Attention all UK organisations! Are you ready for some Cyber Essential updates? 

In April 2023, the NCSC and IASME are updating the technical requirements for Cyber Essentials, The ‘Montpellier’ question set will replace Evendine! That's right, it's time to update your cybersecurity game and guard against the most common cyber threats.

Last year, the scheme underwent a major update, but this year's update is going to be “lighter,” don't let that fool you, it's still going to pack a punch. We're talking clarifications, important new guidance, and much more. Some of the key updates include:

User devices:

Say goodbye to the tedious task of listing every single device model! Now, only the make and operating system of user devices need to be listed. This means less hassle for applicants and a smoother application process.


Keeping firmware up to date can be a headache, but fear not! The new update clarifies that only router and firewall firmware need to be kept up-to-date and supported—no more confusion about which firmware needs updating.

Third-party devices:

Third-party devices can now be included in the certification process without breaking a sweat. A new table has been added to provide clear guidance on including these devices.

Device unlocking: 

Are you sick of struggling with device settings that can't be changed? Well, you're in luck! If the default settings on a device can't be changed, it's now acceptable to use those settings. More flexibility for applicants and easier compliance with requirements.

Malware protection: 

Anti-malware software just got a whole lot simpler. The new update clarifies which mechanism is suitable for different types of devices and eliminates the need for signature-based software. Say goodbye to sandboxing as an option, too.

Other Updates to note:
  • The definition of ‘software’ has been updated to clarify where firmware is in scope.
  • Asset management is essential in Cyber Essentials (see what we did there) and it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision-making when you need it.
  • The use of unsupported software is not allowed unless there are mitigating controls in place.
  • Multi-factor authentication (MFA) is required for all remote access services and administrative accounts.
  • The use of encryption is required for data at rest on removable media and portable devices.

That's not all! 

The update includes new guidance on achieving Cyber Essentials certification using a zero-trust architecture and highlights the importance of asset management.

The document itself has undergone some changes, too. Several language and format changes have been made to make it easier to read and understand. Plus, the technical controls have been reordered to align with the updated self-assessment question set.

Last but not least, the CE+ Illustrative Test Specification document has been updated to align with the new requirements. The refreshed set of Malware Protection tests makes life easier for both applicants and assessors.

All of these changes were made based on feedback from assessors and applicants and in consultation with technical experts from the NCSC. But that's not all. IASME is providing even more guidance to help you during the certification process, including articles to help you understand the questions and access a dedicated knowledge base.

The update will take effect from 24 April 2023, so get ready to level up your cybersecurity game. 

For more information, check out FAQs. Let's do this!