Cyber Essentials update raises bar on visibility gaps
ThreatAware has warned organisations to close cybersecurity visibility gaps ahead of changes to the UK's Cyber Essentials scheme. The updated version introduces stricter checks for certification.
The revised standard adds two automatic failure conditions and raises the bar for proving that key controls are in place across full IT environments. The five technical controls at the heart of Cyber Essentials remain unchanged, but the assessment process will place greater weight on whether those controls are consistently enforced in practice.
Under the changes, any cloud service that supports multi-factor authentication must have it enabled. A single account without MFA would trigger an automatic failure.
Another change shortens the window for fixing critical and high-risk vulnerabilities. Organisations will need to remediate those issues within 14 days across endpoints, applications and network infrastructure.
Scrutiny during assessments is also set to increase. If sample testing identifies failures, organisations will need to fix the same issues across the whole environment before they can be reassessed.
Stricter checks
IASME has published the update, which is backed by the National Cyber Security Centre. For many UK organisations, Cyber Essentials certification remains a basic requirement for working with government departments and parts of the wider supply chain, and it is often linked to cyber insurance conditions.
That makes the practical effect of the revised rules significant for companies that rely on certification to win or retain contracts. The changes shift the focus from written policy to proof that controls are active across all users, devices and systems.
Common weak points include misconfigured conditional access policies, unmanaged or guest accounts, devices outside patching windows, and unsanctioned software-as-a-service use. Under the updated framework, any one of those gaps could be enough to prevent certification.
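As an added illustration (not code from the article, from IASME or from ThreatAware), the following Python check applies the two automatic-failure conditions described above to a constructed inventory: accounts on MFA-capable cloud services where MFA is not enforced, and devices with critical or high findings open beyond the 14-day window. It also lists devices outside central management, since their patch state cannot be evidenced. The inventory layout, names and dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14  # v3.3 remediation window for critical/high findings

@dataclass
class Account:
    name: str
    service_supports_mfa: bool  # the cloud service offers MFA
    mfa_enabled: bool           # MFA actually enforced on this account

@dataclass
class Device:
    hostname: str
    managed: bool  # under central management, so patch state can be evidenced
    open_high_findings: list = field(default_factory=list)  # (finding_id, first_seen)

def mfa_failures(accounts):
    """Accounts on an MFA-capable service with MFA off: automatic failure."""
    return [a.name for a in accounts if a.service_supports_mfa and not a.mfa_enabled]

def patch_failures(devices, today):
    """(hostname, finding_id) where a critical/high finding is open beyond 14 days."""
    return [(d.hostname, fid) for d in devices
            for fid, first_seen in d.open_high_findings
            if (today - first_seen).days > PATCH_WINDOW_DAYS]

def unmanaged_devices(devices):
    """Devices outside central management cannot be evidenced at all."""
    return [d.hostname for d in devices if not d.managed]

def assess(accounts, devices, today):
    """Collect blocking gaps; 'pass' is True only when every list is empty."""
    gaps = {"mfa": mfa_failures(accounts),
            "patch": patch_failures(devices, today),
            "unmanaged": unmanaged_devices(devices)}
    gaps["pass"] = not any(gaps.values())
    return gaps

# Constructed sample inventory (hypothetical names and dates, not real data).
TODAY = date(2025, 6, 30)
ACCOUNTS = [Account("alice", True, True),
            Account("guest-contractor", True, False),  # MFA offered but not enforced
            Account("svc-legacy", False, False)]       # service has no MFA option
DEVICES = [Device("LAPTOP-01", True, [("F-001", date(2025, 6, 20))]),  # 10 days: ok
           Device("LAPTOP-02", True, [("F-002", date(2025, 6, 10))]),  # 20 days: fail
           Device("BYOD-TABLET", False)]                               # unmanaged

if __name__ == "__main__":
    print(assess(ACCOUNTS, DEVICES, TODAY))
```

A real run would feed the same functions from the identity provider and endpoint management exports rather than the embedded sample, and the output is the list an assessor would expect to see closed before resubmission.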
Jon Tamplin, Head of Cybersecurity at ThreatAware, said: "These updates reinforce a fundamental cornerstone of cybersecurity: when organisations get the basics right, they prevent the vast majority of attacks. And it starts with one essential principle - visibility.
"Visibility isn't a nice-to-have; it's the foundation of effective security. Think about this from the attacker's perspective: they're looking for the easiest path. A high-risk account where MFA isn't enforced can quickly lead to a compromised device."
Proof required
The emphasis on evidence reflects a broader trend in cyber compliance, with auditors and certification bodies increasingly wanting to see operational controls rather than policy statements. In practice, that means security teams must be able to account for every relevant device and user account, including those outside standard management processes.
For larger organisations, that can be difficult when estates include a mix of on-premises systems, cloud applications, third-party tools and temporary accounts. Guest users, shadow IT and assets outside central management often create the blind spots that compliance frameworks are now trying to eliminate.
Tamplin said: "If security leaders can't identify where these gaps are, they're effectively working with one hand tied behind their back. Teams are doing their best, but it only takes one device without the right security controls to expose an entire network.
"If you can't see every device and every account, you can't prove the controls are working. Under v3.3, proof is exactly what's required, and it only takes one device outside the patch window or one account without MFA enforced to fail an assessment.
"The message behind the Cyber Essentials updates is simple: get the fundamentals right. Those fundamentals haven't changed, but expectations have. Organisations should not only have core controls in place, from patching to EDR and MFA, but also be able to prove they are applying them across every account and every device, all the time, to meet the 'Five Controls'."
The revised requirements apply immediately to new certification accounts created under the updated scheme, while organisations with existing accounts have a six-month transition period to certify under the previous standard. That phased approach gives some businesses extra time, but it also creates a near-term decision for organisations that need certification for procurement, supplier assurance or insurance purposes.
ThreatAware, founded in 2018, works with more than 100 organisations across the UK, US and Canada.