Cyber Essentials 2025 Update: Everything You Need to Know

The new ‘Willow’ question set has been live for all Cyber Essentials certifications since 28th April 2025, replacing 2023’s ‘Montpellier’ criteria.
There have also been additional changes this year specific to the Cyber Essentials Plus audit, which we have detailed below.
If your organisation is working towards Cyber Essentials certification, here’s everything you need to know about what’s changing and why it matters.
Why Are the Changes Happening?
Cyber threats are constantly evolving, and the Cyber Essentials framework needs to keep pace. The new Willow question set, developed by IASME and the National Cyber Security Centre (NCSC), introduces a series of refinements designed to reflect today’s working environments and technologies.
These updates are more of an evolution than a revolution. They aim to make the assessment process clearer, more aligned with modern practices, and ultimately more effective in strengthening cyber resilience.
Key Changes in the Willow Question Set:
🔍 Scope Clarity
Organisations are now given clearer direction on what must fall within the scope of the assessment. Devices accessing organisational data or services, whether through internal networks or cloud platforms, must be included.
🔐 Firewall Requirements
All firewalls and routers must now be documented in the network equipment section. Importantly, remote and home-working routers must use software firewalls, and the guidance encourages more regular reviews of firewall configurations.
🗝️ Password Policies & Authentication
The guidance on passwords has been refreshed to reflect best practices. Passwordless authentication is now recognised as a valid method for protecting firewalls and routers. However, where passwordless systems fall back on passwords, brute-force protections (e.g. complex, randomised passwords) are still required.
⚙️ Patch Management Becomes ‘Vulnerability Fixes’
The terminology has shifted to better emphasise the importance of timely updates. Any vulnerability rated CVSS 7.0 or above, or otherwise considered high or critical risk, must be addressed, whether through patching, registry tweaks, or configuration changes.
✍️ Updated Language and Terminology
Minor wording changes aim to improve clarity. For instance, using “extensions” instead of “plugins,” and referring to “home and remote working” rather than just “home working.”
How is Cyber Essentials Plus Changing?
While the core question set affects both levels of certification, Cyber Essentials Plus has some additional process changes, particularly in Tests 2 and 4:
Test 2: Internal Vulnerability Assessment
Device sampling must now occur immediately before the audit, rather than using data from the self-assessment.
Auditors will review and store evidence of the sampling methodology.
The assessment will now be based on a random sample of devices chosen by the assessor and shared no more than 3 working days before the test.
High-risk configuration issues, such as unquoted file paths or registry key misconfigurations, now count as assessment failures.
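The unquoted file path issue mentioned above is one of the configuration findings an internal vulnerability assessment will typically flag on Windows devices: a service whose ImagePath contains spaces but is not wrapped in quotes. The following is an added example (not code from the page, IASME or NCSC) showing how to pre-check exported service ImagePath values for this condition before an audit. The sample ImagePath values are constructed for illustration, and the exclusion of nothing (every unquoted path with a space is reported) is a deliberate conservative choice; in practice you would feed it the output of a registry or service export from your own estate.

```python
import re

# Constructed sample of service ImagePath values, keyed by a made-up service name.
# These are illustrative only and are not taken from any real system or from the page.
SAMPLE_IMAGE_PATHS = {
    "GoodQuoted": '"C:\\Program Files\\Vendor App\\service.exe" -run',
    "GoodNoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Legacy Tool\agent.exe",
    "BadUnquotedArgs": r"C:\Program Files (x86)\Other Vendor\updater.exe /service",
    "DevicePrefix": r"\??\C:\Program Files\Driver Co\helper.exe",
    "SystemRootGood": r"\SystemRoot\System32\drivers\foo.sys",
}

# Match everything up to and including the first binary extension, so trailing
# command-line arguments are not mistaken for part of the path.
_BINARY_RE = re.compile(r"^(.*?\.(?:exe|sys|dll)\b)", re.IGNORECASE)


def executable_portion(image_path):
    """Return the path up to the binary name, stripping an NT device prefix if present."""
    path = image_path.strip()
    if path.startswith("\\??\\"):
        path = path[4:]
    match = _BINARY_RE.match(path)
    # Fall back to the first whitespace-delimited token if no known extension is found.
    return match.group(1) if match else path.split(" ")[0]


def is_unquoted_with_spaces(image_path):
    """True when the path is not quoted and the executable portion contains a space."""
    path = image_path.strip()
    if path.startswith('"'):
        return False  # Quoted paths are interpreted unambiguously by the service manager.
    return " " in executable_portion(path)


def find_unquoted_service_paths(image_paths):
    """Return the sorted names of services whose ImagePath would be reported as a finding."""
    return sorted(name for name, path in image_paths.items() if is_unquoted_with_spaces(path))


if __name__ == "__main__":
    for service in find_unquoted_service_paths(SAMPLE_IMAGE_PATHS):
        print(f"Unquoted service path with spaces: {service} -> {SAMPLE_IMAGE_PATHS[service]}")
```

Remediation is to add the quotes around the executable path in the ImagePath value for each reported service, then re-run the check to confirm nothing remains before the assessor's sampling takes place.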
Test 4: Multi-Factor Authentication for Cloud Services
Not all cloud services will be tested, only those accessible by devices or users in the scope.
If a cloud service isn’t accessible to anyone in the sample, it won’t be tested.
What Does This Mean for Your Organisation?
Overall, these changes should make it easier for your organisation to understand the Cyber Essentials requirements and achieve compliance more smoothly. The increased clarity and alignment with current technology trends can help you reduce risk, while streamlining the certification process.
If your Cyber Essentials renewal is coming up, we recommend familiarising yourself with the Willow updates early to make sure you’re not caught out.
For the simplest way to get certified, we’re here to make things easier for you. The CyberSmart platform from E-ZU Solutions Ltd is an automated solution that helps organisations eliminate the headaches and frustrations that can often arise whilst trying to achieve certification. Head to our CyberSmart Platform page to find out more, and you can even see the dashboard for yourself with our Instant Interactive Demo. Please feel free to reach out to us if you have any questions about preparing for Cyber Essentials or protecting your business-critical data – Email: [email protected] or Call: 01260 715 021.