This blog outlines the annual updates to the Requirements for IT Infrastructure document, which serves as the standard for achieving Cyber Essentials certification. It also contains essential new information about changes to the assessment framework.

The National Cyber Security Centre (NCSC) has now added further adjustments to the certification process, marking scheme, and Cyber Essentials Plus assessment methodology. It is important to understand and implement these changes to ensure compliance with the updated requirements. If you’re preparing for certification or recertification, it’s vital to review these updates carefully.

Each year, IASME collaborates closely with the NCSC to review feedback from across the scheme, analyse findings from breach investigations, and evaluate insights gained from audits conducted by the IASME team. These inputs form the foundation of the annual review process, which informs updates to the scheme requirements, assessment question set, methodology, and marking criteria. Our goal is to complete this review and implement updates as early as possible, ensuring organisations have sufficient time to prepare for any changes. In November 2025, we published the NCSC’s updates to the Requirements for Infrastructure document, including the introduction of an ‘auto-fail’ policy for not implementing Multi-Factor Authentication (MFA) where it is available.

Since then, additional factors have been identified through IASME’s ongoing audit processes. While these findings have not necessitated further changes to the Requirements for Infrastructure document, they have prompted NCSC to make updates to the operation of the scheme. The details of these changes are outlined below and will take effect in April 2026.

The changes to the scheme will apply to all assessment accounts created after April 27, 2026. Any organisation with an active assessment account created before this date will have 6 months to attain certification using the previous version of the requirements.

What are the upcoming changes to Cyber Essentials?

The April 2026 updates to the Cyber Essentials scheme aim to address challenges faced by organisations and Assessors, resolve areas of ambiguity, and ensure that the scheme continues to provide robust assurance against cyber threats.

Many of these updates were announced in November 2025. However, newly announced changes are highlighted below with the grey background.

Changes to the marking criteria

One of the most notable updates to the scheme is the implementation of stricter marking criteria for questions that address critical practices, such as enabling multi-factor authentication and implementing timely security updates across the entire scope. Failure to meet the required standards will result in an automatic failure of the assessment. This emphasis brings the Cyber Essentials scheme into alignment with the NCSC’s recommended best practice.

Multi-factor authentication (MFA) will now be a mandatory requirement for all cloud services where it is available. Organisations that fail to implement MFA for cloud services whether it is free, included, or a paid option will automatically fail the assessment. This change underscores the critical role of MFA in protecting systems and highlights the importance of adopting strong authentication measures. Read more here.

Additionally, two new questions related to security update management will be designated as ‘auto-fail’ questions. These questions address the timely installation of high-risk or critical security updates and vulnerability fixes for operating systems, router and firewall firmware, and applications (including associated files and extensions). Specifically:

A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Non-compliance with either of these questions will result in an automatic failure of the assessment, regardless of performance in other areas. This change is intended to address instances where the delay of critical updates, leaves systems vulnerable to exploitation.

Improved scope definition and certification transparency

Defining and reviewing the scope of an assessment has been a persistent challenge, particularly for larger organisations with complex structures. To address this, the following changes will be introduced:

1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. Instead, they will be able to provide a detailed scope description, which will be available to view via the digital certificate platform.
2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure that are excluded from the scope. This information will not be made public.
3. Legal entity identification: Organisations will need to specify all legal entities included within the scope of the assessment, providing details such as the entity’s name, address, and company number. All legal entities included in scope can be viewed on the digital certificate platform.
4. New certificate types: You will be able to request an individual Cyber Essentials certificate for every legal entity certified as part of a larger scope but it will be clear that the certification is part of the wider scope. There will be a small charge for these additional certificates.

These changes aim to improve transparency, reduce ambiguity, and ensure that the scope of an assessment is clearly defined and accurately represented.

Clarification of ‘point in time’

Cyber Essentials is a ‘point in time’ assessment, but there has been confusion about what this term refers to. To address this, the scheme will explicitly state that the ‘point in time’ is the date the certificate is issued. Organisations will need to ensure that their systems are supported at the date of certification.

