Changes to the Cyber Essentials Scheme 2022

Changes to the Cyber Essentials Scheme 2022

Written by James Tucker, Senior Digital Forensics Practitioner & Cyber Essentials Assessor at Arcanum

Major changes will be made to the Cyber Essentials scheme on January 24th 2022. The changes include updated pricing, a new Cyber Essentials question set and new tests for Cyber Essentials Plus assessments.


Going forward, the cost for a Cyber Essentials assessment will be dependent on the size of your business:


Cyber Essentials

Cloud services:

  • All cloud services will now be in scope of the assessment.
  • From January 2022, all cloud service administrator accounts will need to be protected by multi factor authentication.
  • From 2023 all cloud service user accounts will also need to be protected by multi factor authentication.

Home working:

  • Anyone working from home for any amount of time will now be classed as ‘home working’, Devices used by an individual to access company data, whether company provided, or BYOD will be covered by the assessment.
  • Routers provided by internet service providers are no longer in scope of Cyber Essentials. Though if networking devices are provided by the business this will be in scope.

Account separation:

  • Administration accounts should not be used to carry out day-to-day web browsing or email activities.

Password and multifactor authentication

Password usage should be supported by one of the following:

  • Multifactor authentication.
  • Throttling the rate of unsuccessful attempts.
  • Locking account after no more than 10 unsuccessful attempts.

Updates to definitions

To assist applicants, the definitions of ‘sub-set’ and ‘licensed and supported’ have been clarified.

  • “A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN. A sub-set can be used to define what is in scope or what is out of scope of Cyber Essentials.”
  • “Licensed and supported software is software that you have a legal right to use and that a vendor has committed to support by providing regular patches or updates. The vendor must provide the future date when they will stop providing updates. The vendor does not have to be the original creator of the software, but they must have the ability to modify the original software to create updates.”


Cyber Essentials Plus

The following changes apply to Cyber Essentials Plus assessments.

For Cyber Essentials Plus testing taking place on the new question set, there will be two new tests:

  • Test to confirm account separation between user and administration accounts.
  • Test to confirm MFA is required for access to cloud services.

For vulnerability scan results, all issues with a CVSSv3 score of 7.0 or higher will need to be remediated to pass the assessment.

Arcanum can support you in reaching your cyber essentials certification. Get in contact with us if you’d like to discuss this further with one of our team:
02922 784452

IASME’s blog on the changes can be found here

The up-to-date requirements for infrastructure and question set can be found here