
In April 2025, this blog was updated to add further context to the upcoming changes. 

Willow: New Cyber Essentials Question Set Published by IASME and the NCSC

 

Willow, the new Cyber Essentials question set that will replace Montpellier in 2025, was published by IASME and the NCSC on Monday (23rd Sept 2024). New versions of the supporting documents have also been released: Requirements for IT Infrastructure (v3.2) and Cyber Essentials Plus Test Specification (v3.2).

The new question set goes live this month, on the 28th April 2025.

 

Why are new versions released?

New versions of the Cyber Essentials question set are released to ensure that the certification remains relevant and effective in protecting organisations from evolving cyber threats. As technology landscapes change rapidly, so do the tactics used by cyber criminals. This ongoing evolution is crucial for maintaining the integrity and credibility of the Cyber Essentials certification, providing organisations with confidence in their ability to fight against cyber attacks.

Another important consideration is that with a certification standard based on controls, there mustn’t be grey areas within the question set. Updated versions allow IASME and the NCSC to give clarity on areas that cause confusion based on the feedback from organisations, certification bodies and cyber advisors.

 

Differences between the Montpellier and Willow Question Sets

Outlined below are some of the changes new to Willow:

  • Password-less authentication is now listed as a supported option.
  • New definitions and links to further guidance added:
    • Throughout the document, IASME has now added links to further guidance on specific questions.
    • A new definition for ‘Vulnerability fixes’ has been added – Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
  • It is made clear that Cloud Services used by organisations can never be excluded from scope.
  • The new question set gives further clarity throughout: questions have been reworded, further details are asked for, more information is given in the guidance section, and systems that were accepted into scope but not mentioned in the documentation have been added. For example:
    • Question reworded: Have you reviewed your firewall rules in the last 12 months?
    • Virtual Desktop Infrastructure (VDI) servers included in a question.
    • Question reworded: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

Depending on the approach you take to achieve Cyber Essentials, working with a certification body or opting for the Cyber Essentials Pool, you might be aware of a few of these from when your last questionnaire was marked. However, now they are clearly defined to minimise confusion between organisations, governing bodies and certification bodies.

 

Further Cyber Essentials Question Set Revisions

Since the 23rd Sept 2024 announcement, IASME has released further revisions which take effect on the same date, making the latest version 15.1 of the Willow question set. Some examples of the new revisions: the A7.4 question now clarifies that the privileges are access related, and information on Extended Security Update schemes has been added to some questions. To note, if this guidance applies to your organisation, you need to explicitly state that you have this version.

 

One of Data Connect’s experienced Cyber Essentials Assessors has created a short 10-minute video that breaks down everything you need to know about the upcoming changes. It covers the amendments to the question set and the supporting documents, explaining exactly how they could affect your organisation, and shares some valuable certification tips to help you.

If you’ve been considering getting Cyber Essentials or if your renewal is coming up, make sure you’re not caught out by these changes.
 


 

Why work with Data Connect?

We are a Certification Body for both levels of Cyber Essentials, plus we’re proud to be a Cyber Essentials Cyber Advisor and Assured Service Provider by the NCSC. This means we have the necessary skill set to guide organisations throughout the whole certification process and implement the necessary security controls. It also verifies that we have a proven track record for high quality customer service.

Find out more about Cyber Essentials.

 