Signed declaration and ongoing compliance

The declaration signed by a board member or director as part of the verified self-assessment (VSA) process will be updated to include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This change reinforces the importance of ongoing compliance and ensures that organisations remain committed to maintaining robust cyber security measures.

Changes to the Cyber Essentials Plus (CE+) assessment

The Cyber Essentials Plus (CE+) assessment provides a higher level of assurance by including a technical audit of an organisation’s cyber security measures. The April 2026 updates introduce several changes to enhance the CE+ process and align it more closely with the verified self-assessment VSA.

Verification of update management compliance

Recent audits have revealed instances of organisations ‘applying selective updates’ during the Cyber Essentials Plus (CE+) assessment process. Specifically, when updates are identified as necessary during the CE+ audit, a small number of organisations have only applied these updates to the devices included in the sample being tested, rather than implementing them across their entire CE+ scope. As a result, these organisations have passed the CE+ assessment despite failing to address vulnerabilities across their broader environment.

To address this issue, the CE+ assessment process for update management will be revised. If an organisation fails the initial test of a random sample of devices, they will be required to remediate the issues and undergo a retest. During the retest, the Assessor will not only recheck the original sample, but will also test a new random sample of devices to ensure compliance across the wider environment. This change is designed to prevent organisations from selectively updating only the tested devices and to ensure that all required updates are applied consistently across the entire CE+ scope. It is important to note that a second failure will result in a revocation of the verified self-assessment certificate.

Prohibition of adjustments to the verified self-assessment post-CE+ testing

To maintain the integrity of the certification process, organisations will no longer be allowed to adjust their verified self-assessment (VSA) responses based on the results of the CE+ assessment. The scheme’s Terms and Conditions will be updated to explicitly require that the VSA must be completed, finalised, and remain unchanged prior to the commencement of CE+ testing.

Additional updates to the Requirements Document

The Cyber Essentials Requirements for IT Infrastructure v3.3 will include several updates to improve clarity and guidance:

Cloud services definition: A clear definition of cloud services has been added to eliminate ambiguity about what constitutes a cloud service.

Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.

• Improved scoping requirements: The terms ‘untrusted’ and ‘user-initiated’ have been removed as qualifiers for internet connections, simplifying the scoping criteria. Organisations will also need to justify any exclusions from the scope and explain how excluded networks are segregated from in-scope systems.
• Application development: The ‘web applications’ section has been renamed ‘application development’ and now references the UK Government’s Software Security Code of Practice. Publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope.
• Guidance on Backups: Guidance on Backups: The guidance on backups has been repositioned earlier in the document to emphasise their importance in enabling organisations to recover quickly from cyber incidents.
• User Access Control: The user access control section has been updated to highlight the importance of passwordless authentication methods, such as passkeys, which offer a more secure alternative to traditional passwords.

For more details, refer to the updated Cyber Essentials Requirements for IT Infrastructure v3.3, which will apply to all applications registered after April 27, 2026.

For more on how Cyber Essentails works, please 📧 contact us for more information

The Cyber Essentials scheme is built around five core technical controls designed to protect organisations from the most common cyber threats. Each year, the National Cyber Security Centre and IASME review these requirements to ensure they remain relevant. The next update goes live in April 2026, with six months’ notice for organisations to prepare. Cyber Essentials Requirements for IT Infrastructure v3.3 will apply to all assessment accounts created after 27 April 2026.

Key points

• Stronger focus on passwordless authentication and MFA.
• Minor changes to the requirements document.
• Clearer definitions, especially around cloud services.
• Simplified scoping rules.
• Updated guidance for application development.
• Backup guidance moved earlier for emphasis.

What matters most

The most significant update is to the marking criteria: multi-factor authentication (MFA) becomes mandatory wherever available. If a cloud service offers MFA—free or paid, and it is not enabled, the assessment will automatically fail. This change reflects the increasing importance of MFA in preventing account compromise.

The user access control section has been updated to place greater emphasis on passwordless authentication and multi-factor authentication (MFA). Passkeys in particular offer an easier, faster and more secure way to log in and the NCSC would like to see them become the default authentication recommendation.

