What are the Cyber Essentials Plus patching requirements?

As of 24 January 2022, software updates need to be applied within 14 days of release, where the update fixes address vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ or where no level of vulnerabilities is provided by the vendor, or where the fixes address vulnerabilities with a CVSS v3 score of 7 or above.

For password-based authentication in Internet-facing services, you must:

  • Protect against brute-force password guessing by using at least one of the following methods:
    • Lock accounts after no more than 10 unsuccessful attempts
    • Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
  • What is the required Cyber Essentials password policy?
  • Set a minimum password length of at least 8 characters and use automatic blocking of common passwords via a deny list
  • Set a minimum password length of at least 12 characters
  • Use multi-factor authentication
  • Not set a maximum password length
  • Change passwords promptly when you know or suspect that you have been compromised
  • Implement a password policy that tells users:
    • How to avoid choosing obvious passwords (such as those based on easily discoverable information like the name of a favourite pet)
    • Not to choose common passwords — this could be implemented by technical means, using a password deny list
    • Not to use the same password anywhere else, at work or at home
    • Where and how they may record passwords to store and retrieve them securely (for example, in a sealed envelope in a secure cupboard), whether they may use password management software, which software, and how to use it
    • Which passwords they must memorise.

You are NOT required to:

  • Enforce regular password expiry for any account (we actually advise against this)
  • Enforce password complexity requirements.
Cyber security has never been higher on our agenda. We’re very pleased to have gained our Cyber Essentials Plus Certification. We are committed to providing the most secure and robust solutions to our customers and partners. This certification helps to demonstrate this commitment – through independent vulnerability testing and to test the awareness of information security across our teams. We’re very pleased with the support and expertise provided by URM.
Speech recognition software provider
Apply for Cyber Essentials certificationApply for Cyber Essentials Plus

Lexcel: Deconstructing Your Information Management and Security Policy

Published on
16 Jun
2025

URM explains each control law firms must include in an information management and security policy that complies with the Lexcel Practice Management Standard.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
6/6/2025
Understanding Lexcel and the Specialist Quality Mark (SQM): How Cyber Essentials Can Benefit Your Practice

URM’s blog explores how Cyber Essentials can help your legal practice enhance its security posture and achieve/maintain its SQM or Lexcel accreditation.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
28/5/2025
Complying with Cyber Essentials and Cyber Essentials Plus

URM’s blog answers key technical questions about Cyber Essentials and Cyber Essentials Plus, what’s in scope, CE compliant use of BYOD, and more.

Read more
Thumbnail of the Blog Illustration
Cyber Security
Published on
12/5/2025
Mitigating Cyber Risks: Why Cyber Essentials Matters More Than Ever

URM’s blog highlights the growing threat to cyber security in the UK and the importance of the Cyber Essentials scheme in mitigating these risks.

Read more
"
We are delighted to partner with URM Consulting on a wide range of information and cyber security projects and service solutions. Working with URM Consulting has proved to be extremely successful, with them consulting / advising clients and then utilising our SMART Services. These are specifically aimed at supporting organisations to achieve Detection, Compliance & Response (DCR) to support Digital Transformation outcomes. In addition, we have achieved Cyber Essentials certification with URM and are now partnering on ISO 27001 and Cyber Essentials Plus projects. We have been impressed by the breadth of URM’s governance, risk, compliance and technical expertise along with their holistic, pragmatic and tailored advice.
Specialised Managed Service Partner
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.