Cyber Essentials – What’s Changed in the Latest Willow Question Set?


Recently, IASME has introduced their latest Willow question set for the NCSC Cyber Essentials Self-Assessment Certification, which will replace the current (Montpelier) questions on the 28th April, 2025. The updates in Willow reflect evolving cybersecurity needs, incorporating more detailed and specific questions to help organisations better protect themselves from cyber threats. Here are some key changes that you can expect in the Willow question set if you’re renewing your Cyber Essentials certification or certifying for the first time from 28th April next year:

Scope Clarification

The latest Willow question set for Cyber Essentials introduces clearer guidelines on what must be included within the scope of assessment, particularly around the inclusion of end-user devices and mobile devices. The new set emphasises that all user devices that access organisational data or services must be included, even if they connect to cloud services, whereas Montpelier had fewer explicit references to cloud services.

Device Listings


In Willow, there is more granularity when listing device types, especially with the operating systems. For example, question A2.4 in Willow requests more specific versions of operating systems, including feature versions for Windows devices, and includes guidance for listing thin clients and servers with operating systems. This change aims to ensure that organisations are fully transparent about the security configurations across all devices.

Focus on Thin Clients


The Willow question set increases focus on thin clients, which are simplified devices used to connect to virtual desktops. It highlights the security risks associated with modifying thin clients and mandates that they be regularly supported with security updates.

Software Firewalls


The Willow question set expands on the importance of software firewalls, especially for remote and home workers, ensuring that devices are protected when not connected to corporate networks. It stresses the importance of ensuring software firewalls are enabled and configured correctly on all end-user devices, a topic that was addressed in Montpelier, but now with added focus on software configurations and remote work security.
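A practical way to gather the evidence this section asks for is to capture each end-user device's host-firewall profile settings and check them centrally. The script below is an added illustration, not code from IASME or SecureTeam: it parses text in the shape that `netsh advfirewall show allprofiles` prints on Windows (the sample block is constructed, not captured from a real host, and the exact layout is an assumption) and flags any profile that is switched off or does not block inbound connections by default.

```python
import re

# Constructed sample in the shape of `netsh advfirewall show allprofiles`
# output (assumed layout; not captured from a real device). The Public
# profile is deliberately misconfigured so the check has something to flag.
SAMPLE_OUTPUT = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
"""

EXPECTED_PROFILES = ("Domain", "Private", "Public")


def parse_profiles(text: str) -> dict:
    """Return {profile name: {"State": ..., "Firewall Policy": ...}}."""
    profiles = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = header.group(1)
            profiles[current] = {}
            continue
        if current is None:
            continue
        # Settings are printed as "<name>   <value>" with a run of spaces.
        setting = re.match(r"^(State|Firewall Policy)\s{2,}(\S+)", line)
        if setting:
            profiles[current][setting.group(1)] = setting.group(2)
    return profiles


def firewall_findings(profiles: dict) -> list:
    """List every deviation from 'enabled and blocking inbound by default'."""
    findings = []
    for name in EXPECTED_PROFILES:
        profile = profiles.get(name)
        if profile is None:
            findings.append(f"{name}: profile missing from output")
            continue
        state = profile.get("State", "unknown")
        if state.upper() != "ON":
            findings.append(f"{name}: firewall state is {state}")
        policy = profile.get("Firewall Policy", "unknown")
        if not policy.startswith("BlockInbound"):
            findings.append(f"{name}: default inbound action is {policy}")
    return findings


if __name__ == "__main__":
    for finding in firewall_findings(parse_profiles(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```

Running the same check against output collected from each laptop gives a per-device list that is empty when the software firewall is on and blocking unsolicited inbound traffic on every profile, which is the state an assessor will expect to see for remote and home workers.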

Cloud Services


In the Willow question set, there is a clearer mandate to include all cloud services in scope, regardless of their type (IaaS, PaaS, or SaaS), ensuring that organisations can’t exclude any cloud-based platforms. This aligns with the growing reliance on cloud infrastructure. Montpelier included cloud services but provided less comprehensive definitions or requirements on this aspect.

Password Policies and Authentication


The Willow question set delves deeper into password management, requiring organisations to choose more secure password configurations. Multi-Factor Authentication (MFA) is now given greater prominence as a requirement for securing external services. The new set also introduces stricter guidance on blocking common passwords and throttling login attempts to protect against brute force attacks, which were less elaborated in the Montpelier set.
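To show what "blocking common passwords" and "throttling login attempts" look like in an application, here is an added example that is not code from the question set, IASME or SecureTeam. It rejects passwords on a deny-list at registration, stores only a salted PBKDF2 hash, and refuses further login attempts for an account once a rolling window holds too many failures, checking the throttle before the password so a guessing run cannot be sped up by eventually hitting the right value. The deny-list and the limits (10 failures per 300 seconds, 12-character minimum) are constructed example values, not figures taken from the scheme.

```python
import hashlib
import hmac
import os
from collections import deque

# Constructed example deny-list; a real deployment loads a published list
# of thousands of commonly used passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12          # example value, not the scheme's figure
MAX_FAILURES = 10        # example value: failures tolerated per window
WINDOW_SECONDS = 300.0   # example value: rolling window length
PBKDF2_ROUNDS = 100_000


def password_policy_violations(candidate: str) -> list:
    """Return the policy rules the candidate breaks (empty means acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ThrottledLogin:
    """Minimal credential store with per-account failure throttling."""

    def __init__(self):
        self.accounts = {}   # username -> (salt, digest)
        self.failures = {}   # username -> deque of failure timestamps

    def register(self, username: str, password: str) -> None:
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + ", ".join(violations))
        self.accounts[username] = hash_password(password)

    def _recent_failures(self, username: str, now: float) -> deque:
        # Drop failures that have aged out of the rolling window.
        queue = self.failures.setdefault(username, deque())
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()
        return queue

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'throttled', 'denied' or 'ok'. `now` is injected for testability."""
        queue = self._recent_failures(username, now)
        if len(queue) >= MAX_FAILURES:
            return "throttled"          # checked before the password on purpose
        record = self.accounts.get(username)
        if record is not None:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, digest):
                queue.clear()
                return "ok"
        queue.append(now)               # unknown users are counted too
        return "denied"


if __name__ == "__main__":
    store = ThrottledLogin()
    store.register("alice", "correct-horse-battery-staple")
    for second in range(MAX_FAILURES):
        print(store.attempt("alice", "guess", float(second)))
    print(store.attempt("alice", "correct-horse-battery-staple", 10.0))   # throttled
    print(store.attempt("alice", "correct-horse-battery-staple", 400.0))  # ok
```

Throttling by account (and, in practice, also by source address) limits the number of guesses an attacker can make in a given period without permanently locking a legitimate user out; the failure counter resets on a successful login so normal typos do not accumulate.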

Firewall Management


Both Montpelier and Willow discuss the configuration and management of firewalls, but Willow has enhanced questions around boundary firewall configurations and reviews. It also insists on stronger documentation and approval processes for inbound firewall connections, ensuring that exceptions are carefully managed and justified.

Cyber Breach Reporting


The revised Willow question set adds more explicit references to breach reporting and post-breach communication, reflecting an increased focus on learning from incidents to improve security posture.

Insurance Eligibility


One of the more subtle but important changes in the Cyber Essentials Willow question set is the expansion of questions regarding eligibility for automatic cyber insurance. This version provides clearer conditions under which an organisation can opt into insurance and the need for transparency in reporting turnover and other financial information.

Conclusion


The shift from Montpelier to Willow in the Cyber Essentials Self-Assessment shows a greater emphasis on transparency, modern infrastructure (including cloud and remote working), and more stringent security measures. Organisations undergoing certification will need to be more detailed in their reporting and ensure all aspects of their IT infrastructure, especially cloud services and end-user devices, are included within scope and protected by up-to-date security measures. These changes reflect the growing complexity of the cybersecurity landscape, ensuring that organisations adopting the Cyber Essentials standard are better equipped to handle modern cyber threats.

Find out more


To find out more about what you can expect in the latest Willow Cyber Essentials question set and other changes to be expected from 28th April 2025, you can download the updated documents from the IASME website at the following links:

Get Cyber Essentials Certified Today


At SecureTeam, we pride ourselves on being a trusted partner for businesses looking to achieve Cyber Essentials or Cyber Essentials Plus certification. Our experienced consultants guide organisations through every step of the process, from the initial assessment right through to the final certification. Whether it’s helping you navigate the self-assessment for Cyber Essentials or conducting the technical audit required for Cyber Essentials Plus, our team ensures that you meet all the necessary requirements for the Cyber Essentials Scheme.
