Cyber Essentials – What’s Changing in 2025?

As discussed in our blog on Common Cyber Essentials Challenges and How to Overcome Them, it is not uncommon for organisations to misread and misunderstand the questions in the Self-Assessment Questionnaire (SAQ), and subsequently provide noncompliant answers.  In the latest version of the Cyber Essentials Question Set, IASME has changed the way questions are asked.  These changes have made the questions slightly easier to understand, with links provided alongside the questions that direct you to additional information and resources which help you to provide a compliant answer.  However, it’s important to remember that some questions may still not be 100% clear, so it is advisable to remain cautious when answering the questions and to ensure you have fully understood each question before submitting your completed SAQ.

As the name suggests, passwordless authentication is when you use authentication methods other than a password to access an account.  Any passwordless methods used must be FIDO2 compliant in order not to be assessed as a Cyber Essentials noncompliance.  FIDO2 compliant authentication methods include YubiKeys, which is plugged into the device, and certain biometric authentication (e.g., face or fingerprint recognition), such as Windows Hello.  You can usually verify whether an authentication method is FIDO2 compliant by checking the vendor’s website, as vendors will typically want to ensure customers are aware that their authentication solution is compliant with FIDO2, however you can also ask the vendor directly.

Currently, Cyber Essentials requires organisations to apply all patches fixing a high or critical-risk vulnerability within 14 days of release, and to remove any end-of-life (EOL) software.  The Willow Question Set, however, has changed the terminology used for this requirement from ‘patches and updates’ to ‘vulnerability fixes’, and you are now required to fix any vulnerability, and regardless of whether doing so requires a configuration change, registry change, etc.  This applies to configuration/registry changes with a CVSS of 7 or above, or that are high or critical risk, or where the vendor has not published information on the vulnerability’s criticality.  Certain vendors don’t want to be seen as having any serious issues, so won’t publish all of their findings or information on the criticality of the vulnerabilities they identify, and therefore all patches they release need to be applied.

There are a number of common vulnerabilities which require configuration/registry changes that will be in scope of Cyber Essentials from April, and will therefore need to be fixed to achieve/maintain compliance:

• SMBv1
• LanMan/NTLMv1
• WinVerifyTrust
• Birthday attacks against Transport Layer Security (TLS).

Fixing these vulnerabilities (and others that are in scope of Cyber Essentials) may be achievable by rolling out fixes via a group policy rather than manually fixing them on each device, however the level of ease or difficulty associated with this will be dependent on how your organisation’s estate and infrastructure is configured.

The number of issues you need to rectify to remain compliant with Cyber Essentials will be highly dependent on your estate; many organisations will only need to amend 1 issue to achieve or retain their certificate, however URM has also worked with organisations that will need to rectify 20-30 vulnerabilities (on top of patching) before they attempt to certify or recertify against Willow.  For Cyber Essentials, you will need to confirm in the SAQ that these vulnerabilities have been remediated, and for Cyber Essentials Plus, this will be confirmed in the external audit.  As such, it’s important to establish your organisation’s status regarding vulnerabilities as soon as possible.

As was the case with the previous Montpellier Question Set, you are required to remove any EOL software from your machines in order to be Cyber Essentials compliant, and having EOL software installed will result in an automatic fail.  In the coming year, a number of popular products that we frequently come across in Cyber Essentials assessments are going EOL, including:

• Windows 10 22H2 (build 19045) – All Editions (EoL date 14 Oct 2025)
• Windows 11 22H2 (build 22621) - Enterprise, Education, IoT Enterprise, and Enterprise multi-session Editions (EoL date 14 Oct 2025)
• Windows 11 23H2 (build 22631) - Home, Pro, Pro Education, and Pro for Workstations Editions (EoL date 11 Nov 2025)
• Ubuntu 20.04 LTS (Focal Fossa) – End of Standard Support in April 2025 (paid Ubuntu Pro support will continue until April 2030)
• Amazon Linux 2 – EoL date 30 Jun 2025
• VMware ESXi 7.0 – End of General Support date 2 Oct 2025
• Microsoft SQL Server 2012 SP4 – Extended Security Update end date 8 Jul 2025
• Microsoft Exchange Server 2016 and 2019 – End of Support date 14 Oct 2025.

Whilst the Willow Question Set does not represent a wholesale overhaul of Cyber Essentials, the updated requirements (particularly those relating to vulnerability fixes) may have a considerable impact on your organisation’s efforts to comply with the scheme.  And, as was required for certification against Montpellier, any software that has gone EOL at the time of your assessment will need to be removed.  As such, it’s important to fully consider how these changes will affect your organisation’s unique IT estate to ensure you are prepared for certification against Willow and to remain Cyber Essentials compliant as we move into 2025.