Cloud Technology & IT Security Specialists Ask a question 01223 921 000 Client Area

The New Cyber Essentials Changes

The new Cyber Essentials changes were introduced at the end of January 2022. This article reveals what the changes are and what you should be doing as a business to remain protected. We mention the main aspects of the certification as well as price changes and other aspects you need to be aware of.

What Is Cyber Essentials?

Cyber Essentials is a scheme backed by the UK government to encourage organisations to adopt good practice with regards to online security. The certification you receive once various checks on your company have been made, shows you have implemented industry regognised practices and tools. In turn, this shows customers and authorities that you have implemented various methods to keep your business and its data secure. There is Cyber Essentials and a Cyber Essentials Plus option, which we have covered in detail in a previous blog.

Why Is Cyber Essentials Changing?

The National Cyber Security Centre (NCSC) who are backed by the UK government have not issued many significant changes since the scheme started in 2014. Essentially what they are doing is adapting to the way people work. The work environment has changed very much from 2014 to 2022 and even more so from 2020 – 2022. Therefore, these changes reflect this. The digital world has changed greatly and the increase of cloud services since 2014 has grown, plus with many working from home. These all cause potentially new threats and thus changes have been made to uplift current practices and procedures.   

What Are The New Cyber Essentials Changes?

The five pillars of the certification will remain the same, but there are some updated specifications. The 5 main technical controls to Cyber Essentials are:

  • Boundary firewalls and internet gateway
  • Secure configuration
  • Access control
  • Malware protection
  • Patch management

The updated additions to Cyber Essentials are listed below.

Home Working Devices

Now any home-based device that an employee uses for work will fall within the sphere of Cyber Essentials, whereas previously it wasn’t. The result is that an employee’s firewall settings on any device that they use must comply with the new Cyber Essentials guidelines to gain a new certification. At Cambridge Support we feel this is a wise move as many now work from home and home networks generally have less protection that business networks. This will further help the UK be protected from cyber-attacks, especially as many attacks come from other countries, like Russia.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is now a requirement with the new Cyber Essentials changes. MFA is a method that asks a user to provide two or more verification aspects to gain login access. This could be an application, an online account or a VPN. This is now expected to be followed under the new changes.

Cloud Services

Cloud services are almost used by every company in the UK and they have grown in popularity in recent years. Cyber-attacks on companies increased by 50% in 2020 and 2021. Therefore, this is more reason for added protection, especially in cloud-based services. Cloud services were not previously part of the accreditation, but now they are. User access control and secure configuration are part of new measures.


Previously there were only two prices, one for Cyber Essentials and another for Cyber Essentials Plus. This is now changing to be priced in accordance with the organisation size, meaning a Cyber Essentials certificate will increase in cost for larger businesses.  The move to the tiered model is shown below with guidance on the new standard Cyber Essentials certificates.

  • Micro organisations of 0-9 employees = from £300 per certificate (plus VAT)
  • Small organisations of 10-49 employees = from £400 per certificate (plus VAT)
  • Medium organisations of 50-249 employees = from £450 per certificate (plus VAT)
  • Large organisations of 249+ employees = from £500 per certificate (plus VAT)

Software Updates

Previously companies could choose whether they apply new updates to their software or not. However, this has now changed. As of 24th January 2022, all updates whether high or critical risk need to be installed within 14 days from when the update was released. Also, any software that is installed on in-scope devices need to meet the follow criteria.

  • Fully licensed & supported by the developer (for example, Microsoft)
  • Removed from any device that is no longer in scope
  • Ensure that automatic updates are enabled
  • Have any high or critical update installed within the first 14 days of its release date

How Cambridge Support Can Help

Cambridge Support are always just a ring away. We can help guide you through your specific security risks with Cyber Essentials. Our experts can assess your current IT systems and provide detailed solutions and helpful reporting. We have great experience in many security focused services. These not only include offering Cyber Essentials, but also include security audits, Microsoft 365 audits, penetration testing, and more.

If you have any questions regarding Cyber Essentials, our Service Delivery Managers Adam & Amy will be happy to help. Please contact us on 01223 921 000. Cambridge Support is open from 7am – 7pm Monday to Friday. Alternatively, you can email us at