Definitions have also been tightened. A clear definition of “cloud service” is now included, and cloud services can no longer be excluded from scope. Scoping language has been simplified so any in-scope device connected to the internet is included, regardless of connection type. Applicants excluding networks will need to justify why and explain how segregation is enforced.

The “web applications” section is now “application development” and aligns with the UK Government Software Security Code of Practice. Backup guidance has been moved to highlight its importance.

The full v3.3 requirements will apply from 27 April 2026, with the new question set released by February 2026.

UPDATED INFORMATION HERE

For more on how Cyber Essentails works, please 📧 contact us for more information

I have just spent the week with Felix who led us through a deep dive into the world of IoT security. It wasn’t just theory – it was hands-on, practical, and exactly the kind of learning that sticks.

We pulled a thing to bits to get to the bits – breaking down each stage from understanding electronics to extracting and analysing firmware. We got to grips with the tools and techniques used to bypass anti-tamper protections, many of which are far less effective than manufacturers would like to believe.

As someone who used to take things apart as a kid just to see how they worked (and usually got told off for it), this course hit the spot. If you’re the same – curious, technical, and always asking how does this actually work? – then you’ll love it.

Highly recommended for anyone serious about hardware hacking, reverse engineering, or just unlocking that next level of cyber knowledge.

Check out the next dates on YGHT Courses page

The latest exploitation trends report from VulnCheck is a wake-up call. Attackers aren’t hanging around — they’re jumping on newly disclosed vulnerabilities almost as soon as they’re published. If your patching process is slow, you’re basically leaving the door wide open.

This is exactly why the NCSC’s Cyber Essentails scheme — especially its 14-day patching rule — is more important than ever.

What the VulnCheck Report Says

• 159 known exploited vulnerabilities (KEVs) reported in Q1 2025.)
• Almost 30% were under attack within 24 hours of being disclosed.
• The usual suspects are being hit hardest:
  • Content Management Systems
  • Network Edge Devices
  • Operating Systems
• Top vendors affected:
  • Microsoft Windows
  • VMware
  • Cyber PowerPanel

The takeaway? Attackers aren’t targeting obscure kit — they’re going after the stuff most of us use every day.

Where Cyber Essentials Fits In

Cyber Essentails isn’t about ticking boxes — it’s about getting the basics right so you’re not the easy target. Here’s how it helps:

• Secure Configuration: Shut down unnecessary services, harden your systems.
• Patching (The Big One):
  • Critical and high-risk updates must be applied within 14 days.
  • That includes OS, firmware, and any third-party apps where there’s a known exploit.
  • With VulnCheck showing exploits popping up within a day, 14 days isn’t just a nice-to-have — it’s the minimum to stay in the game.
• Access Control: Only give people access to what they actually need.
• Malware Protection: Basic defence against malware doing the rounds.
• Firewalls and Gateways: Keep the bad stuff out, especially at the network edge (which, by the way, is one of the top targets right now).

Why You Can’t Ignore the 14-Day Rule

The data’s clear: the gap between “vulnerability published” and “exploit in the wild” is getting smaller all the time. The longer you wait to patch, the higher the risk.

The 14-day rule in Cyber Essentials isn’t about red tape — it’s about giving attackers less time to hit you.

Bottom Line

Don’t make it easy for them. Patch early, patch often. If you’re not patching fast enough, you’re giving attackers the upper hand. Cyber Essentials is designed to reduce that risk. It helps you cover the basics that attackers rely on you getting wrong.

For more on how Cyber Essentails works, please 📧 contact us for more information

It might be over 10 years old but Cyber Essentials is always being reviewed to keep pace with technology and best practice. The next update to Cyber Essentials will be version 3.2 (Willow) will take effect from 28 April 2025. This means all applications started on or after this date will use the new requirements and questions set. For more information please read IASME’s blog on their website.

This version not much has really changed, the core requirements stay the same, it is mostly some tidying of language and definitions. So for most SME’s who are all ready doing Cyber Essentials there is nothing to worry about. Those who sub-set their scope there is now an extra verification test for the plus assessment.

