
Willow: New Cyber Essentials Question Set Published by IASME and the NCSC

 

Willow, the new Cyber Essentials question set, was published on Monday (23rd Sept 2024) by IASME and the NCSC and will replace Montpellier in 2025. New versions of the supporting documents have also been released: Requirements for IT Infrastructure (v3.2) and Cyber Essentials Plus Test Specification (v3.2).

The new question set comes into effect on 28th April 2025.

 

Why are new versions released?

New versions of the Cyber Essentials question set are released to ensure that the certification remains relevant and effective in protecting organisations from evolving cyber threats. As technology landscapes change rapidly, so do the tactics used by cyber criminals. Keeping the question set up to date is crucial for maintaining the integrity and credibility of the Cyber Essentials certification, and it gives organisations confidence in their ability to defend against cyber attacks.

Another important consideration is that a certification standard based on controls must not leave grey areas in its question set. Updated versions allow IASME and the NCSC to clarify areas that have caused confusion, based on feedback from organisations, certification bodies and cyber advisors.

 

What are the differences between the Montpellier and Willow question sets?

Outlined below are some of the changes introduced in Willow:

  • Passwordless authentication is now listed as a supported option.
  • New definitions and links to further guidance added:
    • Throughout the document, IASME has now added links to further guidance on specific questions.
    • A new definition for ‘Vulnerability fixes’ has been added: vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
  • It is made clear that cloud services used by organisations can never be excluded from scope.
  • The new question set gives further clarity throughout: questions have been reworded, further details are asked for, more information is given in the guidance section, and systems that were accepted into scope but not mentioned in the documentation have been added. For example:
    • Question reworded: Have you reviewed your firewall rules in the last 12 months?
    • Virtual Desktop Infrastructure (VDI) servers included in a question.
    • Question reworded: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

Depending on the approach you take to achieve Cyber Essentials, whether working with a certification body or opting for the Cyber Essentials Pool, you might already be aware of a few of these from when your last questionnaire was marked. They are now clearly defined to minimise confusion between organisations, governing bodies and certification bodies.

 

The full list of changes can be found on the IASME website. Very soon, a member of the Data Connect team will be breaking down the amendments to the question set and the supporting documents, explaining exactly how they could affect your organisation. Please get in touch if you would like to find out more, or keep an eye on LinkedIn for new content!

 

Why work with Data Connect?

We are a Certification Body for both levels of Cyber Essentials, plus we’re proud to be a Cyber Essentials Cyber Advisor and Assured Service Provider by the NCSC. This means we have the necessary skill set to guide organisations throughout the whole certification process and implement the necessary security controls. It also verifies that we have a proven track record for high-quality customer service.
