Cyber Essentials 2025 Updates


As cybersecurity risks evolve, so too must the standards and frameworks designed to protect organisations. In April 2025, the National Cyber Security Centre (NCSC) introduced updated Cyber Essentials requirements (version 3.2) and a new self-assessment questionnaire called Willow, replacing the previous Montpellier set.

For any business or organisation seeking certification (or renewal), adapting early is key. Below is a step-by-step guide to help you navigate the transition and be well prepared.

What’s Changed in the 2025 Update (v3.2 / Willow)

Before diving into how to prepare, it’s essential to understand the changes. While many updates focus on clarification and consistency, they still carry compliance implications that should not be overlooked.

The Willow Question Set

The Montpellier question set is being retired, and all new Cyber Essentials assessments from 28 April 2025 will use the Willow questionnaire. This is a more streamlined and better-structured approach designed to reflect modern working practices and terminology.

Terminology Updates

Several terms have been refined to make the scope more straightforward:

  • “Plugins” are now “Extensions” – This change ensures clarity on which add-ons or modules to applications and browsers must be included in your security management.
  • “Home working” is now “Home and remote working” – Expands the requirement to cover all scenarios where staff connect remotely, not just from home but also cafés, hotels, or other public spaces.
  • “Patches/Updates” are now “Vulnerability Fixes” – This broader term includes patches, registry edits, configuration changes, and even vendor-supplied scripts. It emphasises that organisations must remediate vulnerabilities using whatever fix the vendor provides.

Passwordless Authentication

The update officially enables passwordless authentication, including biometrics or FIDO2 security keys. This aligns with modern security trends and reduces the risk of credential theft.

Plus Test Specification Changes

Cyber Essentials Plus has also been updated. The test specification has been renamed and expanded to include more precise requirements for scope validation, device sampling, and segregation. This means auditors will apply more rigorous checks to ensure that your technical audit aligns with the scope defined in your self-assessment.

End of Life Software

Software and systems that have reached the end of life (EOL) are still not permitted. Any such systems must be replaced or removed from the environment to remain compliant.

Overall, these changes are evolutionary rather than revolutionary; however, they do require attention to detail and careful preparation.

Timeline & Important Dates

  • 28 April 2025 – All new Cyber Essentials and Cyber Essentials Plus assessments move to v3.2 / Willow.
  • Before 28 April 2025 – You may still begin certification under Montpellier, but submissions must be made by 28 October 2025.
  • After October 2025 – All applications must comply with the Willow question set and version 3.2 requirements.

Step-by-Step: How to Prepare Your Organisation

1. Review the Updated Documentation

Download the Requirements for IT Infrastructure v3.2, the new Willow question set, and the updated Cyber Essentials Plus Test Specification from IASME or the NCSC. Compare these with your current documentation and policies to ensure alignment.

2. Perform a Gap Analysis

Assess your current security measures against the new requirements. Focus on:

  • Authentication (are you password-only anywhere? Do you need to adopt MFA or passwordless methods?)
  • Vulnerability management (are you only patching, or do you also apply registry and configuration fixes?)
  • Remote working security (does your policy cover all scenarios outside the home office?)
  • EOL systems (are any still in use?)
  • Segmentation and scope clarity (for Plus audits).

3. Upgrade or Adapt Controls

  • Introduce passwordless authentication where possible.
  • Strengthen vulnerability management processes to include all forms of vendor-supplied fixes.
  • Replace or retire end-of-life systems.
  • Improve remote working controls, such as VPN enforcement and endpoint security.
  • Document scope and ensure segregation is clear for Plus testing.

4. Update Policies and Procedures

Revise internal documents to reflect the new terminology:

  • Use “extensions” instead of “plugins”.
  • Refer to “home and remote working” rather than just home working.
  • Update patching policies to cover the broader concept of “vulnerability fixes”.

5. Train Staff

Educate staff on the changes, especially regarding passwordless logins, prompt remediation, and secure remote working. Train IT staff on applying non-traditional fixes (registry/config changes).

6. Conduct a Dry Run

Run through the Willow questionnaire internally and simulate the sampling checks used in Cyber Essentials Plus. This will highlight any weak areas that need to be resolved before the actual audit.

7. Work With a Certification Body

Engage an accredited certification body early, particularly one already experienced with the Willow updates. They can help interpret tricky points and validate your preparation.

Best Practices for a Smooth Transition

  • Start preparing now; don’t wait until your certification renewal date.
  • Keep evidence (tickets, logs, scripts, reports) ready for auditors.
  • Prioritise remediation for high-risk systems and vulnerabilities.
  • Continuously review compliance between now and April 2025 to avoid drift.
  • Stay informed by monitoring IASME and NCSC for further updates or clarifications.

Summary

The 2025 update to Cyber Essentials (v3.2) introduces a new Willow questionnaire, updated terminology, and clearer expectations for remote working, vulnerability management, and passwordless authentication. While the changes aren’t drastic, organisations must adapt their policies, technical controls, and audit readiness to remain compliant.

By acting early—reviewing the documentation, performing a gap analysis, and upgrading your processes—you can ensure a smooth transition and maintain your certification with confidence.
