What are the Cyber Essentials Plus patching requirements?

As of 24 January 2022, software updates must be applied within 14 days of release where the update fixes vulnerabilities that the vendor describes as ‘critical’ or ‘high risk’, where the vendor provides no severity rating for the vulnerabilities fixed, or where the fixes address vulnerabilities with a CVSS v3 score of 7 or above. The 14 days run from the vendor's release date, not from the date you become aware of the update.
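To make that rule checkable against a software inventory, the following is an added Python example written for this page (not URM's or the Cyber Essentials scheme's own code). It works out, per update, whether the 14-day clock applies, when the deadline falls, and whether the update is on time, due, overdue or applied late. The Update records are constructed sample data, and treating an update with neither a vendor rating nor a CVSS score as the 'no level provided' case is an assumption made by the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)          # the clock runs from the vendor's release date
CVSS_THRESHOLD = 7.0
URGENT_VENDOR_RATINGS = {"critical", "high", "high risk"}


@dataclass
class Update:
    product: str
    released: date
    vendor_severity: Optional[str] = None  # vendor's own rating; None when the vendor gives none
    cvss_v3: Optional[float] = None        # CVSS v3 score; None when none is published
    applied: Optional[date] = None         # date installed; None while still outstanding


def fourteen_day_rule_applies(u: Update) -> bool:
    """True when the 14-day window applies to this update."""
    if u.vendor_severity is None and u.cvss_v3 is None:
        # Assumption: no severity information at all is the 'no level provided
        # by the vendor' case, so the 14-day clock runs.
        return True
    if u.vendor_severity is not None and u.vendor_severity.lower() in URGENT_VENDOR_RATINGS:
        return True
    return u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD


def deadline(u: Update) -> Optional[date]:
    """Latest acceptable install date, or None if the 14-day rule does not apply."""
    return u.released + PATCH_WINDOW if fourteen_day_rule_applies(u) else None


def status(u: Update, today: date) -> str:
    d = deadline(u)
    if d is None:
        return "outside 14-day rule"   # still patch it, but the 14-day clock is not running
    if u.applied is not None:
        return "ok" if u.applied <= d else "applied late"
    return "overdue" if today > d else "due"


def triage(updates: List[Update], today: date) -> Dict[str, str]:
    return {u.product: status(u, today) for u in updates}


# Constructed sample inventory for illustration, not real vendor data
SAMPLE_UPDATES = [
    Update("browser", date(2026, 1, 1), vendor_severity="critical", applied=date(2026, 1, 10)),
    Update("office-suite", date(2026, 1, 1), vendor_severity="medium", cvss_v3=5.3),
    Update("firmware", date(2026, 1, 1)),                      # vendor gives no rating at all
    Update("vpn-client", date(2026, 1, 1), vendor_severity="moderate", cvss_v3=7.5,
           applied=date(2026, 1, 18)),                        # CVSS 7.5 pulls it in despite 'moderate'
    Update("os", date(2026, 1, 10), vendor_severity="high"),
]

if __name__ == "__main__":
    for product, state in triage(SAMPLE_UPDATES, date(2026, 1, 20)).items():
        print(f"{product:14} {state}")
```

The "vpn-client" row is the case assessors most often catch: the vendor calls it moderate, but the CVSS score is 7 or above, so the 14-day window still applies and installing on day 17 is a breach of the requirement even though the update is no longer outstanding.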

For password-based authentication in Internet-facing services, you must:

  • Protect against brute-force password guessing by using at least one of the following methods:
    • Lock accounts after no more than 10 unsuccessful attempts
    • Limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes

What is the required Cyber Essentials password policy?

You must:

  • Use technical controls to manage password quality, by at least one of the following:
    • Set a minimum password length of at least 8 characters and automatically block common passwords via a deny list
    • Set a minimum password length of at least 12 characters
    • Use multi-factor authentication
  • Not set a maximum password length
  • Change passwords promptly when you know or suspect that a password has been compromised
  • Implement a password policy that tells users:
    • How to avoid choosing obvious passwords (such as those based on easily discoverable information like the name of a favourite pet)
    • Not to choose common passwords — this could be implemented by technical means, using a password deny list
    • Not to use the same password anywhere else, at work or at home
    • Where and how they may record passwords to store and retrieve them securely (for example, in a sealed envelope in a secure cupboard), whether they may use password management software, which software, and how to use it
    • Which passwords they must memorise.

You are NOT required to:

  • Enforce regular password expiry for any account (we actually advise against this)
  • Enforce password complexity requirements.
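As an added example, not code from URM or from the Cyber Essentials scheme, the following Python implements the technical controls listed above: the password-quality check under either option (at least 8 characters with a deny list, or at least 12 characters, with no maximum in either case) and a per-account guess limiter that can run either as a throttle (no more than 10 failed guesses in a sliding 5-minute window) or as a lockout (locked after 10 failures until an administrator unlocks it). The deny list, the credential store and the clock values are constructed for illustration; a real deployment would use a full common-password list and `time.time()` for the clock.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import Deque, Dict, Optional, Tuple

# Thresholds from the requirements quoted above
MAX_FAILURES = 10
WINDOW_SECONDS = 5 * 60

# Constructed deny list for illustration only; use a full common-password list in practice
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty", "letmein"}


def password_acceptable(pw: str, deny_list: Optional[set] = COMMON_PASSWORDS) -> bool:
    """Password-quality control under either option (MFA is the third and lives elsewhere).

    deny_list given: at least 8 characters and not a denied password.
    deny_list None:  at least 12 characters.
    No maximum length is imposed in either case.
    """
    if deny_list is not None:
        return len(pw) >= 8 and pw.lower() not in deny_list
    return len(pw) >= 12


class GuessLimiter:
    """Per-account brute-force protection.

    window=WINDOW_SECONDS is the throttle option: failures older than the window
    are forgotten. window=None is the lockout option: after max_failures the
    account stays locked until unlock() is called.
    """

    def __init__(self, max_failures: int = MAX_FAILURES,
                 window: Optional[float] = WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures: Dict[str, Deque[float]] = {}

    def _recent(self, account: str, now: float) -> Deque[float]:
        q = self._failures.setdefault(account, deque())
        if self.window is not None:
            while q and now - q[0] >= self.window:   # drop failures outside the window
                q.popleft()
        return q

    def allowed(self, account: str, now: float) -> bool:
        return len(self._recent(account, now)) < self.max_failures

    def record_failure(self, account: str, now: float) -> None:
        self._recent(account, now).append(now)

    def unlock(self, account: str) -> None:
        self._failures.pop(account, None)


def make_credential(pw: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 hash for the constructed credential store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def login(store: Dict[str, Tuple[bytes, bytes]], limiter: GuessLimiter,
          account: str, pw: str, now: float) -> str:
    # Consult the limiter before touching the credential, so a throttled attempt
    # learns nothing about the password, and key it on the submitted name even
    # when the account does not exist, so the response does not reveal valid usernames.
    if not limiter.allowed(account, now):
        return "throttled"
    cred = store.get(account)
    if cred is None:
        limiter.record_failure(account, now)
        return "bad credentials"
    salt, expected = cred
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    if hmac.compare_digest(candidate, expected):
        limiter.unlock(account)          # a successful login clears the failure history
        return "ok"
    limiter.record_failure(account, now)
    return "bad credentials"


if __name__ == "__main__":
    store = {"alice": make_credential("correct horse battery staple")}   # constructed account
    throttle = GuessLimiter()
    for t in range(11):
        print(t, login(store, throttle, "alice", f"guess{t}", float(t)))
    print(300, login(store, throttle, "alice", "correct horse battery staple", 300.0))
```

Two details matter when an assessor tests this. The limiter check comes before the credential check, so the eleventh attempt is refused even when it carries the correct password; otherwise an attacker can simply keep guessing and the throttle only slows legitimate users. And the counter is keyed on the username as submitted, whether or not the account exists, so the lockout or throttle behaviour cannot be used to enumerate valid accounts.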

We want to pass on our thanks to our URM assessor for helping us with the assessment. He made it really very straightforward for us during the remote sessions and during the follow-ups to understand what we needed to do to remediate the issues and obtain the certification. He understood our setup and gave us relevant advice; it was a pleasure working with him.
Engineering company

Related blogs from URM

  • NHS Cyber Security Open Letter: What Does it Mean for Suppliers? (published 16 February 2026): explains the recent open letter to suppliers issued by the NHS, what it means, why it matters, and the practical steps you can take to prepare.
  • Minimising the Impact When a Breach Occurs (published 19 January 2026): explores the importance of cyber resilience and the steps organisations can take to prepare for and mitigate the impact of a cyber incident.
  • Strengthening Your Cyber Defences: Practical Steps for Every Business (published 9 January 2026): explores common weaknesses in organisations’ security programmes and outlines practical, cost-effective measures to reduce the likelihood of a breach.
  • Deconstructing the EU Cyber Resilience Act (published 18 December 2025): breaks down the new EU Cyber Resilience Act, what products/entities are in scope, the security requirements it imposes on organisations, and more.
We engaged URM to help us on our journey to achieve Cyber Essentials Plus. From the outset the engagement with URM was excellent. The online portal made the CE assessment seamless. The assessors were professional and courteous and went above and beyond to help us through the process.