What’s New in Cyber Essentials

The Cyber Essentials certification has been updated on the 24th January 2022.  If your organisation is certified under this scheme, it shows that you have good cyber practice in place under the following 5 technical control areas:


  • Firewalls – your connection to the internet.
  • Secure configuration – all your devices are set up correctly.
  • User access control – ensure access is given only to those that need it.
  • Malware protection – essential protection against the bad actors that are out there.
  • Security update management – ensuring all your operating systems and applications are up to date.


The Cyber Essentials Certification questions have been updated to include the following new areas:


  • Added a home working requirement which covers any device which accesses any business data.
  • All cloud services are now in scope – this includes Infrastructure as a Service (IaaS), Platforms as a Service (PaaS) and Software as a Service (SaaS). This covers how these services meet the requirements of the 5 technical control areas outlined above.
  • Extended the multi-factor authentication requirement in relation to cloud services.
  • Updated the password-based authentication requirement and added a new section on multi-factor authentication.
  • Thin clients are now in scope and added to the ‘devices’ definition. A thin client is a computer that runs from resources stored on a central server instead of a localized hard drive.
  • Added a new device unlocking requirement to the ‘secure configuration’ control. This means that a device should permit no more than 10 guesses in 5 minutes or locking devices after no more than 10 unsuccessful attempts.
  • Added a new statement clarifying the inclusion of end user devices in the scope of certifications.
  • Further information on unsupported applications added to the ‘security update management’ control.
  • Removed specific ‘email, web, and application servers’ from control definitions and replaced with ‘servers’.
  • Updated the bring your own device (BYOD) section. Devices which can use native voice applications (phone calls), native text applications (text messages) or multi-factor authentication application are not in scope.
  • Updated the wireless devices section. If an attacker cannot attack the device directly form the internet then it would not be in scope.
  • Added a new ‘servers’ definition. These are now specific devices that provide organisational data or services to other devices.
  • Added a new ‘sub-set’ definition and information on its impact on the scope. This can be an area of the business which is separated by a firewall or VLAN.
  • Added a new ‘licensed and supported’ definition – a legal right to use the software.