ITogether is proud to hold both Cyber Essentials and ISO 27001 certification, the world's leading standard for information security.
What is changing in April 2026 for Cyber Essentials?
As of 27 April, Cyber Essentials will be updated to the new "Danzell" question set, introducing some additional requirements.
Key changes include:
Mandatory MFA: Services must have MFA enabled if available; failure to do so is now an automatic fail.
Cloud is Fully in Scope: Any cloud service (SaaS, PaaS, IaaS) that processes or stores company data and is accessed via a business email/account is in scope. It cannot be excluded.
14-Day Patching: Failing to apply high-risk and critical security updates within 14 days is now an automatic failure.
Remote Worker Focus: The scope broadens from "home workers" to "remote workers" (including cafes/hotels) to cover all off-site devices.
12-Month Declaration: A senior official must sign a declaration promising to maintain compliance throughout the entire 12-month certification period.
Passwordless as the Gold Standard: The update recognises and encourages methods such as passkeys, biometrics and FIDO2 hardware tokens. ITogether suggest YubiKey.
Focus on Backup Resilience: While backups are still technically guidance, the framework elevates their importance with a focus on ensuring they are offline and/or immutable. Of course, they should also be tested frequently for recovery.
If you want a Network & Cybersecurity partner whose practices are independently verified to global standards, talk to us today. Let's keep your organisation running securely and seamlessly.
UK +44 (0) 113 341 0123
NZ +64 (0)9 802 2444
hello@itogether.com
