Cyber Essentials update - new Willow question set

The Cyber Essentials scheme is due for significant updates with the introduction of the "Willow" question set. These changes aim to align the certification with evolving cyber threats and modern working practices. 

When are the changes happening? 

The new "Willow" question set will be implemented on April 28, 2025. From this date forward, all Cyber Essentials assessments will use this updated framework, replacing the previous "Montpellier" question set, which was introduced in 2023. 

Why are these changes being implemented?

As the cybersecurity landscape evolves, new threats and vulnerabilities emerge regularly. To maintain its effectiveness, the Cyber Essentials scheme undergoes periodic revisions. The upcoming changes aim to:​ 

Address modern authentication methods: Recognise and incorporate passwordless authentication technologies to enhance security measures. ​

Reflect contemporary working practices: Acknowledge the prevalence of remote working environments and the associated security considerations. ​

Broaden vulnerability management: Expand the definition and scope of vulnerability fixes beyond traditional patches and updates. ​   operational technology (OT) systems, such as building management and power control systems, have not been as well-protected as IT environments. 

What are the key changes?

Passwordless authentication

The updated requirements formally recognise passwordless authentication methods as valid security measures. These methods include: 

• Biometric authentication: Utilising fingerprints, facial recognition, or other biological traits.​  

• Security keys or tokens: Employing physical devices like USB security keys or smart cards.​  

• One-time codes: Using temporary codes sent via SMS, email, or authenticator apps.​  

• Push notifications: Approving login attempts through prompts on a smartphone.​  

This shift aims to reduce reliance on traditional passwords, which are often susceptible to attacks, and enhance overall security.  

Terminology updates

• "Plugins" to "extensions": The term "plugins" will be replaced with "extensions" to align with current software terminology. ​  

• "Home working" to "home and remote working": This change acknowledges that employees may work from various untrusted environments, such as cafés, hotels, and other public spaces, beyond just the home.   

Vulnerability fixes

The term "patches and updates" will be replaced with "vulnerability fixes," encompassing a broader range of remediation methods, including: 

• Registry fixes​ 

• Configuration changes​ 

• Scripts or other vendor-approved mechanisms​ 

This broader definition ensures a more comprehensive approach to securing systems beyond installing vendor updates.  

Cyber Essentials Plus test specification updates

For organisations pursuing Cyber Essentials Plus certification, the following updates have been made: 

• Document renaming: The word "illustrative" has been removed from the title of the Cyber Essentials Plus Test Specification document, simplifying its name while retaining its purpose. 

• Scope verification: Assessors must verify that the assessment scope matches the self-assessment scope and that any sub-sets have been correctly segregated.  

• Sampling verification: Assessors are required to confirm that the number of sampled devices aligns with IASME guidelines, ensuring thorough testing across all critical systems. 

How we can help

After April 28, 2025, organisations seeking Cyber Essentials certification must align their cybersecurity practices with the new "Willow" question set. Our experts can help you prepare for these changes, working with you to implement recognised passwordless authentication methods should this be of interest, and adopt a comprehensive approach to vulnerability management.  

For those pursuing Cyber Essentials Plus certification, we can help you meet additional scope and sampling verification requirements.  

By proactively addressing these updates, you can maintain robust cybersecurity defences and ensure compliance with the evolving Cyber Essentials standards. Get in touch with our team at hello@oryxalign.com.