Everything you need to know about the upcoming Willow Question Set for Cyber Essentials


Spring is on the horizon and, in the cybersecurity world, that often means only one thing: changes to the Cyber Essentials question set. Titled Willow, a new question set is due to go live on 28th April 2025, replacing 2023’s Montpellier question set.

The Willow Question Set introduces several key updates to enhance organisations’ protection and reflect modern work practices. Here’s everything you need to know. 

Why is the change happening? 

As cyber threats continue to evolve, so too must our defences. In recognition of this, IASME and the National Cyber Security Centre (NCSC) have made some subtle tweaks to the question set. 

It’s best to think of these changes as a natural evolution of Cyber Essentials to account for new forms of authentication and changing working practices. Plus, they should help make the assessment process smoother by providing better guidance for anyone completing the certification.

What are the key updates in the Willow Question Set?

Scope clarification

The new question set provides clearer guidelines on what must be included in the scope of the assessment. For example, this includes any device accessing organisational data or services, even if they connect to cloud services rather than internal systems. 

Firewall management

Under the Willow Question Set, all firewalls and routers must be listed in the network equipment section. There’s also a requirement for home and remote routers to use software firewalls.

The language around firewall management has also been updated in an attempt to drive businesses to review their firewall rules regularly.

Password management

Willow updates existing password policy best practices by emphasising the need for secure configurations. It also introduces passwordless authentication as an acceptable method for securing firewalls and routers. However, where a passwordless system falls back to a backup password, that password still needs brute-force protection, such as a randomly generated password made up of letters and symbols.

Vulnerability fixes

The terminology for patching throughout the assessment has been changed to “vulnerability fixes”. This is to better reflect the importance of patching and includes configuration or registry changes for vulnerabilities with a CVSS score of 7 or higher, or those classified as high or critical risk.

Definitions and language

There are a few minor changes to the language within the question set. For example, updating the term "plugin" to "extension" and changing references from "home working" to "home and remote working".

What about Cyber Essentials Plus?

As well as being subject to a new question set, there are some key changes to the Cyber Essentials Plus certification process to be aware of. Assessment tests 1 (Remote Vulnerability), 3 (Malware Protection) and 5 (Account Separation) remain the same. However, there have been some tweaks to tests 2 and 4.

Test 2 – Internal Vulnerability Assessment

The sampling process for the Internal Vulnerability assessment has changed substantially:

  1. Auditors must conduct sampling immediately before the audit. In previous years, the sample was drawn from the self-assessment report.
  2. Assessors validate the way sampling is conducted. This means an assessor will need to see the methods used to determine the number of devices in scope for the assessment.
  3. The assessor or certification body will hold and store sampling evidence for the one-year duration of the certificate. IASME can also request this information at any time.
  4. The specific devices included in the assessment, including the vulnerability scanning and end user tests, will now be determined by the assessor.
  5. The random sample of devices picked by the assessor will be sent to the applicant no more than 3 working days in advance.
  6. Internal vulnerability scans will now include "configurational changes" as failure conditions. In the past, high severity vulnerabilities like Unquoted Windows File Path, or Registry Key issues weren't considered conditions for failure – they are now.
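As an added illustration (not code from IASME, the NCSC or this article), the following applies the Willow fix threshold described above to a constructed scanner export, treating configuration and registry findings exactly like missing patches. The export format, device names and finding names are all assumptions made for the example:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed scanner export (not real scan output); the format is an assumption:
# finding name | CVSS base score or "n/a" | vendor severity | type (patch/config)
SAMPLE_FINDINGS = """\
OpenSSL outdated on laptop-07 | 7.5 | High | patch
Unquoted Windows service path on laptop-03 | n/a | High | config
Registry key allows anonymous SMB enumeration on desk-12 | 5.3 | Medium | config
Browser extension outdated on laptop-07 | 6.1 | Medium | patch
Kernel privilege escalation on srv-01 | 9.8 | Critical | patch
"""


@dataclass(frozen=True)
class Finding:
    name: str
    cvss: Optional[float]   # None when the scanner gives no CVSS score
    severity: str           # vendor rating, lower-cased
    kind: str               # "patch" or "config"


def parse_findings(text: str) -> List[Finding]:
    """Parse the pipe-separated export into Finding records."""
    findings = []
    for line in text.strip().splitlines():
        name, score, severity, kind = [part.strip() for part in line.split("|")]
        cvss = None if score.lower() == "n/a" else float(score)
        findings.append(Finding(name, cvss, severity.lower(), kind))
    return findings


def requires_fix(finding: Finding) -> bool:
    """Willow threshold: CVSS 7.0 or higher, OR vendor rating high/critical.

    The finding type is deliberately not consulted: under Willow a configuration
    or registry finding that meets the threshold is a failure condition, just
    like a missing patch.
    """
    meets_cvss = finding.cvss is not None and finding.cvss >= 7.0
    return meets_cvss or finding.severity in {"high", "critical"}


def triage(text: str) -> Dict[str, List[str]]:
    """Split an export into findings that must be fixed and those below threshold."""
    findings = parse_findings(text)
    return {
        "must_fix": [f.name for f in findings if requires_fix(f)],
        "below_threshold": [f.name for f in findings if not requires_fix(f)],
    }
```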

Test 4 – Multi-factor Authentication for Cloud Services

Rather than testing all cloud services, as in previous years, a sample is taken instead.

Only cloud services that are accessible by users or devices included in the random sample are tested. If none of the sampled users can access a specific cloud service, then that service is not tested.

Impact on your business

The impact of these changes on your business should be positive. The Willow Question Set provides better guidance and clarity for anyone undergoing Cyber Essentials Certification. Not only will it make the assessment processes easier, but it’ll also better equip your business to meet modern cyber threats. 

However, it’s well worth familiarising yourself with the new requirements before your next renewal.

Managed service providers

The same is true if you’re an organisation providing Cyber Essentials for businesses. Your customers should be able to get through the assessment with less support and finish it better protected to boot.

Again, it’s definitely worth getting to grips with the new requirements so you can offer support to customers where they need it.

If you have any questions about the changes or want to know more about what they mean for your business, please get in touch. We’ll be happy to walk you through it.
