Version 3.2 of the NCSC’s Cyber Essentials standard (IASME codename Willow) will go live from 28-April-2025. This version sees improved question wording and links to additional guidance. An important technical update is the acceptance of passwordless authentication. Check out the NCSC’s Cyber Essentials v3.2 requirements document here.
Whilst the scope of Cyber Essentials Plus is exactly the same as that of Cyber Essentials, CE+ testing sees some interesting changes:
- The scope of the CE assessment must be verified by the Assessor.
- When the scope is not ‘whole organisation’, the Assessor must verify that any sub-sets have been segregated correctly.
- The Assessor must verify that the device sample size has been calculated correctly using the method determined by IASME.
- Instead of referring to ‘patches’, the new term is ‘Vulnerability Fixes’, which includes patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
The NCSC’s updated Cyber Essentials Plus Test Specification can be found here.