Cyber Essentials is a UK government-backed scheme designed to help organisations protect themselves against a wide range of common cyber threats. It provides a clear framework for implementing essential security controls, offering both reassurance to customers and a strong foundation for cyber resilience.
The Willow standard, launched in April 2025, is the latest evolution of the Cyber Essentials scheme. It introduces updated requirements that reflect the changing digital landscape and the growing sophistication of cyber risks.
At Assure Technical, we’ve been a leading Cyber Essentials Certification Body since 2016. Every day we help organisations achieve certification. Through this experience, we often come across myths that create confusion, slow progress, or lead to unnecessary spending.
Since the launch, we’ve had conversations with multiple IT managers, CISOs, and business leaders. They’re being told they must buy specific tools, replace entire systems, or adopt new technologies to comply with Willow. However, much of this advice is based on partial truths – or worse, outright misinformation.
In this article, we’ll break down the most common misconceptions about the Willow standard and help you focus on what really matters for successful and efficient compliance.
Misconception 1: Willow Brings Major Technical Overhauls
Many believe the Willow update introduces sweeping technical changes. In reality, Willow focuses on refining definitions, clarifying terminology, and providing helpful resources. For example, terms like ‘plugins’ are now called ‘extensions’ and ‘home workers’ are now ‘home and remote workers’. The update is about clarity, not complexity.
Misconception 2: Passwordless Authentication Is Now Mandatory
Some assume passwordless authentication is required. However, Willow simply recognises passwordless authentication as a valid option, alongside multi-factor authentication (MFA). Organisations can choose the method that best fits their needs, as long as it meets the standard’s security requirements.
Misconception 3: Only Patches Count as Vulnerability Fixes
There is a misconception that only software patches satisfy vulnerability remediation. Under Willow, any vendor-approved fix for a critical or high vulnerability, such as registry tweaks, configuration changes, or scripts, must be applied within 14 days. This ensures a broader, more effective approach to security.
Misconception 4: Anti-Virus Software Must Be Purchased Separately
Some IT Service Providers and Cyber Essentials Certification Bodies have started promoting specific anti-virus (AV) products as mandatory for Willow compliance. This is not accurate. The standard continues to accept native anti-malware solutions for Windows (like Microsoft Defender) and macOS, provided they are active and up to date. For Linux, a suitable anti-malware solution is required, but open-source tools such as ClamAV can be configured to comply. There is no need to purchase commercial AV software if your current solution meets the requirements.
Misconception 5: MDM (Mobile Device Management) Is Now Required
We’ve seen some suggestions that MDM is a blanket requirement under Willow. This is misleading. The standard states you must control which applications are installed on devices, including employee-owned ones. You may use MDM software to achieve this, but it is not mandatory.
Good policies, processes, and staff training can also meet this requirement. For micro and small organisations, MDM is not expected. For medium-sized and larger organisations, MDM is generally recommended, but not explicitly required in the Cyber Essentials Willow question set or guidance.
Misconception 6: Small Businesses Are Exempt From Key Requirements
Some small organisations think the standard’s requirements do not apply to them. In fact, all businesses, regardless of size, must comply with the same baseline controls. The scheme is designed to be accessible and scalable, but it does not offer exemptions based on size.
Misconception 7: Certification Guarantees Complete Security
While achieving Cyber Essentials – whether under Willow or not – is a valuable milestone, it does not guarantee full protection against all cyber threats. Crucially, this certification reflects a point-in-time assessment. Therefore, it captures the organisation’s security posture only on the date of review.
Moreover, cyber risks are constantly evolving, which means organisations must take a proactive approach to defence. Ongoing vulnerability scanning, continuous improvement, and staff awareness are all essential. Increasingly, businesses are also turning to managed Security Operations Centres (SOCs) for real-time threat detection and response. While certification demonstrates a solid commitment to best practices, it’s only one element of a wider, more robust cybersecurity strategy.
Misconception 8: The Certification Process Is Disruptive and Complicated
At Assure Technical, we often hear concerns that certification is time-consuming or disruptive. With the right support, the process can be smooth and straightforward. Our team offers unlimited guidance, jargon-free advice, and a pain-free approach, ensuring minimal interruption to your business.
Why Clarity Matters
Understanding the real requirements of the Willow Cyber Essentials standard allows organisations to focus on what truly matters – safeguarding their data and reputation. By cutting through common misconceptions, we help businesses pursue certification with greater confidence and purpose.
If you have questions about the Willow standard or need expert guidance, Assure Technical is here to support you. With a people-first approach and an outstanding 4.9 Trustpilot rating backed by hundreds of 5-star reviews, we’re proud to be recognised as one of the UK’s most trusted cybersecurity partners.
In summary:
- Willow is about clarity, not complication.
- Native AV is compliant for Windows and macOS; Linux needs a suitable solution, but open-source tools are acceptable.
- MDM is not mandatory for small organisations; strong policies and training can suffice.
- Don’t be pressured into buying extra tools unless they genuinely enhance your security posture.
- With the right support, achieving and maintaining Cyber Essentials certification is within reach for every organisation.
Ready to demystify Cyber Essentials and secure your organisation with confidence?
Contact Assure Technical today for expert advice, tailored support, and a seamless certification journey. Let’s protect your business together.
Or for more information on our Cyber Essentials packages and how we can help you achieve certification smoothly, please visit our Cyber Essentials service page.
Assure Technical stands for clarity, integrity, and trusted guidance in cybersecurity.
Sources:
https://iasme.co.uk/cyber-essentials/questions/willow/pdf