The new ‘Willow’ question set is live for all Cyber Essentials certifications, as of 28th April 2025. The new question set has replaced 2023’s ‘Montpellier’ criteria.
There are also further changes this year specific to the Cyber Essentials Plus audit, which we detail below.
If your organisation is working towards Cyber Essentials certification, here’s everything you need to know about what’s changing and why it matters.
Why Are the Changes Happening?
Cyber threats are constantly evolving, and the Cyber Essentials framework needs to keep pace. The new Willow question set, developed by IASME and the National Cyber Security Centre (NCSC), introduces a series of refinements designed to reflect today’s working environments and technologies.
These updates are more of an evolution than a revolution. They aim to make the assessment process clearer, more aligned with modern practices, and ultimately more effective in strengthening cyber resilience.
Key Changes in the Willow Question Set:
🔍 Scope Clarity
Organisations are now given clearer direction on what must fall within the scope of the assessment. Devices accessing organisational data or services, whether through internal networks or cloud platforms, must be included.
🔐 Firewall Requirements
All firewalls and routers must now be documented in the network equipment section. Importantly, remote and home-working routers must use software firewalls, and the guidance encourages more regular reviews of firewall configurations.
🗝️ Password Policies & Authentication
The guidance on passwords has been refreshed to reflect best practices. Passwordless authentication is now recognised as a valid method for protecting firewalls and routers. However, where passwordless systems fall back on passwords, brute-force protections (e.g. complex, randomised passwords) are still required.
⚙️ Patch Management Becomes ‘Vulnerability Fixes’
The terminology has shifted to better emphasise the importance of timely updates. Any vulnerability rated CVSS 7.0 or higher, or otherwise considered high or critical risk, must be addressed, whether through patching, registry changes or configuration changes.
All Cloud Services are In-Scope
All cloud services utilised by an organisation, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), are now explicitly included within the assessment scope. This ensures comprehensive coverage of all platforms that handle organisational data.
✍️ Updated Language and Terminology
Minor wording changes aim to improve clarity. For instance, using “extensions” instead of “plugins,” and referring to “home and remote working” rather than just “home working.”
How is Cyber Essentials Plus Changing?
While the core question set affects both levels of certification, Cyber Essentials Plus has some additional process changes, particularly in Tests 2 and 4:
Test 2: Internal Vulnerability Assessment
- Device sampling must now occur immediately before the audit, rather than using data from the self-assessment.
- Auditors will review and store evidence of the sampling methodology.
- The assessment will now be based on a random sample of devices chosen by the assessor and shared no more than 3 working days before the test.
- High-risk configuration issues, such as unquoted file paths or registry key misconfigurations, now count as assessment failures.
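Unquoted service paths are one of the configuration issues named above, and they are easy to find on a Windows device before the assessor does. The script below is an added example written for this post, not code from IASME, the NCSC or Lanmark. It assumes a Windows host where the account running it can read service definitions via `Get-CimInstance`; the function name, the sample path strings and the vendor name in them are constructed for illustration.

```powershell
# Added example (not from the original post): report Windows services whose
# executable path contains a space but is not wrapped in quotes. That is the
# "unquoted file path" configuration issue that now fails CE Plus Test 2.

function Test-UnquotedServicePath {
    [CmdletBinding()]
    param([string]$PathName)

    # Some services record no binary path at all; nothing to check.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $false }
    $p = $PathName.Trim()
    # A path that starts with a double quote is already quoted.
    if ($p.StartsWith('"')) { return $false }
    # Keep only the executable part, up to the first ".exe"; anything after
    # it is arguments. Paths that do not follow this pattern are skipped
    # rather than guessed at (-match is case-insensitive in PowerShell).
    if ($p -notmatch '^(?<exe>.*?\.exe)') { return $false }
    return $Matches['exe'].Contains(' ')
}

# Constructed sample values (no real services) showing the three cases.
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe -service',     # unquoted and contains spaces: the case to flag
    '"C:\Program Files\Example Vendor\agent.exe" -service',   # quoted: acceptable
    'C:\Windows\System32\svchost.exe -k netsvcs'              # no spaces in the path: acceptable
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-UnquotedServicePath -PathName $s), $s
}

# On a live host: list every service that would trip the check, with the
# account it runs as and its start mode, so the finding can be prioritised.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath -PathName $_.PathName } |
        Select-Object Name, StartMode, StartName, PathName
}
Get-UnquotedServicePath
```

The function works on plain strings so it can be run over exported service definitions as well as on a live machine. The remediation for each finding is to quote the executable path in the service's ImagePath value under `HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName>`, or to have the vendor ship a corrected installer; re-run the check afterwards so the evidence is in hand before the assessor's sample is drawn.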
Test 4: Multi-Factor Authentication for Cloud Services
- Not all cloud services will be tested, only those accessible by devices or users in the scope.
- If a cloud service isn’t accessible to anyone in the sample, it won’t be tested.
What Does This Mean for Your Organisation?
Overall, these changes should make it easier for your organisation to understand the Cyber Essentials requirements and achieve compliance more smoothly. The increased clarity and alignment with current technology trends can help you reduce risk, while streamlining the certification process.
If your Cyber Essentials renewal is coming up, we recommend familiarising yourself with the Willow updates early to make sure you’re not caught out.
How Lanmark Can Help:
Navigating the complexities of Cyber Essentials can be challenging. Lanmark Limited, a leading IT Services and cyber security company, offers comprehensive services to assist organisations in achieving Cyber Essentials and Cyber Essentials Plus certification. Our experienced consultants can:
- Provide expert guidance on the Cyber Essentials requirements, including the changes introduced in version 15 “Willow.”
- Conduct thorough assessments of your current cyber security posture.
- Identify any gaps and recommend effective remediation strategies.
- Assist with the implementation of necessary controls and processes.
- Prepare your organisation for the Cyber Essentials assessment, ensuring a smooth and successful certification process.
By partnering with Lanmark, organisations can streamline the certification process, minimise disruption to their operations, and strengthen their overall cyber security resilience.