The UK Cyber Essentials Scheme continues to develop in terms of its content and its uptake. Certainly for a small to medium-sized business there isn't a better option available in the UK to show that cybersecurity is being taken seriously, and that the basic controls are in place to protect customer data.
What’s New in the April 2026 Release
For 2026, IASME has issued a new question set called “Danzell” (the previous set was called “Willow”), which is used for certifications from 28th April. There is also a new version of the accompanying “NCSC Requirements for Infrastructure” document, which is now at Version 3.3. According to this document there are six changes: two definition amendments and four clarifications to the scheme.
The changes are as follows:
“Cloud service” now has its own definition, basically as a hosted service accessed via the Internet.
The definition for “Passwordless authentication” now includes a reference to FIDO2, which is an authentication standard used by various types of devices such as phones, laptops and security keys.
An even clearer statement that cloud services must be included in the scope of an assessment has been added, with a clarification that this means they cannot be excluded.
A reference to the NCSC’s Software Security Code of Practice has been added. This sets out a total of fourteen principles across four themes concerned with the software development process. Previously the OWASP standards were referenced.
References to “untrusted connections” have been removed from the Scope section.
Guidance about backing up your data has been moved from a “Further Guidance” section at the end to a more prominent place in the document, although the guidance is basically the same.
These are very much tweaks, and the structure and essence of the standard remain as before.
What's New in the CertiKit Toolkit
In toolkit terms, although the update to the standard is relatively minor, we have taken the opportunity to perform a general review of the documents included, updating them where appropriate, for example to reflect the recent UK Data (Use and Access) Act of 2025. We have added more definition around privileged access by adding a new process document, and made changes to the supporting spreadsheet.