Cyber Essentials: What's New in 2022?

Written by Cyber Tec Security
Jan 18, 2022 - 3 minute read

The Cyber Essentials standard is changing. Find out what IASME and the NCSC have been working on and what we can expect the scheme to look like in 2022...

A new year, a new Cyber Essentials - well, not quite. But there are some significant changes coming in from 24th January. 

Read on to find out what updates are being made to the scheme and how this might affect your business.

What's going on?

At the end of December 2021, IASME and the NCSC announced that some of the technical control requirements that make up Cyber Essentials would be changing.

This is not the first time Cyber Essentials has undergone changes. With cyber threats evolving constantly, the scheme has to keep up, ensuring businesses are giving themselves adequate protection. 

What's changing?

Home devices and routers

Home working is still very much a part of our lives and as such it has become an important aspect of the Cyber Essentials requirements.

The updated standard will include all home devices used to access company information, but home routers provided by the home worker will not be in scope. Cyber Essentials firewall controls will be applicable to the home worker's devices.

What else is in scope?

  • Thin clients that allow access to company information
  • All servers, even if on a sub-set (separate network to rest of organisation, separated by firewall or VLAN)
  • Smartphones and tablets when accessing company information or connecting to 4G or 5G networks.

Also, note that the new assessments must include end-user devices as part of their scope, not just servers.

Cloud services fully incorporated

All cloud services utilised by a company will now have to have Cyber Essentials controls implemented. This is to encourage users to take full responsibility for their security and not solely rely on their cloud service provider. Although some controls may be the cloud service provider's duty to implement, the company should still ensure they seek evidence that this has been done.

Access to cloud services must be protected by MFA

We often hear of the importance of password security, but with credential theft and attacks on cloud services increasing, the Cyber Essentials standard is making stronger passwords and multi-factor authentication a requirement for companies using cloud services.

Passwords will have to be at least 8 characters and a second authentication method activated for additional protection of accounts.

This will now be tested as part of the Cyber Essentials Plus audit.

Other password related requirements:

  • Password-protected areas should have either MFA activated, login throttling, or account locking after (up to) 10 unsuccessful attempts
  • All passwords must follow one of the following policies:
    • MFA and a password of at least 8 characters
    • A password of at least 12 characters
    • A password of at least 8 characters and automatic blocking of common passwords
  • Biometrics or a password/PIN of at least 6 characters should be used to lock a device
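
The password rules above can be checked mechanically against an inventory of login services. The following is an added example, not code from IASME, the NCSC or Cyber Tec Security; the AuthConfig field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthConfig:                         # field names are assumptions
    name: str
    min_length: int                       # minimum password length enforced
    mfa: bool = False
    deny_list: bool = False               # automatic blocking of common passwords
    throttling: bool = False              # login throttling enabled
    lockout_after: Optional[int] = None   # failed attempts before lock; None = never
    cloud: bool = False                   # True for cloud services

def password_policy_option(cfg):
    """Return which of the three listed password policies is met, or None."""
    if cfg.mfa and cfg.min_length >= 8:
        return "MFA + 8 characters"
    if cfg.min_length >= 12:
        return "12 characters"
    if cfg.min_length >= 8 and cfg.deny_list:
        return "8 characters + common-password blocking"
    return None

def brute_force_protected(cfg):
    # Accepted: MFA, throttling, or locking after at most 10 failed attempts.
    locks_in_time = cfg.lockout_after is not None and 1 <= cfg.lockout_after <= 10
    return cfg.mfa or cfg.throttling or locks_in_time

def audit(configs):
    findings = {}                         # service name -> list of gaps
    for cfg in configs:
        gaps = []
        if password_policy_option(cfg) is None:
            gaps.append("no accepted password policy")
        if not brute_force_protected(cfg):
            gaps.append("no MFA, throttling or lockout within 10 attempts")
        if cfg.cloud and not cfg.mfa:
            gaps.append("cloud service without MFA")
        if gaps:
            findings[cfg.name] = gaps
    return findings

SAMPLE = [  # constructed sample inventory, not real systems
    AuthConfig("cloud-mail", min_length=8, mfa=True, cloud=True),
    AuthConfig("intranet-wiki", min_length=8, deny_list=True, lockout_after=25),
    AuthConfig("cloud-crm", min_length=14, throttling=True, cloud=True),
    AuthConfig("legacy-app", min_length=8),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A service can satisfy the password-length rule and still fail, as the constructed "cloud-crm" entry does: a 14-character minimum meets the password policy, but the cloud MFA requirement is separate.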


Any updates labelled by the vendor as 'high' or 'critical' (those that address vulnerabilities with a CVSS score of 7+) should be applied within 14 days. Automatic updates are advised where possible.

All software should also be properly licensed and supported by the vendor, and any end-of-life software should be removed.

Account Separation

There must be a separation between user and administrative accounts with standard activities like emailing and web browsing avoided on admin accounts.

Under the updated standard, this account separation will be tested as part of the Cyber Essentials Plus audit.

How will these updates affect you?

If you are currently undertaking a Cyber Essentials assessment or purchase one before 24th January, don't worry. You'll continue to be tested on the current question set and will have up to 6 months from 24th Jan to complete the assessment and achieve certification.

Any assessments purchased after 24th, however, will be against the new updated standard. To review the full question set from IASME click here.

If you start Cyber Essentials before the 24th and are continuing on to Cyber Essentials Plus, this will be against the same standard even if after 24th, as long as it is completed within 3 months following Cyber Essentials.

New tiered pricing structure

The cost of Cyber Essentials will be another major change to the scheme introduced in January 2022. IASME are bringing in a new tiered pricing structure, whereby the costs of certification will depend upon organisation size. This is due to assessments becoming increasingly complex under the updated standard and requiring greater technical input from assessors.


At Cyber Tec Security, we have adapted our pricing system to reflect these changes from IASME, as well as introducing new guided options to offer further support as businesses work to achieve this standard. 

You will be able to view these new service options and pricings on this page from 24th January.