Get ready for Cyber Essentials 2025. The new Willow questionnaire replaces Montpellier with modern authentication, stronger controls and clearer standards.
The UK Government's Cyber Essentials scheme is evolving once again. From 28 April 2025, the new Willow self-assessment questionnaire will replace the current Montpellier version, marking a significant shift in the way organisations approach cyber security compliance. If your organisation is already certified or planning to become certified, here's what you need to know about the transition - and why now is the time to prepare.
The Willow question set is the latest version of the Cyber Essentials standard, introduced by the National Cyber Security Centre (NCSC). It reflects the changing nature of cyber threats, modern working practices and the urgent need for stronger authentication methods and system security.
This means you can still start an application under Montpellier until 27 April, but after that, all new certifications will follow the Willow format.
The NCSC is actively encouraging a move away from password-based authentication, which is increasingly seen as insecure. Willow supports more modern, secure methods such as:
Passwordless methods are now accepted in responses to questions about firewall configuration, external services and protection against brute force attacks.
The language is changing to reflect a broader understanding of how organisations address threats. The new terminology includes:
These are now all covered under the term "vulnerability fixes" and should be applied when recommended by the operating system or software vendor.
Willow places more emphasis on defining and evidencing the scope of the assessment. Expect:
Now mandatory: organisations must confirm that users only have access to what they need to do their job, reinforcing the principle of least privilege.
The Cyber Essentials Plus test specification is also being updated, with confirmation expected in January 2025. These changes aim to provide greater assurance to customers, and a clearer view of an organisation's cyber security posture.
If you're planning to certify or renew under the current Montpellier question set, you need to act soon: you must start by 27 April 2025 and submit by 28 October 2025.
If you're aiming for Willow, now is the time to review your internal controls, authentication methods and security update policies to make sure you're ready.
At Grant McGregor, we're proud to be an accredited Cyber Essentials Certification Body with one of only eight Certified Cyber Advisors in Scotland. Our team of experienced Cyber Assessors can help you understand what the new Willow standard means for your business and ensure you're fully prepared.