An overview of the key implications from Assure Technical.
From 28 April 2025, the UK Government’s Cyber Essentials scheme will introduce a major update, known as the ‘Willow’ question set. This update reflects the rapidly evolving cyber threat landscape. It also brings the scheme in line with modern technologies and working practices, such as passwordless authentication and widespread remote working.
As an accredited Cyber Essentials Certification Body, Assure Technical is here to help you navigate these changes with confidence. Whether you’re applying for the first time or renewing your certification, understanding the impact of these updates – both technical and operational – is essential.
In this article, we outline the key changes introduced by the Willow update, what they mean in practice, and what actions you need to take.
Passwordless Authentication: Simplifying Secure Access
What’s Changing?
The latest Cyber Essentials Requirements for Infrastructure (v3.2) now include Passwordless Authentication. This method replaces traditional passwords with secure alternatives such as biometric data, physical tokens, one-time codes, or push notifications. If implemented correctly, it always uses more than one factor and aligns with the standard’s definition of multi-factor authentication.
What Does This Mean for Your Organisation?
You don’t need to make changes if you’re still using passwords. However, passwordless authentication is now officially recognised as compliant and can be adopted without concern.
What Should I Do?
- Continue promoting strong, non-guessable password creation for password-based systems.
- If you’re using passwordless methods, clearly record this in your Verified Self-Assessment Questionnaire (VSAQ).
Vulnerability Fixes: Making You More Secure
What’s Changing?
The term ‘patches and updates’ is being replaced with ‘vulnerability fixes’. This new definition goes beyond software updates. It includes configuration changes, registry edits, and vendor-supplied scripts – provided they’re recommended as fixes.
What Does This Mean for Me?
You must now apply all vendor-advised fixes rated High or Critical – not just security patches. Relying on automatic updates alone is no longer enough.
What Should I Do?
- Subscribe to vendor notifications for all key software products.
- Stay informed about new vulnerability fixes, including non-patch solutions.
Verification of Scope: Making Sure We Get It Right
What’s Changing?
During a Cyber Essentials Plus audit, assessors must now verify the scope recorded in your VSAQ. This includes checking devices, networks, and controls to ensure everything is accurate.
What Does This Mean for Me?
At the start of your audit, your assessor may run scans, request additional evidence, or review firewall configurations. Minimal extra work should be required, but incorrect scope details may cause delays.
What Should I Do?
- Maintain a detailed, up-to-date asset register – including personal (BYOD) devices.
- Double-check Section 2 (Scope) of your VSAQ for accuracy.
- Print device lists from your asset management software, if available.
- Ensure someone can access your firewall settings, if needed for verification.
Key Takeaways: Preparing for ‘Willow’
- Check for Passwordless Authentication – If you use it, record it clearly in your VSAQ.
- Track Vulnerability Fixes – Subscribing to vendor alerts makes this easier.
- Define Your Scope Accurately – Know your assets to protect them effectively.
- Engage Early with your Certification Body – Working with qualified Cyber Essentials Plus Lead Assessors like those at Assure Technical will help you avoid last-minute surprises.
Looking Ahead: Why These Changes Matter
The Willow update reflects a shift towards more practical, real-world cyber security expectations. Organisations must show not just technical compliance, but also operational responsibility and a clear, proactive approach to cyber risk.
Pete Lannon, Technical Director, Assure Technical, says: “The changes introduced in the Cyber Essentials ‘Willow’ question set bring several important and timely improvements to the standard. Beyond updated wording that better reflects modern working practices and technologies, the shift towards a more practical approach – focusing on fixing vulnerabilities rather than just applying patches – will help organisations improve their overall security. Additionally, the new requirement to technically verify the scope during Cyber Essentials Plus audits ensures nothing is overlooked when it comes to protecting your organisation.”
At Assure Technical, we’re here to support you through every stage of the Cyber Essentials journey. If you have questions about the Willow update or how it affects your certification, get in touch with our team for expert guidance.