
Cyber Essentials Willow Update: What It Means for Your Cybersecurity

Cyber threats aren’t slowing down, and neither should your business’s defences. That’s why the Cyber Essentials certification is evolving to help businesses strengthen their managed security and overall cybersecurity support. The National Cyber Security Centre (NCSC) and IASME have recognised the need for stronger protections and are introducing an updated self-assessment questionnaire to replace the current Montpellier set.

Named Willow, the new framework comes into effect on 28th April 2025—bringing fresh changes to help businesses stay secure in an ever-changing threat landscape. This update introduces significant changes, particularly around vulnerability management, ensuring organisations are better equipped to handle cyber threats.

From support for passwordless authentication to clearer guidance for home and remote working, the new question set will help ensure businesses can meet modern security challenges head-on. In our latest blog, we break down some of its key changes, their importance, and how you can get ahead.

Key Changes in the Willow Question Set

Expanded Scope for Vulnerability Fixes

The Willow question set broadens the definition of vulnerability fixes, reinforcing the need for comprehensive managed security solutions to protect businesses. It’s not just about applying patches anymore; it includes configuration changes, registry tweaks, and scripts approved by vendors. This holistic approach ensures that organisations can address vulnerabilities through various methods, enhancing their overall security posture.

Inclusion of Remote Workers

Recognising the shift towards flexible work environments, the Willow question set now explicitly includes remote workers. Organisations must account for employees connecting from various locations, such as homes, hotels, or cafés, often using untrusted networks. This change emphasises the need for robust security measures for all remote connections.

Acceptance of Passwordless Authentication

In alignment with technological advancements, the new question set acknowledges passwordless authentication as a compliant method. Techniques such as biometrics, security keys, tokens, one-time codes, and push notifications are recognised for their potential to enhance security by reducing reliance on traditional passwords.

What to Expect from the Willow Question Set

The Willow question set aims to modernise the Cyber Essentials certification process so that it reflects contemporary work practices and emerging authentication technologies, with businesses expected to implement up-to-date managed security measures and robust cybersecurity support. Here is what to expect:

  • Comprehensive Vulnerability Management
    Organisations are required to implement all forms of vulnerability fixes, especially when addressing high or critical vulnerabilities. This ensures a proactive approach to closing security gaps quickly and effectively.
  • Enhanced Remote Work Security
    With the inclusion of remote workers, businesses must ensure data remains secure across any untrusted location. This involves implementing strong security protocols for remote connections and ensuring software firewalls are enabled and configured correctly.
  • Modern Authentication Methods
    The acceptance of passwordless authentication methods means organisations can adopt more secure and user-friendly ways to protect access. This includes using biometrics, security keys, and push notifications, which offer stronger protection than traditional passwords.

Implications for Your Organisation

Organisations aiming for Cyber Essentials certification or renewal post-April 2025 must align their cybersecurity practices with these updated requirements. This entails a thorough review and possible enhancement of current security protocols, especially concerning remote work policies, network equipment management, and authentication methods.

Navigating these updates may seem daunting, but they are essential for maintaining robust cybersecurity in today’s digital world. razorblue is here to help guide you through these challenges. Our expert team provides cybersecurity support and managed security solutions, ensuring compliance with the new Cyber Essentials certification requirements.

Stay ahead of the evolving Cyber Essentials certification standards with razorblue’s expert cybersecurity support and managed security services. Get in touch today to secure your business against evolving cyber threats.

 