Key Changes

• Under software, the term ‘plugins’ has been changed to ‘extensions’ for improved accuracy.
• References to ‘home working’ has been changed to ‘home and remote working’.
• Passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication, “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity“
• The description that used to be ‘patches and updates’. will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods.
• When the Cyber Essentials self-assessment scope is not ‘whole organisation’, it must be verified by the Assessor that any sub-sets have been segregated correctly (extra physical test)
• All verification evidence must be retained by the Certification Body for the lifetime of the certificate

NCSC documents are available from below

• https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-2.pdf 
• https://www.ncsc.gov.uk/files/cyber-essentials-plus-test-specification-v3-2.pdf

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

Winget (Windows Package Manager) is a command-line tool that allows you to install, update, and manage applications on Windows easily. It has been around for a few years now, but many IT admins do not know it exists or how it can be intergrated into day to day admin tasks for FREE.

This guide covers the basics of using Winget to update applications and automate routine tasks.

Installing Winget

Most modern Windows 10 and 11 versions come with Winget preinstalled. To check if Winget is available, run the following command in PowerShell or Command Prompt:

winget --version

If it’s not installed, download it from the Microsoft Store or install it via PowerShell.

For a list of applications that can be installed/updated by Winget check the Winget pkgs Github

Updating Installed Applications

For a list of upgradable apps:

winget upgrade

To update a single application, use:

winget upgrade "App ID"

To update all applications at once:

winget upgrade --all

To force update all apps without prompts:

winget upgrade --all --silent --accept-package-agreements --accept-source-agreements

Installing Applications

To install a new application:

winget install "App Name"

For a silent installation without prompts:

winget install "App Name" --silent --accept-package-agreements

Automating Winget Tasks with Scripts

You can automate Winget tasks using PowerShell scripts. For example, to update all applications daily:

1. Open Notepad and enter the following script:

winget upgrade --all --silent --accept-package-agreements --accept-source-agreements

1. Save it as update-winget.ps1.
2. Open Task Scheduler and create a new task:
   • Set it to run daily.
   • Choose Start a Program and select powershell.exe as the program.
   • Add -ExecutionPolicy Bypass -File "C:\path\to\update-winget.ps1" as arguments.

This ensures applications stay up to date automatically. That script could also be deployed via inTune

Exporting and Importing Installed Apps

To export a list of installed applications (could be used to baseline a build to make rolling out apps easy):

winget export -o apps.json

To reinstall apps from the list:

winget import -i apps.json

Conclusion

Winget simplifies software management on Windows, allowing you to update, install, and automate tasks with ease. By integrating it with scripts and Task Scheduler, you can maintain your applications effortlessly and help achieve Cyber Essentails.

Rebooting. It’s one of those things we all know we should do, but it’s easy to ignore when you’re busy. However, skipping reboots is one of the most common (and risky!) issues flagged in recent Cyber Essentials assessments.

Why Rebooting is a Big Deal

• Updates Need It: Those important security patches? Most won’t work fully until you reboot. No reboot = no protection.
• It Clears Out the Junk: A quick reboot refreshes your system, fixes little bugs, and keeps things running smoothly.
• Cyber Essentials Loves It: Rebooting isn’t just a good habit—it’s essential for meeting the Cyber Essentials standard.

What Happens if You Don’t

Imagine installing a lock on your door but not closing it. That’s what skipping a reboot is like. You’re leaving your system vulnerable, even after you’ve done the hard work of applying updates.

Make Rebooting Easy

• Set It and Forget It: Schedule automatic updates and reboots outside of work hours. Or last thing on a Friday shutdown the computer.
• Talk About It: Let your team know why reboots matter—it’s about staying secure, not being annoying.
• Track It: Use logs/reports to monitor reboots so nothing gets missed.

Rebooting might feel like a small thing, but it’s one of the easiest ways to stay safe and compliant. So next time you see that “Restart” button, don’t snooze it—click it! Your security depends on it.

