Cyber Essentials 2025: Navigating the Willow Question Set
29 April
As of April 28, 2025, the Cyber Essentials certification introduces the “Willow” question set, replacing the previous Montpellier version. This update, developed by the National Cyber Security Centre (NCSC) and IASME, aims to address evolving cyber threats and modern work practices.β
π Key Changes in the Willow Question Set
1. Expanded Scope for Remote Workers
The term “home working” has been updated to “home and remote working” to encompass modern work environments, including untrusted networks like cafes and hotels. Organisations must now account for all employees connecting from various locations, ensuring robust security measures for all remote connections. β
2. Enhanced Network Equipment Listings
Applicants are now required to list only relevant network equipment, specifically firewalls and routers, including their make and model. This change aims to prevent the unnecessary inclusion of devices such as hubs and switches, streamlining the assessment process. β
3. Acceptance of Passwordless Authentication
The Willow question set now accepts passwordless authentication methods, provided they adhere to recognised standards. Acceptable methods include biometric authentication, security keys or tokens, one-time codes, and push notifications. This change accommodates modern authentication technologies, reducing the reliance on traditional passwords. β
4. Clarification on Vulnerability Fixes
The terminology has shifted from “patching” to “vulnerability fixes,” encompassing configuration changes or registry fixes, as advised by vendors, to mitigate high-risk vulnerabilities. This broader definition ensures that all necessary measures are taken to address critical security issues. β
5. Inclusion of Cloud Services in Scope
The Willow question set mandates that all cloud services used by organisations, regardless of type (IaaS, PaaS, or SaaS), must be included in the scope of assessment. This change reflects the growing reliance on cloud infrastructure and ensures comprehensive security coverage. β
π‘οΈ Implications for Your Business
The introduction of the Willow question set necessitates a thorough review of your organisation’s cybersecurity practices. Key areas to focus on include:β
-
Remote Work Security: Implement robust security measures for employees working from various locations, ensuring secure connections to organisational data and services.β
-
Network Equipment Inventory: Maintain an accurate inventory of relevant network equipment, including firewalls and routers, to streamline the assessment process.β
-
Authentication Methods: Adopt modern authentication technologies, such as passwordless methods, to enhance security and reduce reliance on traditional passwords.β
-
Vulnerability Management: Ensure timely application of vulnerability fixes, including configuration changes and registry fixes, to address high-risk vulnerabilities.β
-
Cloud Service Security: Include all cloud services in the scope of assessment, ensuring comprehensive security coverage across all platforms.β
β Next Steps
Organisations seeking Cyber Essentials certification after April 28, 2025, must adhere to the Willow question set. To prepare:β
-
Review the Willow Question Set: Familiarise yourself with the updated requirements to understand the changes and their implications.
-
Conduct a Self-Assessment: Evaluate your organisation’s current cybersecurity practices against the new requirements to identify areas for improvement.β
-
Implement Necessary Changes: Make the necessary adjustments to your cybersecurity practices to align with the Willow question set.β
-
Seek Expert Guidance: Consider consulting with cybersecurity professionals to ensure compliance and enhance your organisation’s security posture.β
By proactively addressing these areas, your organisation can navigate the transition to the Willow question set and bolster its cybersecurity defenses.
If you are considering Cyber essentials compliance, contact us!