Latest update for Cyber Essentials – Willow questionnaire from April 2025

By James Galbraith, Cyber Essentials Assessor

There will be some important changes with the release of the Cyber Essentials Willow question set in April 2025.

IASME, the NCSC's Cyber Essentials delivery partner, conducts an annual review of the scheme in consultation with Certification Bodies, including Indelible Data.

Notable changes will occur in the following areas:

Home workers

The CE Requirements section on home working has been clarified and renamed "home and remote working", to reflect the modern reality of staff connecting from untrusted networks such as those in cafes and hotels. On such networks the router is outside the applicant's control, so the protection the scheme relies on is the software firewall running on the device itself.

Network equipment

Applicants are now guided to list only the network equipment that is relevant, which should stop the unnecessary inclusion of hubs and switches:

  • A2.8 Please provide a list of network equipment that will be in scope for this assessment (including firewalls and routers). You must include make and model of each device listed. You should include all equipment that controls the flow of data to and from the internet. This will be your routers and firewalls.

Passwordless authentication

Logging in without entering a password is now accepted within the scheme, but only where it uses one of the recognised methods: biometric authentication; security keys or tokens; one-time codes; or push notifications. Where a password remains as a fallback for a passwordless system, the password requirements (including the brute-force protections asked about in A7.10) still apply to it. Further guidance is available on the NCSC's website.

The following questions may now be answered in terms of passwordless authentication:

  • A4.3 How is your firewall password configured?
  • A5.5 If you run or host external services that provide access to data (that shouldn’t be made public) to users across the internet, which authentication option do you use?
  • A7.10 Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?
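
Question A7.10 asks how password-protected systems resist brute-force guessing. The Cyber Essentials requirements accept either throttling (no more than 10 guesses in 5 minutes) or locking the account after no more than 10 unsuccessful attempts. The Python below is an added illustration written for this page, not material from IASME or the question set: it wraps a password check in a per-account sliding-window throttle with an optional lockout. The `ThrottledAuthenticator` class, the `hash_password` helper and the sample account are constructed for the example.

```python
"""Sliding-window brute-force protection for password logins.

Constructed example for the A7.10 discussion; not part of the
Cyber Essentials question set or any IASME material. The limits below
are the upper bounds the scheme accepts: throttling to no more than
10 guesses in 5 minutes, or locking the account after no more than
10 unsuccessful attempts.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 300          # 5 minutes
MAX_GUESSES_PER_WINDOW = 10   # throttle: at most 10 guesses per window
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password verifier with PBKDF2-HMAC-SHA256 (a slow hash, not plain SHA-256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_account(password: str) -> tuple[bytes, bytes]:
    """Return (salt, verifier) for a new account; the salt is random per account."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


@dataclass
class _State:
    failures: deque = field(default_factory=deque)  # timestamps of failed guesses in the window
    consecutive_failures: int = 0
    locked: bool = False


class ThrottledAuthenticator:
    """Password check wrapped in a per-account guess throttle and optional lockout.

    accounts: username -> (salt, verifier) as produced by make_account().
    lockout_after: lock the account after this many consecutive failures,
                   or None to rely on throttling alone.
    """

    def __init__(self, accounts: dict, lockout_after: int | None = None) -> None:
        self._accounts = accounts
        self._lockout_after = lockout_after
        self._state: dict[str, _State] = {}

    def attempt(self, username: str, password: str, now: float) -> str:
        """Process one login attempt at time `now` (seconds).
        Returns one of 'ok', 'bad_password', 'throttled' or 'locked'."""
        st = self._state.setdefault(username, _State())
        if st.locked:
            return "locked"

        # Slide the window: forget failures older than WINDOW_SECONDS.
        while st.failures and now - st.failures[0] >= WINDOW_SECONDS:
            st.failures.popleft()

        # The throttle is applied before the password is checked, so a
        # correct guess inside a saturated window is still refused: the
        # attacker learns nothing from the 11th attempt.
        if len(st.failures) >= MAX_GUESSES_PER_WINDOW:
            return "throttled"

        # Unknown usernames go through the same hashing path (with a dummy
        # salt/verifier) so response and counters do not reveal which
        # accounts exist.
        salt, verifier = self._accounts.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hash_password(password, salt)
        if username in self._accounts and hmac.compare_digest(candidate, verifier):
            st.failures.clear()
            st.consecutive_failures = 0
            return "ok"

        st.failures.append(now)
        st.consecutive_failures += 1
        if self._lockout_after is not None and st.consecutive_failures >= self._lockout_after:
            st.locked = True
        return "bad_password"

    def is_locked(self, username: str) -> bool:
        return self._state.get(username, _State()).locked


if __name__ == "__main__":
    # Demo with a constructed account and a simulated 11-guess attack.
    auth = ThrottledAuthenticator({"alice": make_account("correct horse battery staple")})
    for i in range(10):
        print(i + 1, auth.attempt("alice", f"guess{i}", now=float(i)))
    print("11th (correct password, inside window):",
          auth.attempt("alice", "correct horse battery staple", now=10.0))
    print("after the window slides:",
          auth.attempt("alice", "correct horse battery staple", now=300.0))
```

The throttle is checked before the password so that a saturated window refuses even a correct guess; with `lockout_after=10` the account stays locked across windows until an administrator clears it, which is the behaviour an assessor expects when the applicant answers A7.10 with "lockout" rather than "throttling".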

Security updates

Where a vendor's fix for a high-risk or critical vulnerability takes the form of a configuration change or a registry fix rather than a patch, applying that fix within the 14-day window is now required. This extends the previous iteration of the scheme, which only required software updates and patches to be installed. The change is reflected in the following question:

  • A6.4 Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

Access control

The scheme now clearly references least privilege access. Least privilege access ensures that your users have the minimum permissions required to perform their job role:

  • A7.4 Do you ensure that staff only have the privileges that they need to do their current job? How do you do this? When a staff member changes job role you may also need to change their permissions to only access the files, folders and applications that they need to do their day-to-day work. For Cyber Essentials we require that the principle of least privilege be applied.

April will also bring with it changes to the Cyber Essentials and Cyber Essentials Plus test specifications which will be the subject of a further blog soon.