IASME has recently published its latest Willow question set for the NCSC Cyber Essentials Self-Assessment Certification, which replaces the current (Montpelier) question set on 28th April 2025. The updates in Willow reflect evolving cybersecurity needs, with more detailed and specific questions intended to help organisations better protect themselves from cyber threats. Here are some of the key changes you can expect in the Willow question set if you are renewing your Cyber Essentials certification, or certifying for the first time, on or after 28th April 2025:
Scope Clarification
The latest Willow question set for Cyber Essentials introduces clearer guidelines on what must be included within the scope of assessment, particularly around the inclusion of end-user devices and mobile devices. The new set emphasises that all user devices that access organisational data or services must be included, even if they connect to cloud services, whereas Montpelier had fewer explicit references to cloud services.
Device Listings
In Willow, there is more granularity when listing device types, especially with the operating systems. For example, question A2.4 in Willow requests more specific versions of operating systems, including feature versions for Windows devices, and includes guidance for listing thin clients and servers with operating systems. This change aims to ensure that organisations are fully transparent about the security configurations across all devices.
Focus on Thin Clients
The Willow question set increases focus on thin clients, which are simplified devices used to connect to virtual desktops. It highlights the security risks associated with modifying thin clients and mandates that they be regularly supported with security updates.
Software Firewalls
The Willow question set expands on the importance of software firewalls, especially for remote and home workers, ensuring that devices are protected when not connected to corporate networks. It stresses the importance of ensuring software firewalls are enabled and configured correctly on all end-user devices, a topic that was addressed in Montpelier, but now with added focus on software configurations and remote work security.
Cloud Services
In the Willow question set, there is a clearer mandate to include all cloud services in scope, regardless of their type (IaaS, PaaS, or SaaS), ensuring that organisations can’t exclude any cloud-based platforms. This aligns with the growing reliance on cloud infrastructure. Montpelier included cloud services but provided less comprehensive definitions or requirements on this aspect.
Password Policies and Authentication
The Willow question set delves deeper into password management, requiring organisations to choose more secure password configurations. Multi-Factor Authentication (MFA) is given greater prominence as a requirement for securing externally accessible services. The new set also introduces stricter guidance on blocking common passwords and throttling login attempts to protect against brute-force attacks, both of which the Montpelier set covered in less detail.
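To make the two brute-force mitigations above concrete, here is an added example (written for this article, not code from IASME, the NCSC or the question set) showing a common-password deny list check alongside a sliding-window login throttle. The minimum length, the size of the deny list and the attempt thresholds are illustrative parameters, not figures quoted from the Willow documents; take the real values from the NCSC requirements linked later on this page.

```python
"""Illustrative deny-list and login-throttling controls.

Added example for this article; not IASME/NCSC code. Thresholds are
assumed values for demonstration, not quotations from the question set.
"""
import secrets
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional

# Constructed sample deny list. A real deployment would load a large
# published list of breached/common passwords and compare in lower case.
COMMON_PASSWORDS = frozenset(
    {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}
)


@dataclass
class PasswordPolicy:
    """Reject short passwords and anything on the common-password deny list."""
    min_length: int = 12                      # assumed value for illustration
    deny_list: frozenset = COMMON_PASSWORDS

    def check(self, candidate: str) -> List[str]:
        """Return the reasons a password is rejected; an empty list means accepted."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        # Normalise case so "Password1" does not slip past "password1".
        if candidate.lower() in self.deny_list:
            problems.append("appears on the common-password deny list")
        return problems


@dataclass
class LoginThrottle:
    """Allow at most max_attempts failed logins per account per window_seconds.

    Example thresholds; use the figures from the NCSC requirements document.
    """
    max_attempts: int = 10
    window_seconds: float = 300.0
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)

    def _recent_failures(self, account: str, now: float) -> Deque[float]:
        """Drop failures older than the window and return what remains."""
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent_failures(account, now)) >= self.max_attempts

    def record_failure(self, account: str, now: Optional[float] = None) -> bool:
        """Record a failed attempt; return True if the account is now throttled."""
        now = time.time() if now is None else now
        q = self._recent_failures(account, now)
        q.append(now)
        return len(q) >= self.max_attempts

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  stored_password: str, now: float) -> str:
    """Simulated login: refuse without checking the password while throttled.

    A real system compares against a password hash; plaintext is used here
    only to keep the example self-contained.
    """
    if throttle.is_locked(account, now):
        return "throttled"
    if secrets.compare_digest(password.encode(), stored_password.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "denied"


if __name__ == "__main__":
    print(PasswordPolicy().check("Password1"))
    t = LoginThrottle(max_attempts=3, window_seconds=60)
    for i in range(4):
        print(attempt_login(t, "alice", "wrong", "correct horse battery staple", i * 10))
```

The throttle checks the lock state before comparing the password, so a correct guess during a lockout is still refused, and the window is evaluated against the timestamps of recent failures rather than a fixed counter, which is what keeps "no more than N guesses in M minutes" honest across the boundary of the period.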
Firewall Management
Both Montpelier and Willow discuss the configuration and management of firewalls, but Willow has enhanced questions around boundary firewall configurations and reviews. It also insists on stronger documentation and approval processes for inbound firewall connections, ensuring that exceptions are carefully managed and justified.
Cyber Breach Reporting
The revised Willow question set adds more explicit references to breach reporting and post-breach communication, reflecting an increased focus on learning from incidents to improve security posture.
Insurance Eligibility
One of the more subtle but important changes in the Cyber Essentials Willow question set is the expansion of the questions on eligibility for the automatic cyber insurance that accompanies certification. This version sets out more clearly the conditions under which an organisation can opt into the insurance, and the need for accurate reporting of turnover and other financial information.
Conclusion
The shift from Montpelier to Willow in the Cyber Essentials Self-Assessment shows a greater emphasis on transparency, modern infrastructure (including cloud and remote working), and more stringent security measures. Organisations undergoing certification will need to be more detailed in their reporting and ensure all aspects of their IT infrastructure, especially cloud services and end-user devices, are included within scope and protected by up-to-date security measures. These changes reflect the growing complexity of the cybersecurity landscape, ensuring that organisations adopting the Cyber Essentials standard are better equipped to handle modern cyber threats.
Find out more
To find out more about what you can expect in the latest Willow Cyber Essentials question set and other changes to be expected from 28th April 2025, you can download the updated documents from the IASME website at the following links:
- Download the Willow Cyber Essentials Question Set (PDF)
- Download the Willow Cyber Essentials Question Set (Excel)
- Download the latest NCSC Requirements for Infrastructure (Version 3.2)
- Download the Willow Cyber Essentials Test Specification
Get Cyber Essentials Certified Today
At SecureTeam, we pride ourselves on being a trusted partner for businesses looking to achieve Cyber Essentials or Cyber Essentials Plus certification. Our experienced consultants guide organisations through every step of the process, from the initial assessment right through to the final certification. Whether it’s helping you navigate the self-assessment for Cyber Essentials or conducting the technical audit required for Cyber Essentials Plus, our team ensures that you meet all the necessary requirements for the Cyber Essentials Scheme.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)