Forensic Control

Cyber Essentials changes – a guide

An ever-changing digital landscape, wide-spread use of cloud services and a move to home and hybrid working is behind the biggest update to Cyber Essentials since its launch in 2014.




An ever-changing digital landscape, wide-spread use of cloud services and a move to home and hybrid working is behind the biggest update to Cyber Essentials since its launch in 2014.

With a new question set, comes a new version name; this will be known as the Evendine question set.

The changes will take effect for all applicants from 24th January 2022. To help you understand what these changes may mean for you, we provide an outline of the major changes below.

Homeworker? Your router isn’t in scope unless provided by the applicant company

Home routers provided by ISPs or by the homeworker are out of scope. The Cyber Essentials firewall controls are transferred to the home worker’s device (laptop, tablet and/or phone).

Routers supplied by the applicant company *are* in scope and must have the Cyber Essentials controls applied to them. The use of a corporate (single tunnel) VPN transfers the boundary to the corporate firewall/virtual cloud firewall

All Cloud services are in scope. Multi-factor authentication must be used to access these

Use of MFA to access any cloud service is a requirement for administrator accounts from January 2022, and for *all* accounts from January 2023

This covers Software as a Service, Infrastructure as a Service, and Platform as a Service (SaaS, IaaS and PaaS). Examples of these include:

  • SaaS – Microsoft 365, Google Workspace, Dropbox, HubSpot
  • IaaS – Servers (Windows or Linux) hosted in Microsoft Azure or AWS EC2
  • PaaS – AWS Lamda, Google App Engine

New password requirements, and protections against brute-force attacks

At least one of the following protections should be used to protect against brute-force password guessing:

  • Use of multi-factor authentication
  • Throttling the rate of unsuccessful or guessed attempts.
  • Locking accounts after no more than 10 unsuccessful attempts.

Technical controls are to be used to manage the quality of passwords. This includes one of the following:

  • Using multi-factor authentication in conjunction with a password of at least 8 characters, with no maximum length restrictions.
  • A minimum password length of at least 12 characters, with no maximum length restrictions.
  • A minimum password length of at least 8 characters, with no maximum length restrictions and use automatic blocking of common passwords using a deny list

It is now recommended that three random words are used to create a password that is long, difficult to guess and unique.

The scope of an organisation must include end-user devices

If an organisation certifies their server systems only, they ignore the threats that come from their administrators who administered those server systems. The change to this requirement closes the loophole where organisations were able to certify their company without including any end user devices. Cyber Essentials must now include end point devices.

Thin clients are in scope

A thin client is a ‘dumb terminal’ that gives you access to a remote desktop. It doesn’t hold much data, but it can connect to the internet. Thin Clients need to be supported and receiving security updates – this is a recommendation at present, becoming a requirement from January 2023.

All high & critical updates must be applied within 14 days

All software in scope must be updated within 14 days of an update being released, where:

  • The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high risk’
  • The update addresses vulnerabilities with a CVSS v3 score of 7 or above
  • There are no details of the level of vulnerabilities the update fixes provide by the vendor

Guidance on backing up

Backing up your data is not a requirement of Cyber Essentials, however there is now guidance on backing up important data and implementing an appropriate backup solution is highly recommended. In our opinion it is not only highly recommended, it is absolutely vital.

Cyber Essentials Plus changes – two additional tests

Cyber Essentials Plus assessors will now also check for the following;

  • Test to confirm account separation between user and administration accounts
  • Test to confirm MFA is required for access to cloud services.

Related content

As computer forensics experts we are bound to abide by the ACPO Principles of Digital Based Evidence, ACPO being the Association of Chief Police Officers. ACPO provides a set of Guidelines for Computer Based Evidence, and they come with a suite of four essential principles. Here they are.
Computer forensics, sometimes known as digital forensics, is undertaken by trained examiners who pull data (search histories, purchase records, time logs and more) from devices including, but not limited to: computers, tablets, and smartphones.


Sign up here if you wish to receive updates and news from Forensic Control by email. We will not send you anything else and you may end the subscription at any time.

By providing your email address, you agree to receive marketing
messages as per our Privacy Policy