Cyber Essentials Update: What ‘Willow’ Means for Your Business

Gareth Guest
Lead Assessor and Penetration Tester
Published
4 March 2025

The Cyber Essentials certification is set to undergo significant enhancements with the introduction of the Willow question set, effective from 28th April 2025. This update, orchestrated by the National Cyber Security Centre (NCSC) and IASME, aims to modernise the certification process, reflecting contemporary work practices and emerging authentication technologies.

Key Updates in the Willow Question Set

  1. Inclusion of Remote Workers

Recognising the shift towards flexible work environments, the Willow question set now explicitly includes remote workers. Organisations must account for employees connecting from various locations, such as homes, hotels, or cafes, often using untrusted networks. This change emphasises the need for robust security measures for all remote connections.

  2. Cyber Essentials Plus Scope Verification

The Cyber Essentials Plus assessor must verify that the scope of the assessment matches the self-assessment by ‘technical means.’ In practice, we will need access to asset registers, or to exports from systems such as Microsoft Intune or any remote management systems in use.

  3. Cyber Essentials Plus Sub-Set Verification

Where the scope is not the ‘whole organisation’, the Cyber Essentials Plus assessor must verify that sub-sets have been effectively segregated by ‘technical means.’

This means the assessor will need to inspect firewall or switch access control lists (ACLs), or perform an Nmap scan between VLANs, subnets or zones, to verify the segregation.

  4. Vulnerability Management

The Willow update emphasises a broader approach to vulnerability management. Organisations are now required to implement all forms of vulnerability fixes, including configuration changes and registry adjustments, especially when addressing high or critical vulnerabilities. This holistic strategy ensures that all potential security gaps are promptly and effectively mitigated.

  5. Acceptance of Passwordless Authentication

In alignment with technological advancements, the new question set acknowledges passwordless authentication as a compliant method. Techniques such as biometrics, security keys, tokens, one-time codes, and push notifications are recognised for their potential to enhance security by reducing reliance on traditional passwords.
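
As an added illustration of the sub-set verification described under Cyber Essentials Plus Sub-Set Verification (this is not part of the original article or Protos Networks' own tooling), the script below reads Nmap XML output from a scan launched outside the certified sub-set and lists the ports that answered across the boundary. The subnet, addresses, sample scan data and the `permitted` allow-list are constructed for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: Nmap XML (-oX) from a scan launched on an out-of-scope
# VLAN towards the in-scope subnet 10.0.20.0/24. All addresses are made up.
SAMPLE_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.20.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/></port>
  <port protocol="tcp" portid="445"><state state="open"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/></port>
  <port protocol="tcp" portid="3389"><state state="filtered"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.30.9" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/></port>
 </ports></host>
</nmaprun>"""

def segregation_findings(xml_text, in_scope_cidr, permitted=frozenset()):
    """Return sorted (ip, proto, port, verdict) rows for ports on in-scope
    hosts that answered a probe sent from outside the certified sub-set."""
    scope = ipaddress.ip_network(in_scope_cidr)
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None or ipaddress.ip_address(addr.get("addr")) not in scope:
            continue  # not a target inside the sub-set being certified
        for port in host.iter("port"):
            state = port.find("state").get("state")
            flow = (addr.get("addr"), port.get("protocol"), int(port.get("portid")))
            if flow in permitted:
                continue  # documented, justified flow across the boundary
            if state == "open":
                rows.append(flow + ("FAIL",))    # service reachable across boundary
            elif state == "closed":
                rows.append(flow + ("REVIEW",))  # probe was answered, not dropped
            # "filtered" is the result a blocking ACL produces, so it is not reported
    return sorted(rows)

if __name__ == "__main__":
    allowed = {("10.0.20.5", "tcp", 443)}  # hypothetical permitted flow
    for row in segregation_findings(SAMPLE_XML, "10.0.20.0/24", allowed):
        print(*row)
```

A `REVIEW` row means the probe got a reply, which may come from the host or from a firewall that rejects rather than drops, so it should be checked against the ACL before the boundary is accepted as segregated.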

Implications for Your Organisation

Organisations aiming for Cyber Essentials certification or renewal post-28th April 2025 must align their cybersecurity practices with these updated requirements. This entails a thorough review and possible enhancement of current security protocols, especially concerning remote work policies, network equipment management, and authentication methods.

Protos Networks: Your Partner in Cybersecurity Compliance

Navigating these updates may seem daunting, but Protos Networks is here to assist. Our team of cybersecurity experts is dedicated to helping your organisation seamlessly transition to the new standards. We offer comprehensive services, including:

  • Policy Review and Development: Ensuring your security policies meet the latest Cyber Essentials requirements.
  • Network and Security Assessments: Evaluating and enhancing your network infrastructure to safeguard against emerging threats.
  • Authentication Solutions Implementation: Integrating advanced authentication methods, including passwordless options, to improve your security posture.

 

Take Action Today

Stay ahead of the curve and ensure your organisation is prepared for the upcoming changes. Contact Protos Networks today to schedule a consultation and take the first step towards achieving and maintaining Cyber Essentials and Cyber Essentials Plus certification under the new Willow standards.

0333 370 1353 or contact [email protected]