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

We were excited to celebrate the 10th anniversary of the world leading Cyber Essentials Scheme with the teams from NCSC and IASME this afternoon at the beautiful Cholmondeley Room at the House of Lords. It was an honour to hear from Feryal Clark MP (Parliamentary Under-Secretary of State for AI and Digital Government), who shared insights into our journey and the impact we’ve had over the past decade. We also heard from Emma Philpot MBE and business CISOs on how Cyber Essentials is being used to help provide supply chain assurance.

Cyber Essentials has significantly impacted the Cyber resilience of businesses that implement it fully. Data from insurance providers show that those companies that do Cyber Essentials reduce cyber risk by at least 92%. More can be read in the DIST Cyber Essentials Impact Evaluation

We’re so grateful for our amazing customers and their unwavering support. Back in 2014, we were among the first Cyber Essentials Assessors, and since then, we’ve seen fantastic progress with our customer base. The majority of our customers are actively embracing Cyber Essentials by implementing controls throughout the year, not just during assessment time. Your support over the last decade has been incredible, here’s to the next 10 years of stronger cyber resilience!

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information

IASME have published here that they are increasing the costs for Cyber Essentials from 2nd April 2024. As you will remember, the last time they raised the price was 2022, and that was for everyone except Micro companies.

This time, all prices will be raised as follows.

IASME has also increased the costs associated with being a certification body and performing plus assessments. This action, along with that of other providers, made it difficult for us to continue with the same pricing. As a result, we will be reviewing prices and making some adjustments to future plus assessment costs.

This will mean an increase in costs for Cyber Essentials/Plus for all customers.

Orders placed and paid for in March will be at the old pricing. Any outstanding quotes will also be reviewed from March.

📧 Contact us for more information

The Government approved Cyber Essentials scheme includes five technical controls that help protect organisations of all sizes from the majority of commodity cyber attacks. The Cyber Essentials certification badge signals to customers, investors and those in the supply chain that an organisation has put the Government approved minimum level of cyber security in place and can be trusted with their data and business.

A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. The evolution of Cyber Essentials allows UK businesses to continue raising the bar for their cyber security.

On 23rd January, the NCSC publishes an updated set of requirements, version 3.1 for the Cyber Essentials scheme which will come into force on the 24th April 2023. The ‘Montpellier’ question set will replace Evendine. Additionally, the grace periods for some of the requirements from the 2022 update will end on 24th April.

Any assessments that began before 24th April, will continue to use the requirements version 3.0 with the Evendine question set.

This includes any assessment accounts created before 24th April.

This year, the changes to the scheme are as follows:

The definition of ‘software’ has been updated to clarify where firmware is in scope

Software includes operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software and firewall and router firmware. Why the change? Firewall and router firmware is the operating system of those devices. As firewalls and routers are key security devices, their operating systems and whether they are kept up to date is extremely important from a security perspective. And another thing… Cyber Essentials will require that all applicants list their laptops, desktops, servers, computers, tablets and mobile phones, with details of the make and operating system. However, when it comes to firewalls and routers, the applicant will only be asked to list make and model, but not the specific version of the firmware. By asking for the make and model on these devices, the Assessor will be able to determine if the devices is still receiving security updates to the firmware.

Asset management is important in Cyber Essentials

In a similar vein to backing up data, asset management isn’t a specific Cyber Essentials control, but it is a highly recommended core security function. By including this subject in the Cyber Essentials requirements, the importance of good asset management is being emphasised.

The requirements clarify that asset management doesn’t mean making lists or databases that are never used, it means creating, establishing and maintaining authoritative and accurate information about your assets that enables both day-to-day operations and efficient decision making when you need it. Security experts often refer to asset management as a fundamental cyber hygiene practice that can help an organisation meet all of the Cyber Essentials five controls. Many major security incidents are caused by organisations having assets which are still connected to the network when that organisation is not aware the asset is still active. Effective asset management will help track and control devices as they’re introduced into your business. The NCSC has comprehensive guidance for organisations on asset management.

