A Plain English Guide to Cyber Essentials Plus V3.3

Quick summary
- Cyber Essentials Plus V3.3 removes the “fix it during the audit” safety net. If a control is missing on assessment day, you fail.
- Multi-factor authentication must protect every cloud service, and high-risk vulnerabilities must be patched within fourteen days.
- The scheme has widened to cover hybrid working, identity, modern device fleets and third-party SaaS.
- Incorporating Cyber Essentials into an ongoing strategy turns the certificate into a by-product, not a task.
The Evolution of Cyber Essentials Plus
Cyber Essentials began in 2014 as a clear, government-backed way to prove five security basics: protect devices, secure configuration, control access, keep systems updated and reduce exposure to malware.
The Cyber Essentials badge acts as a seal of approval, and demand for it is increasingly driven by customers. With Zero Trust being the benchmark in the cyber security landscape, customers now want verification that their suppliers, contractors and partners are not just diligent but can prove it.
In the latest update (V3.3), the principles remain the same, but with AI, cloud services, remote work and a surge in cyber-attacks, the world we live in now makes 2014 look like ancient history.
To stay relevant, the industry standard must follow real-world risk, which is why Cyber Essentials Plus has been updated roughly every year since launch. V3.3, nicknamed Danzell, is simply the latest, and strictest, step in that journey.
V3.3 Changes: At a Glance
Historically, businesses would prepare for Cyber Essentials Plus, review their environment and enter the assessment expecting to meet the requirements.
There was a level of reassurance that if something unexpected appeared (a missed update, a configuration issue, or a device that needed attention), there was often an opportunity to remediate and re-test.
That safety net has now gone!
Cyber Essentials Plus is increasingly becoming exactly what it was designed to be: a validation that your cyber controls are already implemented and working, not a final stage of remediation.
Examples of this stricter expectation from Cyber Essentials Plus include:
- Cloud infrastructure, storage and SaaS. Strict access controls, audit-friendly records, tools to prevent unauthorised access and assigned management roles are all expected.
- MFA for every user. Single-password sign-ons are an automatic failure. MFA and passkeys (where available) are the new norm.
- Shared user credentials are out. Every login must have a digital user trail, reporting who accessed a service and which actions they took.
- Users should authenticate using their own accounts, with appropriate access permissions, MFA controls and monitoring in place.
- High or critical vulnerabilities have a fourteen-day patch window. The rule existed before, but it now triggers an instant failure instead of a warning.
- Live evidence is required. Screenshots, logs and test results must exist alongside policy documents and statements.
None of these ideas are new, yet the bar has lifted from a list of improvements to a hard pass / fail.
V3.3 Plugs the Digital Gaps
Most organisations own the right tools: firewalls, device protection, Microsoft security capabilities, identity controls, backup solutions, monitoring tools and more.
But technology alone does not guarantee security. Security gaps often appear when those tools are not fully configured, consistently monitored, updated and maintained.
The challenge is knowing those controls are working across the entire business, not just assuming they are.
Trustco’s engineers see this a lot. Examples of the blind spots we see from supporting our customers include:
- Devices that are still active but are not properly managed or reporting correctly
- Old user, test or supplier accounts that still have access but are not being reviewed
- Cloud applications being used without appropriate visibility or controls
- Security updates that fail or are missed because there is no clear view of compliance
Individually, each of these seems minor, but if exploited, they can lead to a major incident.
Cyber Essentials V3.3 continues the move towards evidence and accountability.
Visibility and Responsibility
A modern IT estate changes hourly. New employees arrive, contractors depart, data moves across the cloud and SaaS apps multiply. If you cannot see every asset, you cannot prove it meets the controls. When thinking about meeting the new Cyber Essentials Plus standards, ask yourself questions such as these:
- Do you know who has access to your cloud services?
- Is that access still required?
- Is access secured with MFA?
- How are administrator privileges controlled, reviewed and monitored?
- Can you demonstrate security updates are being identified, deployed and successfully applied?
- Do you understand which systems and services your organisation relies on?
- Who has access to them?
- What plan do you have if these systems are compromised?
- How do you monitor and report on all of the above?
Answering these in a Cyber Essentials-friendly manner relies on unified reporting, with multiple data sources pulled into a single system, not spreadsheets and emails.
Continuous discovery, live vulnerability data and real-time identity analytics bring the answers together, every day, not just audit day.
Think “Everyday Security” not “Audit Deadline Day”
Customers, insurers and regulators all want evidence that controls run 365 days a year. Waiting for the auditor to highlight gaps, then racing to patch, no longer satisfies them. We encourage teams to replace the old question “Can we fix what appears in the report?” with “Would we pass if the test happened this morning?”
That mindset flips Cyber Essentials from an event into a warning light that should never turn red.
Keep the Cyber Essentials Warning Light Green, with Trustco
At Trustco, we understand the Cyber Essentials Plus journey because we have been through the process ourselves and continue to do so. As a Cyber Essentials Plus certified organisation, we understand both the technical requirements and the operational challenges involved in maintaining good cyber hygiene.
We help customers prepare before assessment day by supporting areas including:
- Cyber Essentials Plus readiness reviews and Gap Analysis
- Internal and External Pen Testing
- Microsoft 365 security and Identity Configuration
- MFA Controls, and Privilege Controls
- Device management with Microsoft Intune and Entra
- Device discovery, visibility and management
- Vulnerability Scanning, Prioritisation and Patch management
- Immutable Backups and Recovery, and Cyber Resilience Planning
- Managed Detection and Response, SOC and Instant Response Services
Cyber security is not always about buying yet another tool. Trustco can help you identify the gaps before they become problems. Let us help you become Cyber Essentials Plus V3.3 ready and maintain those standards beyond assessment day.
If you need support meeting the standards of Cyber Essentials Plus, contact Trustco today.
