From today, the updated Cyber Essentials requirements explicitly include cloud services in scope — and this applies to both Cyber Essentials (the self-assessment) and Cyber Essentials Plus (the technical audit). If your organisation runs on Microsoft 365, Google Workspace, AWS, or Azure, this change applies to you at whichever level of certification you hold or are pursuing.

One requirements document, two certification levels

It’s worth being precise about how the scheme works. Cyber Essentials and Cyber Essentials Plus share the same underlying requirements document (now at version 3.3). CE is a self-assessed questionnaire against those requirements; CE+ is a hands-on technical audit that verifies the controls declared in the CE self-assessment are actually in place.

The cloud scoping change therefore flows through the entire scheme. You can no longer exclude cloud services from scope at either level. If your organisation’s data or services are hosted on cloud platforms, those platforms must be included in your assessment — full stop.

What’s changed

The updated requirements introduce a clear definition of a cloud service for the first time: an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, accessed via an account, and storing or processing data for your organisation. This is deliberately broad and will capture M365, Google Workspace, AWS, Azure, and most similar platforms without ambiguity.

The most operationally significant change is that multi-factor authentication (MFA) is now mandatory across all cloud services where it is available. This applies whether MFA is native to the service, available via a connected tool, or offered as a paid add-on. No MFA means an automatic fail at the CE self-assessment stage — before a CE+ auditor even arrives.

Beyond MFA, assessors will verify the following controls across your cloud estate:

  • Firewalls and boundary controls
  • Secure configuration of cloud services and devices
  • User access controls and least-privilege principles
  • Security update and patch management

Why it matters

Cyber Essentials certification is increasingly a baseline requirement for government contracts, supply chain onboarding, and client assurance programmes. With cloud now explicitly in scope at both CE and CE+ level, organisations that previously treated cloud platforms as peripheral to their certification now need to reassess that position.

For cloud-first businesses — those with little or no on-premises infrastructure — this update makes the scheme genuinely relevant in a way it arguably wasn’t before. The ‘CE+ is built for on-prem’ argument is no longer valid.

What CE and CE+ don’t tell you

Both certifications test whether fundamental controls are in place. They don’t assess whether your cloud security posture is mature, or whether your development, cloud operations, security, and GRC teams are operating to a consistent set of priorities.

Many organisations pass CE or CE+ while carrying meaningful strategic gaps in their cloud security. The certifications are a necessary starting point — not a complete picture of your risk exposure.

How Calligo can help

We work with organisations to address both the compliance requirement and the broader security posture question.

Same-day Microsoft 365 assessment

We can assess your M365 tenant, deliver a detailed findings report, and provide a prioritised remediation plan — all within the same day. For organisations that need to move quickly ahead of a contract requirement or client request, this removes the usual weeks-long wait for a consultant’s report.

CE and CE+ readiness review

Before committing to a formal audit, it’s worth identifying exactly where the gaps are. Our readiness work gives you a clear view of what needs to be addressed — at whichever certification level you’re targeting — so the formal assessment becomes a confirmation rather than a discovery exercise.

Cloud security posture assessment

For organisations that want to go beyond CE and CE+ and understand their cloud security maturity more broadly, we offer a structured assessment across the key domains of cloud security. This is cloud and tool agnostic — relevant whether you’re running primarily on Microsoft, AWS, Google, or a mix of all three.

If the updated requirements have raised questions about where your organisation stands, we’re happy to have a conversation. Get in touch with the Calligo team.