A link to the NCSC’s BYOD guidance added for information

 For further information and advice on the use of BYOD, please see the NCSC’s guidance.

Clarification on including third party devices

All end user devices that your organisation owns and that are loaned to a third party must be included in the assessment scope. A new table is included for clarity on this subject For devices not owned by your organisation, the table below explains what is in and out of scope: (use table from the requirements doc as the table should include crosses and ticks)

In scope = Green Tick
Out of scope = Red Cross

The new table gives clarity on which third party devices are in scope for Cyber Essentials. It aims to answer the common questions about consultants, volunteers, and the much disputed, student devices. When the third-party device has a green tick, it is in scope and the applicant organisation needs to demonstrate that they can apply the required controls via a combination of technical and written policy. For example, if an in scope third party BYOD connects to an organisational Office 365, the organisation can create a conditional access policy that says if the device doesn’t have a supported operating system, it won’t connect til the operating system is updated. The devices of students that are not owned by the applicant organisation are not and have never been in scope.

‘Device unlocking’

section has been updated to reflect that some configuration can’t be altered because of vendor restrictions When the vendor doesn’t allow you to configure the above, use the vendor’s default setting

Sometimes, an applicant might be using a device where there are no options to change the configuration to meet the Cyber Essentials requirements. One example of this is locking the device after 10 failed sign-in attempts. Samsung, possibly the largest provider of smartphones in the world, have set their minimum sign-in attempts at 15, with no option to alter this number. So, in this instance, Cyber Essentials would require that the applicant goes with the minimum number sign-in attempts allowed by the device before locking.

An updated ‘Malware protection’ section

You must make sure that a malware protection mechanism is active on all devices in scope. For each device, you must use at least one of the options listed below.  In most modern products these options are built in to the software supplied. Alternatively, you can purchase products from a third-party provider.  In all cases the software must be active, kept up to date in accordance with the vendors instructions, and configured to work as detailed below:

Anti-malware software (option for in scope devices running Windows or MacOS including servers, desktop computers, laptop computers)

If you use anti-malware software to protect your device it must be configured to: - Be updated in line with vendor recommendations - Prevent malware from running - Prevent the execution of malicious code - Prevent connections to malicious websites over the internet

Application allow listing (option for all in scope devices)

Only approved applications, restricted by code signing, are allowed to execute on devices. You must: - Actively approve such applications before deploying them to devices - Maintain a current list of approved applications, users must not be able to install any application that is unsigned or has an invalid signature

Why the change?

Questions have been raised about the efficacy of some of the controls to defend against malware. Requirements have been updated with the latest knowledge, research and recommendations from vendors.

Information about how using a zero trust architecture affects Cyber Essentials

Network architecture is changing. More services are moving to the cloud and use of Software as a Service (SaaS) continues to grow. At the same time, many organisations are embracing flexible working, which means lots of different device types may connect to your systems from many locations. It’s also increasingly common for organisations to share data with their partners and guest users, which requires more granular access control policies. Zero trust architecture is designed to cope with these changing conditions by enabling an improved user experience for remote access and data sharing. A zero trust architecture is an approach to system design where inherent trust in the network is removed. Instead, the network is assumed hostile and each access request is verified, based on an access policy. Confidence in a request is achieved by building context, which relies on strong authentication, authorisation, device health, and value of the data being accessed. NCSC and IASME have considered the alignment of Cyber Essentials with the zero trust architecture models. We are confident that implementing the Cyber Essentials technical controls does not prevent you from using a zero trust architecture as defined by the NCSC guidance.

The illustrative specification document for CE+ has been updated and was published on January 23rd.

The changes regarding malware protection affect how a CE+ Assessor carries out the malware protection tests. At the point of CE+ audit, the Assessor will discuss further if required.

A number of style and language changes have been made to make the document more readable

The requirements document has been updated in line with plain English and accessibility guidelines.

The technical controls have been reordered to align with the self-assessment question set

For consistency, the scheme requirements are now in the same order as the question set which is, firewalls, secure configuration, security update management, user access controls, and malware protection.