
24 Apr The new “Willow” update to Cyber Essentials
The Cyber Essentials scheme, backed by the UK’s National Cyber Security Centre (NCSC), has long served as a key baseline for cybersecurity best practices among UK organisations. As of April 2025, the latest update—called the Willow version—introduces a number of important changes aimed at modernising the standard and addressing evolving threats and technologies.
In this blog, we’ll walk you through what’s changed and what it means for organisations seeking new certifications or renewals.
Password-less Authentication Now Recognised
One of the most forward-looking changes in the Willow update is the official recognition of password-less authentication. Organisations can now adopt methods such as biometrics, FIDO2 keys, or other cryptographic login mechanisms as compliant alternatives to traditional passwords—helping reduce the risk of credential-based attacks.
New Definitions and Enhanced Guidance
The updated standard includes clearer definitions and expanded support throughout the questionnaire.
- New definition for “Vulnerability fixes”: This now explicitly includes not only patches and updates but also configuration changes, registry fixes, scripts, or any vendor-approved method of resolving known vulnerabilities.
- Links to additional guidance: Throughout the standard, IASME has embedded direct links to official guidance, helping applicants better understand what is required for compliance.
This improvement is aimed at reducing ambiguity and making the self-assessment process more user-friendly.
To mirror this, we have provided some links to key information sources below:
Download the Willow Cyber Essentials Question Set (PDF)
Download the Willow Cyber Essentials Question Set (Excel)
Download the latest NCSC Requirements for Infrastructure (Version 3.2)
Download the Willow Cyber Essentials Test Specification
Cloud Services Are Always in Scope
A major clarification in the Willow version is that cloud services can never be excluded from scope. This means all Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS) used by the organisation must be considered as part of your Cyber Essentials assessment.
This change reinforces the idea that your security posture is only as strong as your weakest link—including your cloud providers.
Updated and Reworded Question Set
Many of the assessment questions have been revised for clarity, and some now include additional requirements:
- Reworded for clarity:
  - “Have you reviewed your firewall rules in the last 12 months?”
  - “Are all high-risk or critical security updates and vulnerability fixes for operating systems, routers, and firewall firmware installed within 14 days of release?”
- New inclusions:
  - Specific technologies such as Virtual Desktop Infrastructure (VDI) servers are now directly referenced in relevant questions.
- Expanded detail in guidance:
  - Each question now includes more thorough explanations of what’s expected, helping ensure that applicants correctly interpret and meet each requirement.
What about Cyber Essentials Plus?
What This Means for You
Whether you’re a new applicant or looking to renew your certification, the Willow version represents a meaningful shift in how Cyber Essentials is applied and understood:
- More alignment with modern infrastructure (especially cloud and remote environments)
- Increased clarity and transparency throughout the assessment process
- Stronger encouragement for secure-by-default practices, such as password-less logins and timely patching
How Can We Help?
At InfoShelter, we’re here to make your transition to the new Willow version of Cyber Essentials as smooth and stress-free as possible. Whether you’re applying for the first time or renewing your certification, our team of cybersecurity experts can guide you through every stage — from initial gap assessments and policy reviews to technical remediation and pre-audit checks. We ensure your systems, cloud services, and documentation meet the latest requirements, including those for Cyber Essentials Plus.
With InfoShelter by your side, you’ll be fully prepared, fully compliant, and fully confident on your path to certification.
Contact us using the form on this page to enquire about our certification services.