Cyber Essentials, the cyber security framework owned by the UK Government's NCSC and run by IASME, is coming up for a refresh on the 28th April 2025. The Cyber Essentials scheme undergoes a review every few years so that it remains relevant to businesses and safeguards you against the latest threats.
So, although a change is coming, for the most part there is nothing to worry about. The Cyber Essentials Basic self-assessment certification is undergoing a few small changes; the Cyber Essentials Plus audits, however, are where you will likely feel the biggest impact.
If you sign up to Cyber Essentials before the 28th April 2025, you will stay on the Montpellier question set and have a maximum of 6 months to complete it. If you then move to Cyber Essentials Plus, you will be audited against the Montpellier testing requirements.
What are the changes and how will they impact you moving forward?
Firstly, the new version of Cyber Essentials will be called Willow, and the Requirements for IT Infrastructure document will be updated to version 3.2. It is recommended that you review this document so that you know what is required of you to comply with the technical controls.
The questions for Cyber Essentials can be found on the IASME website here: https://iasme.co.uk/cyber-essentials/free-download-of-self-assessment-questions/
The changes that are coming in are as follows:
Terminology changes and question tweaks
Within the question set there are some terminology changes and some tweaking of the questions, so that the scheme makes people think about their answers and the questions themselves are easier to understand.
Passwordless
Passwordless is now defined, and a description of what it is has been added to the requirements. Passwordless authentication is expected to be used more and more, so now is the time to embrace the change and get your business updated. The IT Requirements document contains information that will help you understand what is required here.
Vulnerability fix and update management
A "vulnerability fix" definition has been created and is now used within the question set and the IT Requirements document. This is primarily about patching and updating machines and protecting against vulnerabilities. Now, if a security update is available, you must apply it, even if doing so involves configuration work. That could mean going into the registry and changing values, updating configuration files, or any other method the vendor specifies to fix a security issue.
Home / remote working
References to home working have been changed to home and remote working, to cover anyone who is not in the office, whether they are working at home or elsewhere remotely.
Changes to the question set
Questions will now link to the IASME knowledge hub, giving you more information and advice on what is expected in an answer. This should help remove any confusion going forward.
The relevant requirements that are being referenced will also appear alongside the question.
Cyber Essentials Plus
When you undergo a Cyber Essentials Plus audit against the Willow question set, there are only small changes from previous versions that are likely to affect you. The first is update management. As with Cyber Essentials Basic, you will need to ensure that every security update with a CVSS v3 score of 7.0 or above is applied within 14 days of its release. The biggest issue here may be troublesome security updates whose fix involves configuration rather than a simple patch, for example where you need to update configuration files or the registry.
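As an added illustration of the update-management rule above and the "vulnerability fix" definition earlier on this page (this is example code, not from the page, IASME or NCSC), the following Python records each vendor fix, patch or configuration change alike, and flags the ones that breach the CVSS v3 7.0 / 14-day rule. The identifiers and dates are constructed placeholders, and treating the 14th day after release as still compliant is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Rule from the Cyber Essentials requirements: CVSS v3 >= 7.0, apply within 14 days.
CVSS_THRESHOLD = 7.0
MAX_DAYS_TO_APPLY = 14

@dataclass
class VulnerabilityFix:
    """One vendor-released fix. Under the Willow 'vulnerability fix' definition a
    configuration change (registry value, config file) counts the same as a patch."""
    identifier: str          # constructed placeholder, not a real advisory ID
    cvss_v3: float
    released: date
    fix_type: str            # "patch" or "configuration"
    applied: Optional[date]  # None while the fix has not been applied

def in_scope(fix: VulnerabilityFix) -> bool:
    """Only fixes scoring 7.0 or above fall under the 14-day rule."""
    return fix.cvss_v3 >= CVSS_THRESHOLD

def deadline(fix: VulnerabilityFix) -> date:
    """Last compliant day to apply the fix (treated as inclusive; an assumption)."""
    return fix.released + timedelta(days=MAX_DAYS_TO_APPLY)

def assess(fixes: List[VulnerabilityFix], today: date) -> List[str]:
    """Identifiers of in-scope fixes breaching the rule as of `today`:
    applied after the deadline, or still unapplied once the deadline has passed."""
    overdue = []
    for fix in fixes:
        if not in_scope(fix):
            continue
        due = deadline(fix)
        applied_late = fix.applied is not None and fix.applied > due
        still_open = fix.applied is None and today > due
        if applied_late or still_open:
            overdue.append(fix.identifier)
    return overdue

# Constructed sample data; identifiers and dates are placeholders.
SAMPLE_FIXES = [
    VulnerabilityFix("ADV-A", 9.8, date(2025, 4, 20), "patch", None),          # unapplied, past deadline
    VulnerabilityFix("ADV-B", 7.0, date(2025, 5, 1), "configuration", None),   # still inside the window
    VulnerabilityFix("ADV-C", 6.9, date(2025, 3, 1), "patch", None),           # below the threshold
    VulnerabilityFix("ADV-D", 8.1, date(2025, 4, 1), "patch", date(2025, 4, 15)),          # applied on the deadline
    VulnerabilityFix("ADV-E", 7.5, date(2025, 4, 1), "configuration", date(2025, 4, 20)),  # registry fix applied late
]
```

Running `assess(SAMPLE_FIXES, date(2025, 5, 12))` flags ADV-A and ADV-E; ADV-B only becomes a finding once its window closes on 15 May.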
There is a 72-hour (three working day) notification window in which the certification body issues a request listing the devices it wants to see as part of its sample set. The customer or applicant undergoing the audit must present those devices as part of the audit.