Key Changes to Cyber Essentials V15 ‘Willow’

The Cyber Essentials scheme, a crucial UK government-backed initiative for cyber security certification, is evolving. Organisations seeking to demonstrate their commitment to cyber security and achieve Cyber Essentials or Cyber Essentials Plus certification need to be aware of the upcoming changes. This blog post will outline the key updates as version 15 “Willow” replaces version 14 “Montpellier” on April 28th, 2025.

The most significant change is the update from version 14, known as “Montpellier,” to version 15, named “Willow.” While this may seem like a simple version update, it encompasses numerous detailed modifications to the Cyber Essentials requirements. These changes aim to ensure the scheme remains relevant and effective in addressing the evolving cyber threat landscape.

Based on our analysis of the IAMSE provided comparison table, here are the key differences between the “Montpellier” and “Willow” question sets:

• Scope and Definitions:
  • Willow expands the scope to include more detailed reporting and ensures that all aspects of the IT infrastructure, including cloud services and end-user devices, are included within the assessment.
  • Willow clarifies definitions, especially for “software,” which now includes firmware, and expands on the definition of “vulnerability fixes” to include various mechanisms, including configuration changes and registry fixes.
  • Willow refines the definition of “home working” to “home and remote working” to encompass a wider range of modern work environments, including untrusted networks.
• Network Equipment:
  • Willow requires a more specific listing of network equipment, focusing only on firewalls and routers (including their make and model).
  • Montpellier allowed for a less specific list of network equipment, potentially including devices like hubs and switches.
• Vulnerability Management:
  • Willow emphasises ensuring all in-scope software and cloud services are properly licensed and that all vulnerabilities are addressed, regardless of whether it’s a patch, update, configuration change, or registry fix.
  • Montpellier focused on patching high or critical-risk vulnerabilities within a specific timeframe, potentially overlooking other methods of vulnerability mitigation.
• Access Control and Least Privilege:
  • Willow reinforces the principle of least privilege, requiring staff to have only the necessary access rights for their current job functions.
  • Montpellier also emphasised user access control, but the updated requirements in Willow are more stringent.
• Passwordless Authentication:
  • Willow explicitly acknowledges and accepts passwordless authentication methods (biometrics, security keys/tokens, etc.) as equivalent to password-based authentication.
  • Montpellier primarily focused on password-based authentication, with limited recognition of passwordless methods.

In essence, Willow represents an evolution of the Cyber Essentials standard, aiming to:

• Reflect modern work environments and authentication methods.
• Improve clarity and guidance for organisations.

Enhance cyber security by addressing more comprehensive threats and vulnerabilities.

Navigating the complexities of Cyber Essentials can be challenging. Collective Security, a leading information and cyber security company, offers comprehensive services to assist organisations in achieving Cyber Essentials and Cyber Essentials Plus certification. Our experienced consultants can:

• • Provide expert guidance on the Cyber Essentials requirements, including the changes introduced in version 15 “Willow.”
  • Conduct thorough assessments of your current cyber security posture.

• Identify any gaps and recommend effective remediation strategies.
• Assist with the implementation of necessary controls and processes.
• Prepare your organisation for the Cyber Essentials assessment, ensuring a smooth and successful certification process.

By partnering with Collective Security, organisations can streamline the certification process, minimise disruption to their operations, and strengthen their overall cyber security resilience.