Cyber Essentials & CE Plus: Important Changes for 2025 You Need to Know

Whether you’re already Cyber Essentials certified or currently working towards it, it’s important to stay on top of the latest changes from the National Cyber Security Centre (NCSC) and IASME, the certification body. As of 28th April 2025, several updates have been made that will impact both Cyber Essentials (CE) and Cyber Essentials Plus (CE+) applicants.

Here’s a breakdown of what’s changed and what you need to do next.

What are the key changes in the Willow questionnaire?

“Willow” is the new name of the service or self-assessment tool for Cyber Essentials, replacing the previous assessment known as “Montpellier”.

1. Scope

  • Clearer guidelines on what must be included in the scope of the assessment.
  • Includes any devices accessing organisational data or services, even if they connect to cloud services rather than internal systems.


2. Firewall Management

  • Devices used in home networks must now enforce the same level of control as corporate devices (firewalls, patching, user access).
  • All firewalls and routers must be listed in the network equipment sections, including home routers for home workers.


3. Password Management

  • Introduces password-less authentication as an acceptable method for securing firewalls and routers.
  • Note that password-less systems may still require brute-force protection methods – such as a randomly generated password – if they use backup passwords.


4. Vulnerability Fixes

  • The terminology for patching has been changed to “vulnerability fixes.”
  • The fixes now include configuration or registry changes for vulnerabilities with a CVSS score of 7 or higher.


Changes Specific to Cyber Essentials Plus

CE+ assessments have also been updated to reflect modern risks and evolving compliance expectations.

Assessment tests 1 (Remote Vulnerability), 3 (Malware Protection) and 5 (Account Separation) remain the same. However, there have been some changes to tests 2 and 4.

Test 2 – Internal Vulnerability Assessment

  • Auditors will now conduct sampling immediately before the audit. Previously the sample was drawn from the self-assessment report.
  • Assessors will validate the way sampling is conducted – this means the assessor will need to see the methods used to determine the number of devices in scope for the assessment.
  • The assessor (certification body) will hold and store sampling evidence for the one-year duration of the certificate.
  • The specific devices included in the assessment, including the vulnerability scanning and end user tests, will now be determined by the assessor.
  • The random sample of devices picked by the assessor will be sent to the applicant no more than 3 working days in advance.
  • Internal vulnerability scans now include configuration or registry changes for vulnerabilities with a CVSS score of 7 or higher.

Test 4 – Multi-Factor Authentication for Cloud Services

  • A sample of cloud services is checked rather than all cloud services.
  • Only cloud services that are accessible by users or devices for testing will be tested. If the user is unable to access a specific cloud service, then that service will not be tested.


Timeline for Compliance:

These changes are effective from 28th April 2025.
If your certification renewal is due after this date, your assessment will be evaluated against the new criteria.
If you’re mid-way through an application, we will guide you based on your submission date.

We can help you prepare:

  1. Review your current scope – make sure it includes all in-scope devices and cloud services.
  2. Enforce strong MFA – and test it across all user and admin accounts.
  3. Patch regularly – use tools to manage and monitor software updates.
  4. Audit mobile devices – ensure company policy applies to smartphones and tablets.
  5. Check firewall settings – and change default credentials on all network devices.

We understand these updates can feel overwhelming, especially for smaller teams. So please get in touch if you’d like us to review your current setup or prepare for the upcoming changes.
