the new standards, so there will be a grace period of up to 12 months for some of the requirements.

The new requirements, including the new IT Infrastructure requirements, can be found on the NCSC website.


What if I begin the Cyber Essentials assessment before the 24th of January?

If you begin your assessment before the 24th of January you will be certified on the current technical standard. Following this, you will then have 6 months from the 24th to complete the new standard.

What if I am currently in the process of completing the assessment, will the questions change?

No, the questions will not change if you have started the assessment before the 24th of January, but you will need to complete the new assessment within 6 months.

Am I able to choose the questions or set of requirements I will answer?

No, assessments that begin before the 24th of January will be on the current set of requirements. Beginning the assessment on or after this date will be on the new set of requirements.

What if I gain the Cyber Essentials certification before the 24th of January, on the current set of requirements but need to gain Cyber Essentials Plus after this date?

In this instance Cyber Essentials Plus will also be on the same set of requirements as Cyber Essentials, despite beginning after the 24th of January. However, it must be completed within 3 months of the Cyber Essentials assessment.

Are there any exceptions where the current requirements will still apply beyond the 24th of July 2022?

Yes, if the Cyber Essentials Plus assessment is carried out within 3 months of the Cyber Essentials assessment (which began before the 24th of January), it can be completed after the expiry date of the 24th of July 2022.

How long are the certificates valid for?

All new certificates issued by the IASME will have a 12-month expiry date.