Cyber Essentials Update 2022 

 |  Nurah

The aim of this blog post is to give you a summary of the important changes to the Cyber Essentials Scheme. 

What is Cyber Essentials? 

Cyber Essentials is a government-backed scheme that was created to help organisations demonstrate they have the appropriate security in place. Achieving the standard helps organisations demonstrate they are taking the necessary steps to protect themselves from cyber security attacks and to keep customer data safe. Once these risks are identified and managed, the organisation will be awarded the Cyber Essentials certificate.

Why are changes occurring to Cyber Essentials? 

Over the past two years, the adoption of cloud services has increased massively due to the pandemic, and home/hybrid working has become the new norm for many people and organisations nationwide. Because employees are using their own devices and Internet routers for work purposes, these changes have significantly widened the risk landscape, giving cybercriminals additional opportunities to exploit. Cyber Essentials will therefore now take these into consideration during the assessment process.

What changes occurred to Cyber Essentials? 

Cloud services: 

Cloud services are now fully integrated into the scheme. If an organisation’s data or services are hosted in the cloud, they are subject to Cyber Essentials, and the organisation is responsible for ensuring the right controls are implemented.  

There are three different types of cloud services: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Who implements the controls will differ based on the design of the cloud service used.

Home Working: 

Any devices used by remote workers to gain access to organisational information, whether they are owned by the organisation or not, are now covered by Cyber Essentials. 

  • BYOD home working devices are in scope.
  • ISP-supplied home routers are out of scope.
  • By default, home users will rely on the software firewall.
  • A router supplied by the applicant’s company for use at home is in scope.
  • The use of a corporate VPN transfers the boundary to the corporate firewall.

Passwords and multi-factor authentication: 

Due to the rise of attacks on cloud services, multi-factor authentication (MFA) must now be used to provide additional security when connecting to cloud services. MFA requires users to provide several credentials before being able to access an account.

There are four types of additional factors that may be considered: 

  • A managed/enterprise device
  • An app on a trusted device
  • A physically separate token
  • A known or trusted account

Software updates:

All software on in-scope devices must be: 

  • Licensed and supported.
  • Removed from devices when it becomes unsupported.
  • Configured with automatic updates enabled, where possible.
  • Updated within 14 days of an update being released.


  • All smartphones and tablets connecting to organisational data and services are confirmed in scope when connecting to business networks or mobile Internet such as 4G and 5G.  
  • Biometrics or a minimum password/PIN length of 6 characters must be used to unlock a device.  
  • The scope of an organisation must also include end-user devices. 
