
What is in store for Cyber Essentials and Cyber Essentials Plus in 2025

Cyber Essentials and Cyber Essentials Plus are a vital security framework for the education sector, not only for ensuring that basic security measures are in place but also for meeting funding and contract requirements.

In today’s digital world, the education sector is increasingly reliant on technology for everything from administrative tasks to student learning. This reliance brings heightened risk, as colleges and universities have become prime targets for cybercriminals. Educational institutions handle vast amounts of sensitive data, including personal information about students and staff as well as financial details, which makes them attractive targets. This is where Cyber Essentials and Cyber Essentials Plus come in: a crucial tool to help educational organisations safeguard themselves against these evolving threats.

In this blog, we’ll explore what is around the corner for Cyber Essentials and Cyber Essentials Plus, how it can benefit the education sector, and how colleges and universities can prepare for certification.

What are Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a UK government-backed cybersecurity scheme designed to help organisations protect themselves from a wide variety of common cyber threats. While the basic Cyber Essentials certification involves a self-assessment, Cyber Essentials Plus requires an independent external assessment and verification, providing a higher level of assurance.

The certification focuses on five key areas of security:

1. Firewalls and Internet Gateways – Ensuring that firewalls are configured properly to protect networks from unauthorised access.

2. Secure Configuration – Guaranteeing that systems and devices are securely set up to reduce vulnerabilities.

3. Access Control – Managing user accounts and privileges to limit access to sensitive information.

4. Malware Protection – Installing effective anti-malware solutions to detect and prevent attacks.

5. Patch Management – Keeping software and hardware up to date to fix security weaknesses.

What is the new question set?

As technology and times change, so must the question set. We are currently on the Montpellier question set, which brought its own difficulties, such as the BYOD and MFA questions. The next question set will be called Willow and will be in effect from 28th April 2025. Members will be glad to know that the next iteration does not contain massive changes; it is more a set of updates than anything else.

What is new for the Cyber Essentials self-assessment?

While there have not been vast numbers of changes in the upcoming question set, passwordless authentication has now been added as an option. Passwordless authentication is becoming a key method that will one day remove the need for passwords. Options such as biometric authentication, security keys and one-time codes further enhance security by moving away from traditional passwords; Windows Hello for Business is one example. The NCSC has published useful information on this aspect.

The home workers question has been changed to cover remote workers: the scope now explicitly includes users working on untrusted networks, such as those in cafes or hotels, ensuring that remote workers are secured as well.

Where security updates are concerned, organisations must apply not only patches but also other vendor-provided vulnerability fixes, such as configuration changes, within 14 days of release. These ‘vulnerability fixes’ include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.

References to ‘plugins’ are being replaced by ‘extensions’. This change better captures the broad range of additional features these tools provide.

The new Willow question set is available for viewing. Do note that it does not come into effect until 28th April 2025.

A new requirements document is now ready to view for the Willow question set.

What is new for the Cyber Essentials Plus audit?

While the CE Plus audit has always been required to be the same scope as the CE self-assessment, this is now outlined as a requirement and verified by the assessor carrying out your audit.

When completing a Cyber Essentials self-assessment, it’s crucial that the defined scope is clear and accurate. If the scope doesn’t cover the whole organisation, it’s essential for the Assessor to verify that any sub-sets within the organisation are properly segregated. This ensures that the assessment applies to the relevant systems without risking security loopholes in unassessed areas.

Additionally, the Assessor must confirm that the sample size of devices being assessed has been calculated correctly. This process ensures that the sample accurately reflects the organisation’s network and security posture. These checks are critical to maintaining the integrity and effectiveness of the Cyber Essentials certification process.

A new test specification document has also been released in preparation for next year.

IASME has published a blog post covering these aspects in further detail.

Cyber Essentials Plus (CE+)

While Cyber Essentials helps organisations to establish a baseline level of cybersecurity, Cyber Essentials Plus goes a step further by requiring a hands-on technical review by a qualified assessor. This ensures that the recommended controls are not just in place but are actively functioning as intended.

CE+ must be achieved within 3 months of gaining your self-assessment. This timeframe includes a 30-day remediation window so that anything found during the audit can be remediated. This 30-day remediation window must fall within the 90-day requirement. For example, if you pass your self-assessment on 30/10/2024, you will have until 30/01/2025 to achieve CE+. If your CE+ audit is completed on 05/01/2025, you will only have 25 days to remediate anything found within the audit, such as patching vulnerabilities.
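A small calculator for that timeline, added here as an example and not part of the original post. It assumes that "3 months" means three calendar months (which matches the 30/10/2024 to 30/01/2025 dates above) and that remediation days are counted from the audit date; it shows how a late audit shortens the remediation window.

```python
import calendar
from datetime import date, timedelta

# From the post: 30-day remediation window after the CE+ audit.
REMEDIATION_WINDOW_DAYS = 30


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (e.g. 31 Jan + 1 month -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def ce_plus_deadline(self_assessment_pass: date) -> date:
    """CE+ must be achieved within 3 months of passing the self-assessment.
    Assumption: three calendar months, matching the post's worked example."""
    return add_months(self_assessment_pass, 3)


def remediation_deadline(self_assessment_pass: date, audit_date: date) -> tuple:
    """Return (deadline, days_available) for fixing audit findings.
    The 30-day window is truncated by the overall CE+ deadline."""
    overall = ce_plus_deadline(self_assessment_pass)
    if audit_date > overall:
        raise ValueError("audit date falls after the CE+ deadline")
    window_end = audit_date + timedelta(days=REMEDIATION_WINDOW_DAYS)
    deadline = min(window_end, overall)
    return deadline, (deadline - audit_date).days


def latest_audit_date_with_full_window(self_assessment_pass: date) -> date:
    """Latest audit date that still leaves the full 30 days for remediation."""
    return ce_plus_deadline(self_assessment_pass) - timedelta(days=REMEDIATION_WINDOW_DAYS)


if __name__ == "__main__":
    passed = date(2024, 10, 30)  # the post's example self-assessment date
    print("CE+ deadline:", ce_plus_deadline(passed))
    print("Audit 05/01/2025 ->", remediation_deadline(passed, date(2025, 1, 5)))
    print("Latest audit with full window:", latest_audit_date_with_full_window(passed))
```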

Achieving Cyber Essentials Plus certification requires thorough preparation and commitment. Here’s how educational institutions can get ready:

1. Conduct a Gap Analysis

Before applying for certification, you should perform an internal assessment to identify gaps in your current cybersecurity posture. This might involve reviewing existing policies, systems and technologies to ensure they align with the Cyber Essentials Plus requirements. Make use of your one-hour advice and guidance session to have your questions answered.

2. Implement the Cyber Essentials Controls

The five key areas of security—firewalls, secure configurations, access control, malware protection, and patch management—should be fully implemented. This may involve configuring firewalls to block unauthorised traffic, enforcing strong password policies, and regularly updating software across all systems and devices.

3. Test Security Measures

It’s crucial to test whether security controls are working as intended. This could include internal vulnerability scanning, penetration testing, and other forms of auditing to ensure that any weaknesses are identified and resolved before the external assessment.

4. Engage a Certification Body

As an accredited certification body, Jisc can carry out the Cyber Essentials Plus assessment as well as the self-assessment. Engaging a reputable body at the start of the certification process ensures you are adequately prepared.

5. Staff Training and Awareness

Make everyone aware of their part in helping you achieve certification. CE+ requires initial preparation to ensure devices are selected in advance of the audit, which also gives you time to make sure the right people are available for the assessor to audit those devices. If the audit has been well prepared, it should be plain sailing from that point onwards.

6. Maintain Ongoing Compliance

Achieving Cyber Essentials Plus is not a one-time event. Cyber threats are constantly evolving, and you must regularly review and update your security policies and procedures to stay compliant and protect your networks long-term.

Conclusion

For the education sector, Cyber Essentials and Cyber Essentials Plus are not just certifications but a vital component of a robust cybersecurity strategy. With the increasing digitalisation of learning environments and the growing risk of cyberattacks, colleges and universities must take proactive steps to secure their data and networks.

By investing in Cyber Essentials and Plus, educational institutions can protect sensitive information, ensure regulatory compliance, and foster a culture of cybersecurity awareness. In an age where data breaches are on the rise, this certification provides peace of mind, knowing that your institution has taken the necessary steps to mitigate cyber risks and safeguard its future.

Investing in cybersecurity isn’t just about compliance—it’s about ensuring the safety and success of the educational mission. Cyber Essentials and Plus provides a structured, trusted framework to help institutions achieve that goal.
