As of 24 January 2022, software updates need to be applied within 14 days of release, where the update fixes address vulnerabilities described by the vendor as ‘critical’ or ‘high risk’ or where no level of vulnerabilities is provided by the vendor, or where the fixes address vulnerabilities with a CVSS v3 score of 7 or above.
For password-based authentication in Internet-facing services, you must:
- Protect against brute-force password guessing by using at least one of the following methods:
- Lock accounts after no more than 10 unsuccessful attempts
- Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
- What is the required Cyber Essentials password policy?
- Set a minimum password length of at least 8 characters and use automatic blocking of common passwords via a deny list
- Set a minimum password length of at least 12 characters
- Use multi-factor authentication
- Not set a maximum password length
- Change passwords promptly when you know or suspect that you have been compromised
- Implement a password policy that tells users:
- How to avoid choosing obvious passwords (such as those based on easily discoverable information like the name of a favourite pet)
- Not to choose common passwords — this could be implemented by technical means, using a password deny list
- Not to use the same password anywhere else, at work or at home
- Where and how they may record passwords to store and retrieve them securely (for example, in a sealed envelope in a secure cupboard), whether they may use password management software, which software, and how to use it
- Which passwords they must memorise.
You are NOT required to:
- Enforce regular password expiry for any account (we actually advise against this)
- Enforce password complexity requirements.
I would like to thank URM’s assessor for such a pleasurable experience of going through an assessment! He made the whole experience pain free, clear, and transparent, and enjoyable. Also grateful for the expert guidance our URM Account Manager provided to us.
Digital solutions provider
Get practical guidance on preventing common cyber-attacks
Get practical guidance on how to prepare for and achieve Cyber Essentials and Cyber Essentials Plus certification, and protect your organisation against these attacks.
Find out more
related BLog
Cyber Essentials Questions Answered: Technical Requirements, BYOD Compliance and the Future of the Scheme
Published on
3 Sep
2025
URM’s blog answers key questions about CE, focusing specifically on its technical requirements, use of BYOD, and how the scheme may change in the future.
Read more
Cyber Security
Published on
29/8/2025
Cyber Essentials: Improving Your Cyber Security as an SMEURM’s blog discusses the significant cyber security risks faced by small & medium-sized enterprises (SMEs), and how Cyber Essentials certification can help.
Read more
Cyber Security
Published on
29/8/2025
Supplementing Cyber EssentialsURM’s blog outlines the practical measures you can take following Cyber Essentials certification to further enhance your information & cyber security posture.
Read more
Cyber Security
Published on
22/8/2025
Understanding Defence Cyber Certification (DCC)URM’s blog explains what DCC is, how compliance with the scheme and the process to certification work, and the benefits to obtaining certification.
Read more
"
I just wanted to write to you to express my sincere appreciation for the outstanding work from URM’s assessor during the audit process. He demonstrated a fantastic level of knowledge and understanding, truly going above and beyond with the work that he performed, providing guidance in a communicative and enjoyable manner. It was a delight to work with him and I would be very excited to do the same again next year in our Cyber Essentials audit.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.