Cyber Essentials

What is changing with Cyber Essentials?

Cyber Essentials is getting stricter in several important areas. Here is what firms need to know and what it means in practice.

The changes
6 things that are tightening up
1. MFA is now non-negotiable
If your firm uses a cloud service that offers multi-factor authentication, you must have it switched on. That includes services where MFA is a paid add-on. If you do not have MFA in place where it is available, you will automatically fail.
Automatic fail if MFA is not enabled
2. Critical security updates must be installed within 14 days
If high-risk or critical updates are released, they must be installed within 14 days. This applies to:
  • Operating systems
  • Applications
  • Router firmware
  • Firewall firmware
Missing updates can now cause an automatic fail
3. You need to be clearer about what is covered
Firms will need to define their Cyber Essentials scope more clearly. That means:
  • Stating which legal entities are included
  • Explaining what is excluded and why
  • Being clearer about the systems and services covered
Cloud services storing your data cannot be left out of scope
4. Certification is based on the date the certificate is issued
Cyber Essentials is a point-in-time certification, and IASME is making it clearer that this means the date your certificate is issued. Your systems must still be supported and compliant at that point.
5. Directors are effectively signing up to maintain standards all year
The declaration signed during the assessment will now make it clearer that the business is expected to keep meeting the controls throughout the certification period - not just on the day the form is completed.
6. Cyber Essentials Plus is being tightened up too
For Cyber Essentials Plus, assessors will do more to check that firms have fixed issues across the full environment, not just on the small sample of devices tested. Firms will also not be allowed to change their self-assessment answers after the Plus testing has started.
What this means for your firm

Getting the basics right every day

For most SME law firms, these changes are really about treating Cyber Essentials as an ongoing standard rather than a once-a-year exercise. Here are the practical takeaways.

  • Make sure MFA is switched on across Microsoft 365 and any other cloud systems your firm uses
  • Have a reliable process for installing critical updates within 14 days of release
  • Know exactly which users, devices, offices and cloud services are in scope for your certification
  • Avoid leaving old or unsupported systems in place - these will now cause problems at assessment
  • Treat Cyber Essentials as an ongoing standard, not a once-a-year form-filling exercise