Cyber Essentials is evolving once again, with a new set of certification questions set to take effect on April 28, 2025. These updates reflect ongoing efforts to keep businesses secure amid changing technology and working practices.
While we’re still awaiting full details, one update stands out: home routers will now fall within the scope of Cyber Essentials assessments. This could have significant implications for businesses that rely on remote workers.
What’s Changing?
The upcoming updates will introduce several key changes, including:
- Scope clarification – More precise guidance on what must be included in the assessment.
- Firewall management – All firewalls and routers must be listed, and home/remote routers must have software firewalls enabled.
- Password management – Strengthened best practices for secure configurations.
- Vulnerability fixes – Terminology updates to emphasize the importance of timely security patches.
Why Home Routers Matter
The inclusion of home routers raises an important question: How can businesses enforce security policies on devices they don’t own? With remote work more common than ever, this change could require businesses to set stricter policies, provide approved routers, or find ways to enforce compliance on personal devices.
If your business relies on remote workers, now is the time to start thinking about how this might affect your security strategy. Will you need to issue company-approved routers? Implement monitoring tools? Revise your remote work policy?
As more details emerge, businesses should prepare for potential challenges in balancing security and employee privacy. Stay tuned for further updates as we learn more about how these changes will be implemented.
Update : we have had clarification on this. If your organisation gives the home/remote worker a router, then it is in scope. All other routers are out of scope, but will require firewall controls.
While this means businesses will not be pushed into having to enforce security protocols on employees’ equipment, it does beg the question as to whether it results in a weak point in the business infrastructure, in what is an increasingly a common situation.
