Thursday, 27 March 2025
Get ready for Cyber Essentials 2025. The new Willow questionnaire replaces Montpellier with modern authentication, stronger controls and clearer standards.
The UK Government's Cyber Essentials scheme is evolving once again. From 28 April 2025, the new Willow self-assessment questionnaire will replace the current Montpellier version, marking a significant shift in the way organisations approach cyber security compliance. If your organisation is already certified or planning to become certified, here's what you need to know about the transition - and why now is the time to prepare.
What is Willow and Why the Change?
The Willow question set is the latest version of the Cyber Essentials standard, introduced by the National Cyber Security Centre (NCSC). It reflects the changing nature of cyber threats, modern working practices and the urgent need for stronger authentication methods and system security.
Key dates:
- Montpellier ends: 27 April 2025
- Willow starts: 28 April 2025
- Montpellier applications must be submitted by: 28 October 2025
This means you can still start an application under Montpellier until 27 April, but after that, all new certifications will follow the Willow format.
What’s Changing in Cyber Essentials?
1. Passwordless authentication is now compliant
The NCSC is actively encouraging a move away from password-based authentication, which is increasingly seen as insecure. Willow supports more modern, secure methods such as:
- Passkeys
- Biometrics
- Security tokens
- One-time passcodes
- Push notifications
Passwordless methods are now accepted in responses to questions about firewall configuration, external services and protection against brute force attacks.
2. From "Patches" to "Vulnerability Fixes"
The language is changing to reflect a broader understanding of how organisations address threats. The new terminology includes:
- Software patches
- Registry fixes
- Configuration changes
These are now all covered under the term "vulnerability fixes" and should be applied when recommended by the operating system or software vendor.
3. Updated Scope & Evidence Requirements
Willow places more emphasis on defining and evidencing the scope of the assessment. Expect:
- Clearer requirements on what is in and out of scope
- Broader exclusion statements
- Stronger evidence expectations
4. Stronger Controls for Firewalls & Remote Workers
- Clarifications on firewalls and routers, especially for remote or home workers
- Explicit inclusion of remote workers in the risk assessment
- Strengthened requirements for regular review and management of firewall rules
5. Least Privilege Principle
Now Mandatory Organisations must now confirm that users only have access to what they need to do their job, reinforcing the principle of least privilege.
What about Cyber Essentials Plus?
The Cyber Essentials Plus test specification is also being updated, with confirmation expected in January 2025. These changes aim to provide greater assurance to customers, and a clearer view of an organisation's cyber security posture.
What should you do now?
If you're planning to certify or renew under the current Montpellier question set, you need to act soon: you must start by 27 April 2025 and submit by 28 October 2025.
If you're aiming for Willow, now is the time to review your internal controls, authentication methods and security update policies to make sure you're ready.
Need help navigating the changes? We're here to support you.
At Grant McGregor, we're proud to be an accredited Cyber Essentials Certification Body with one of only eight Certified Cyber Advisors in Scotland. Our team of experienced Cyber Assessors can help you understand what the new Willow standard means for your business and ensure you're fully prepared.
Let's talk.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
