A summary of the Willow Question Set for Cyber Essentials

On the 28^th April 2025, changes were introduced to the Cyber Essentials question set. Titled Willow, the new question set replaces the Montpellier question set from 2023.

There are several key updates in the Willow question set which have been designed to reflect modern work practices and enhance protection for businesses.

Here’s a brief run-down of what to expect in the new question set.

The changing threat landscape and Cyber Essentials

As you know, the cyber threat landscape is continually changing, so what may have worked two years ago may need adapting. By evolving defences organisations can continue to stay ahead of threats, which is why the IASME and the National Cyber Security Centre (NCSC) have made some amendments to the question set.

Willow has been introduced to ensure that Cyber Essentials certification remains effective in addressing today’s cyber threats and modern working practices. By refining the questions and improving guidance, the Willow set aims to make the certification process clearer, more relevant, and better aligned with real-world security needs.

The key updates in the Willow Question Set:

• What’s in scope: Clearer guidelines have been provided to what has to be included in the scope of the assessment. All devices that access organisational data or services (including via the cloud) are in scope.
• Updated firewall and router requirements: Moving forward, under the network equipment section, all firewalls and routers must be listed. In addition to this, home and remote routers must use software firewalls, and the language used in regard to firewall management has also been updated. These changes have been included to encourage businesses to review firewall rules regularly.
• Stronger password and authentication policies: There is a stronger focus on using robust and secure password settings to protect systems. The updated requirements now allow the use of passwordless authentication methods particularly for devices like routers and firewalls as long as they are properly secured.
• For passwordless systems, you may still need brute-force protection if they use backup passwords.
• Vulnerability fixes: Patching terminology has been replaced with ‘vulnerability fixes’ to more accurately capture the range of actions that are needed to address security risks. This includes not just applying software updates but also making configuration or registry changes to correct serious issues, especially those rated high-risk with a CVSS score of 7 or above.
• Language changes: Some terminology within the assessment has been updated. The word ‘plugin’ has been updated to ‘extension’ and the term ‘home working’ has been amended to ‘home and remote working’ to reflect more flexible work environments.

Cyber Essentials Plus updates:

There have also been some key updates to the Cyber Essentials Plus certification process that you need to be aware of. Test 2, Internal Vulnerability Assessment and Test 4, multi-factor authentication for cloud services have both had changes which we’ve set out below:

Test 2 – Internal vulnerability assessment

• The sample of random devices chosen by the assessor will be shared with the applicant no more than three working days before the audit begins.
• The selection of specific devices for both vulnerability scanning and user testing is now decided by the assessor.
• ‘Configurational changes’ as failure connections will now be included in internal vulnerability scans. Unquoted Windows File Paths or Registry Key issues are now deemed as conditions for failure.

Test 4 – Multi-Factor Authentication for cloud services

Not all cloud platforms will be tested as part of the audit. Only the cloud services that the randomly selected users or devices have access to will be assessed. If a cloud service isn’t used by the selected accounts or machines, it will not be included in the testing.

What’s the impact of the Willow question set for Cyber Essentials?

The aim of these updates is to simplify the Cyber Essentials certification process while making it more relevant and current to modern security needs. The updated approach is designed to give clearer expectations and stronger deference’s against today’s threats.

For MSPs and IT service providers, by understanding the new requirements, you can better support your clients, and it should help reduce the amount of hands-on support clients require during the certification process.

CyberSmart

At Brigantia, we’re partnered with CyberSmart, a solution designed to make the process of achieving cybersecurity certifications like Cyber Essentials simple.

If you would like to find out more about CyberSmart and how it can support your clients to achieve Cyber Essentials certification, get in touch with our team to book a demo.