Cyber Essential Question Set Update 2025
Some significant adjustments have been made to the Cyber Essentials self-assessment question set, due to come into effect on 28th April 2025. 'Willow' will replace the current Montpellier question set, bringing assessment changes that better reflect modern ways of working and newer forms of authentication, and aiming to provide greater clarity and guidance for businesses embarking on their CE certification journey.
Major Updates
Passwordless Authentication:
Cyber Essentials has long encouraged the use of multi-factor authentication (MFA) throughout the Montpellier question set, and looking forward to Willow, CE now accommodates passwordless authentication too.
Whilst passwordless authentication isn't necessarily safer than traditional authentication methods, it can take away from the user the responsibility of remembering long and complex passwords and, in some instances, remove the risk of users setting weak passwords or reusing the same password altogether. In the new Willow question set, passwordless authentication will now be an acceptable answer for securing your firewalls and routers. It should be noted, however, that passwordless systems often rely on a backup password to re-authenticate users who have lost access to their authentication method. Where this is the case, that backup password is still a password, so passwordless systems will still need brute-force protection as before.
Some common methods of passwordless authentication include biometrics, one-time codes, QR codes, physical devices like USB security keys, and push notifications.
Introduction of Remote Worker Question:
The inclusion and representation of remote work culture reflects the shift in employer attitudes towards flexible working over the 5 years since the global pandemic in 2020. However, this increase in remote work brings a range of new security considerations, as employees may be using untrusted networks or working in locations unsuitable for viewing, amending and handling sensitive data.
Security Update Management:
IASME have always been steadfast in their 14-day patching window for critical security updates. This can create logistical hurdles for larger organisations that manage a huge number of users and devices while trying to achieve the certification, but the Willow question set has new guidelines to accommodate vulnerabilities that are fixed by manual configuration only. This could ease the burden of patching for some organisations, particularly within the heavy industries. The new Willow question set clarifies that configuration changes or registry fixes must be applied where the OS or application vendor advises them as the solution to remediate a critical or high-severity vulnerability.
Network Equipment & Firewalls:
The new Willow question set gives greater clarification, confirming that firewalls and routers should be listed in the network equipment section (A2.8), with a requirement to confirm, in the notes section, that home and remote workers are using software firewalls as their boundary. Additionally, the wording surrounding firewalls has been altered to provide greater clarity around firewall management and regular review of firewall rules.
Minor Updates
Definitions:
Two new definitions have been added to the Willow question set requirements for infrastructure:
Software - the definition of software has been updated to change the term 'plugin' to 'extension'.
Vulnerability Fix - this term is now included in the definitions of the Willow requirements for infrastructure document. This is useful because the question set and marking scheme reference 'vulnerability fix' frequently, and as different vulnerabilities have different fixes, it is important that the definition reflects that.
Language:
The only other changes to the Cyber Essentials specifications are around language. IASME have changed all references to 'home working' to 'home and remote' working. While this is a minor change, it will clear any doubt around people working from shared spaces away from the office.
The Next Steps?
Any CE applications submitted on or after 28th April 2025 will need to use the new Willow question set when carrying out the application self-assessment. Any business considering a CE application after 28th April would do well to look over the new Willow question set now and begin identifying how well their organisation currently aligns with the new CE self-assessment requirements. Those completing a CE application before 28th April will still be applying with the current Montpellier question set; however, it is still worth considering the new changes, as future renewals will require the completion of another self-assessment, and that renewal application will use the Willow question set.
How Can PureCyber Help?
At PureCyber, we partner with you to enhance your cyber security and ensure compliance with Cyber Essentials standards. We offer:
Expert Guidance: Support throughout every step of the certification process.
Comprehensive Solutions: From basic to advanced security services, tailored to your needs.
Continuous Support: Ongoing monitoring and swift resolution of security issues.
Enhanced Trust and Compliance: Build credibility with clients and ensure regulatory adherence.
Cost-Effective Packages: Flexible pricing options for businesses of all sizes.
User-Friendly Process: Streamlined certification with minimal disruption to your operations.
Holistic Approach: Cyber security integrated with your overall business strategy.
Proven Track Record: A history of successful implementations across various industries.
Get in touch or book in a call for more information on Cyber Essentials, Cyber Essentials Plus, and how we can safeguard your business with our expert cyber security solutions.
Check out our recent Introduction to Cyber Essentials Webinar Recording on YouTube
Email: info@purecyber.com
Call: 0800 368 9397