Major updates in the Willow question set & how to stay compliant
As of April 28, 2025, significant changes are coming to the Cyber Essentials certification with the introduction of the Willow Question Set, replacing the previous Montpellier version. These updates aim to enhance cybersecurity measures and reflect modern working practices, directly impacting SMEs preparing for their next certification review.
Key changes in the Willow question set:
- Scope Clarification: The new guidelines explicitly include all devices accessing organizational data or services, even those connecting via cloud services. This means SMEs must ensure that every device, regardless of its connection method, is accounted for in the assessment scope.
- Firewall Management: Organizations must now list all firewalls and routers in the network equipment section. Additionally, there’s an emphasis on ensuring that home and remote workers utilise software firewalls, underscoring the importance of regularly reviewing firewall rules.
- Passwordless Authentication: The updated standards accept passwordless authentication methods, such as biometric authentication, security keys, one-time codes, and push notifications, provided they adhere to recognized standards. This offers SMEs flexibility in implementing secure access controls.
- Vulnerability Fixes: The terminology has shifted from “patching” to “vulnerability fixes,” encompassing not only software updates but also configuration or registry changes necessary to remediate high or critical vulnerabilities. SMEs must be vigilant in addressing these fixes promptly.
- Language Updates: Terms have been updated for clarity, such as changing “plugin” to “extension” and expanding “home working” to “home and remote working,” reflecting the diverse environments in which employees operate.
How SMEs Can Prepare for These Changes
Adapting to these changes requires SMEs to:
- Manage Devices Effectively: Ensure all devices accessing company data are secure and included in the assessment scope.
- Maintain Strong Firewall Policies: Keep an up-to-date inventory of network equipment and enforce stringent firewall configurations, especially for remote workers.
- Implement Modern Authentication: Consider adopting passwordless authentication methods that comply with recognized security standards.
- Stay on Top of Vulnerabilities: Regularly apply necessary fixes, including configuration changes, to address high-risk vulnerabilities promptly.
Need Help with Cyber Essentials Compliance?
Navigating these updates can be complex and time-consuming. At One2Call Ltd, we offer a Cyber Essentials management service tailored for SMEs. Our service assists businesses in achieving and maintaining Cyber Essentials certification annually for a single fee that covers the cost of certification.
Let us handle the intricacies of compliance, so you can focus on growing your business with confidence.
📞 Contact us today to learn how we can simplify your Cyber Essentials journey.
Chat with us: bit.ly/one2call-chat
WhatsApp us: 07401 142 303
Call us: 0114 230 0080