In today's digital age, safeguarding your organisation's data is paramount. Achieving Cyber Essentials Plus compliance can significantly enhance your security posture.
For 2025, Cyber Essentials introduces significant updates to its technical requirements, focusing on user device categorisation and enhanced malware protection mechanisms. Notably, user devices are now categorised more distinctly, emphasising the importance of managing risks associated with different device types. This adjustment ensures that organisations allocate appropriate security measures based on device vulnerabilities.
Here's a step-by-step guide to help your organisation navigate this process effectively.
The 14-day patching window is a cornerstone of Cyber Essentials Plus, with 99% of internet-originating vulnerabilities being mitigated through its technical controls. Regularly updating your systems within this timeframe is crucial for maintaining robust security. The scheme looks at security updates rated CVSS 7 and above, or marked 'high risk' or 'critical' by the vendor. Organisations need to have applied these updates within the 14 days, not just tested them. Patching can be automated or manual; where an update has not been categorised by severity, it is still included within the 14-day requirement.
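As an added example (not from the original article or the scheme's own tooling), the following Python snippet applies the rule above to a constructed list of outstanding updates: an update is in scope when its CVSS score is 7.0 or higher, its vendor rating is high or critical, or it carries no rating at all, and it is compliant only if it was actually installed within 14 days of release. The update names, dates and scores are invented sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14          # Cyber Essentials patching window
CVSS_THRESHOLD = 7.0            # CVSS 7 and above is in scope
IN_SCOPE_RATINGS = {"high", "critical"}


@dataclass
class SecurityUpdate:
    name: str
    released: date                      # vendor release date
    applied: Optional[date]             # None = not installed (testing alone does not count)
    cvss: Optional[float] = None        # None = no CVSS score published
    vendor_rating: Optional[str] = None  # None = no vendor severity rating


def in_scope(update: SecurityUpdate) -> bool:
    """Uncategorised updates count as in scope, as do CVSS >= 7 or high/critical."""
    if update.cvss is None and update.vendor_rating is None:
        return True
    if update.cvss is not None and update.cvss >= CVSS_THRESHOLD:
        return True
    return (update.vendor_rating or "").lower() in IN_SCOPE_RATINGS


def assess(update: SecurityUpdate, today: date) -> str:
    """Return 'out-of-scope', 'compliant', 'pending', 'late' or 'overdue'."""
    if not in_scope(update):
        return "out-of-scope"
    deadline = update.released + timedelta(days=PATCH_WINDOW_DAYS)
    if update.applied is not None:
        return "compliant" if update.applied <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def report(updates, today: date) -> dict:
    return {u.name: assess(u, today) for u in updates}


# Constructed sample inventory; assessment date is 2025-03-20.
TODAY = date(2025, 3, 20)
SAMPLE = [
    SecurityUpdate("KB-A", date(2025, 3, 1), date(2025, 3, 10), cvss=9.8),
    SecurityUpdate("KB-B", date(2025, 3, 1), None, cvss=5.0, vendor_rating="medium"),
    SecurityUpdate("KB-C", date(2025, 3, 1), None),                 # no rating at all
    SecurityUpdate("KB-D", date(2025, 3, 10), None, cvss=4.0, vendor_rating="critical"),
    SecurityUpdate("KB-E", date(2025, 2, 1), date(2025, 2, 20), cvss=7.0),
]

if __name__ == "__main__":
    for name, status in report(SAMPLE, TODAY).items():
        print(f"{name}: {status}")
```

KB-C shows the edge case the text calls out: with no CVSS score and no vendor rating it is still subject to the 14-day window, and here it is already overdue.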
Come April 2025, the Cyber Essentials scheme will transition from Montpellier to Willow. Stay informed by checking your inbox for updates to ensure a seamless transition, as this change could affect your compliance strategy.
Cyber Essentials 'Willow' is set to roll out soon, introducing significant changes to better align with the evolving threat landscape. As cyber threats continue to grow in sophistication, the new questions are designed to reflect the latest security practices, ensuring that organisations can adequately mitigate risks.
The core focus remains on the five key technical controls that constitute the first line of defence. These controls—firewalls, secure configurations, user access controls, malware protection, and patch management—will be emphasised in the updated framework to ensure businesses can effectively guard against emerging threats.
• Passwordless guidance has been added to user access control
• ‘Software’ definition updated
• ‘Vulnerability fix’ definition added
• ‘Passwordless’ definition and description added
• Update to security update management control to include vulnerabilities that are fixed by manual configuration only
• References to ‘home working’ changed to ‘home and remote working’
Leverage the wealth of free resources provided by IASME. These materials are designed to aid your understanding and implementation of necessary security measures, helping you fortify your defences against cyber threats.
The following documents are key:
Bring Your Own Device (BYOD) practices can introduce vulnerabilities if not managed correctly. Ensure all devices accessing organisational data are included in your security checks to maintain comprehensive protection.
BYOD primarily includes personal phones but may also include tablets or laptops. These devices will need security controls applied. This does not include devices used only for texting, voice calls, or Multi-factor Authentication (MFA) applications. It is easy to allow access to work emails or files on these devices, but it can come with severe risks to security.
Old user accounts can pose security risks as they may be tied to outdated software. Conduct regular audits to remove or disable these accounts, minimising the vulnerabilities that surface during scans.
Redundant accounts, especially local admin accounts, can create significant risk. The default user accounts in Windows have administrator privileges and can do things that standard users cannot. Ensure that even the 'guest' accounts commonly present on devices are deleted or disabled. In vulnerability scans, we often see duplicate line items for a single vulnerability/CVE because two or more users have logged into one device over time. An account that logged in only once can still accumulate vulnerabilities, especially in software that is unable to update.
Beyond enhancing security, Cyber Essentials certification can boost your market competitiveness. With 69% of businesses noting improved competitiveness, it's a strategic investment that can differentiate your company.
It can help attract new business or funding from organisations that require the certification. It can allow you to apply for government contracts. Once aligned with the scheme and efficient processes are put in place, it can even help increase the productivity of IT teams. It is like a yearly MOT check for your car but for your cyber security, with re-certification every 12 months.
The rise of remote working necessitates regular checks on home devices. Ensure they are correctly integrated into your asset management systems to maintain a secure network across all work environments.
This is especially important if you rely on less automation or technical tooling. For example, manual patching is typically used by an SME with less expenditure on technology than an Enterprise organisation.
Check software firewalls or VPN configurations where the boundary of your network is transferred. If you are using asset management or patching tools, ensure they are reporting correctly by cross-checking to the devices themselves. In addition, ensure you have policies and procedures to support remote and home working which are regularly reviewed.
Cross-departmental collaboration is key to success. Engage the appropriate teams and keep senior management informed, as 86% report an improved understanding of cyber risks through Cyber Essentials, enabling better strategic oversight. The road to gaining your Cyber Essentials and/or Cyber Essentials Plus certification needs to involve the correct people or teams to avoid hindering the process. Provide clear internal communication on the testing that will be completed and what staff should expect. Ensure there is one main point of contact for the assessment who has the authority to assist, or that the relevant person with sufficient decision-making or device-level authority is involved.
By following these steps, your organisation can achieve Cyber Essentials Plus compliance, bolstering your security framework and positioning your business as a secure and competitive player in the digital marketplace.
Watch Elly's summary video below!