
In May 2025, this blog was updated to reflect the changes now in effect, plus further insights have been added.

Willow: New Cyber Essentials Question Set Published by IASME and the NCSC

 

Willow, the new Cyber Essentials question set, was announced on Monday (23rd Sept 2024) by IASME and the NCSC, replacing the Montpellier question set. New versions of the supporting documents were released alongside it: Requirements for IT Infrastructure (v3.2) and Cyber Essentials Plus Test Specification (v3.2).

The new Willow question set went live on the 28th April 2025. 

 

Why are new versions released?

New versions of the Cyber Essentials question set are released to ensure that the certification remains relevant and effective in protecting organisations from evolving cyber threats. As technology landscapes change rapidly, so do the tactics used by cyber criminals. This ongoing evolution is crucial for maintaining the integrity and credibility of the Cyber Essentials certification, providing organisations with confidence in their ability to fight against cyber attacks.

Another important consideration is that with a certification standard based on controls, there mustn’t be grey areas within the question set. Updated versions allow IASME and the NCSC to give clarity on areas that cause confusion based on the feedback from organisations, certification bodies and cyber advisors.

 

What are the differences between the Montpellier and Willow question sets?

Outlined below are some of the changes new to Willow:

  • Password-less authentication is now listed as a supported option.
  • New definitions and links to further guidance added:
    • Throughout the document, IASME has now added links to further guidance on specific questions.
    • A new definition for ‘Vulnerability fixes’ has been added – Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
  • It is made clear that Cloud Services used by organisations can never be excluded from scope.
  • The new question set gives further clarity throughout: questions have been reworded, further details are asked for, more information is given in the guidance section, and systems that were accepted into scope but not mentioned in the documentation have been added. For example:
    • Question reworded: Have you reviewed your firewall rules in the last 12 months?
    • Virtual Desktop Infrastructure (VDI) servers included in a question.
    • Question reworded: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

Depending on the approach you take to achieve Cyber Essentials, working with a certification body or opting for the Cyber Essentials Pool, you might be aware of a few of these from when your last questionnaire was marked. However, now they are clearly defined to minimise confusion between organisations, governing bodies and certification bodies.

 

Further Cyber Essentials Question Set Revisions

Since the 23rd Sept 2024 announcement, IASME released further revisions, which went into effect on the same date, making version 15.1 the latest version of the Willow question set. Examples of the new revisions: question A7.4 now clarifies that the privileges are access related, and information on Extended Security Update schemes has been added to some questions. Note that if this guidance applies to your organisation, you need to explicitly state that you have this version.

 

One of Data Connect’s experienced Cyber Essentials Assessors created a short 10-minute video that breaks down everything you need to know about the changes. They’ve broken down the amendments to the question set and the supporting documents, explaining exactly how they could affect your organisation. Plus, they’ve shared some valuable certification tips to help you.

If you’ve been considering getting Cyber Essentials or if your renewal is coming up, make sure you’re not caught out by these changes.

WATCH NOW – breakdown of the changes to Cyber Essentials Question Set

 

Why work with Data Connect?

We are a certification body for both levels of Cyber Essentials, plus we’re proud to be a Cyber Essentials Cyber Advisor and Assured Service Provider by the NCSC. This means we have the necessary skill set to guide organisations throughout the whole certification process and implement the necessary security controls. It also verifies that we have a proven track record for high quality customer service.

Find out more about Cyber Essentials.

 
