Spring is on the horizon and, in the cybersecurity world, that often means only one thing: changes to the Cyber Essentials question set. Titled Willow, a new question set is due to go live on 28th April 2025, replacing 2023’s Montpellier question set.
The Willow Question Set introduces several key updates to enhance organisations’ protection and reflect modern work practices. Here’s everything you need to know.
Why is the change happening?
As cyber threats continue to evolve, so too must our defences. In recognition of this, IASME and the National Cyber Security Centre (NCSC) have made some subtle tweaks to the question set.
It’s best to think of these changes as a natural evolution of Cyber Essentials to account for new forms of authentication and changing working practices. Plus, they should help make the assessment process smoother by providing better guidance for anyone completing the certification.
What are the key updates in the Willow Question Set?
Scope clarification
The new question set provides clearer guidelines on what must be included in the scope of the assessment. For example, the scope includes any device accessing organisational data or services, even if it connects to cloud services rather than internal systems.
Firewall management
Under the Willow Question Set, all firewalls and routers must be listed in the network equipment section. There’s also a requirement for home and remote routers to use software firewalls.
The language around firewall management has also been updated in an attempt to drive businesses to review their firewall rules regularly.
Password management
Willow updates existing password policy best practices by emphasising the need for secure configurations. It also introduces passwordless authentication as an acceptable method for securing firewalls and routers. However, passwordless systems may still require brute-force protection methods (such as randomly generated passwords using letters, symbols and so on) if they use backup passwords.
Vulnerability fixes
The terminology for patching throughout the assessment has been changed to “vulnerability fixes.” This is to better reflect the importance of patching and includes configuration or registry changes for vulnerabilities with a CVSS score of 7 or higher, or those classified as high or critical risk.
Definitions and language
There are a few minor changes to the language within the question set. For example, updating the term “plugin” to “extension” and changing references from “home working” to “home and remote working.”
Impact on your business
The impact of these changes on your business should be positive. The Willow Question Set provides better guidance and clarity for anyone undergoing Cyber Essentials Certification. Not only will it make the assessment process easier, but it’ll also better equip your business to meet modern cyber threats.
However, it’s well worth familiarising yourself with the new requirements before your next renewal.
Managed service providers
The same is true if you’re an organisation providing Cyber Essentials for businesses. Your customers should be able to get through the assessment with less support and finish it better protected to boot.
Again, it’s definitely worth getting to grips with the new requirements so you can offer support to customers where they need it.
If you have any questions about the changes or want to know more about what they mean for your business, please get in touch. We’ll be happy to walk you through it.