Cyber Essentials – What’s Changing in 2025?

Amarjit Sandhu | Cyber Security Analyst at URM | Published on 14 Nov 2024

In September 2024, IASME, the National Cyber Security Centre’s (NCSC’s) scheme delivery partner, released the latest version of the Cyber Essentials Question Set, Willow, which will come into effect on 28 April 2025.  IASME has described the changes in Willow and the Cyber Essentials Requirements for IT Infrastructure document V3.2 as ‘fairly minor’.  However, it is vital for organisations certifying or recertifying to the scheme to ensure that they understand the changes well ahead of their certification against the new Question Set, as some may have a significant impact.

In this blog, Amarjit Sandhu, Cyber Security Analyst at URM, discusses the Willow Question Set and other Cyber Essentials-related changes coming up in the next year.  This blog is based on a 2024 URM webinar, delivered by Amarjit and hosted by Lauren Gotting, New Business Director at URM, in which they provided insights and guidance on how to achieve Cyber Essentials certification.

Rewording of Questions

As discussed in our blog on Common Cyber Essentials Challenges and How to Overcome Them, it is not uncommon for organisations to misread and misunderstand the questions in the Self-Assessment Questionnaire (SAQ), and subsequently provide noncompliant answers.  In the latest version of the Cyber Essentials Question Set, IASME has changed the way questions are asked.  These changes have made the questions slightly easier to understand, and links are now provided alongside the questions that direct you to additional information and resources to help you provide a compliant answer.  However, it’s important to remember that some questions may still not be 100% clear, so it is advisable to remain cautious when answering and to ensure you have fully understood each question before submitting your completed SAQ.

Passwordless Options

As the name suggests, passwordless authentication is when you use an authentication method other than a password to access an account.  Any passwordless method used must be FIDO2 compliant in order not to be assessed as a Cyber Essentials noncompliance.  FIDO2 compliant authentication methods include YubiKeys, which are plugged into the device, and certain biometric authentication (e.g., face or fingerprint recognition), such as Windows Hello.  You can usually verify whether an authentication method is FIDO2 compliant by checking the vendor’s website, as vendors will typically want to ensure customers are aware that their authentication solution is FIDO2 compliant; however, you can also ask the vendor directly.

CVSS 7 or Greater Fixes

Currently, Cyber Essentials requires organisations to apply all patches fixing a high or critical-risk vulnerability within 14 days of release, and to remove any end-of-life (EOL) software.  The Willow Question Set, however, has changed the terminology used for this requirement from ‘patches and updates’ to ‘vulnerability fixes’, and you are now required to fix any in-scope vulnerability regardless of whether doing so requires a patch, a configuration change, a registry change, etc.  This applies to any vulnerability with a CVSS score of 7 or above, any vulnerability the vendor rates as high or critical risk, and any vulnerability for which the vendor has not published information on its criticality.  Certain vendors don’t want to be seen as having any serious issues, so won’t publish all of their findings or information on the criticality of the vulnerabilities they identify; all fixes such vendors release therefore need to be applied.

There are a number of common vulnerabilities which require configuration/registry changes that will be in scope of Cyber Essentials from April, and will therefore need to be fixed to achieve/maintain compliance:

  • SMBv1
  • LanMan/NTLMv1
  • WinVerifyTrust
  • Birthday attacks against Transport Layer Security (TLS).

Fixing these vulnerabilities (and others that are in scope of Cyber Essentials) may be achievable by rolling out fixes via group policy rather than manually fixing them on each device; however, how easy or difficult this is will depend on how your organisation’s estate and infrastructure are configured.

The number of issues you need to rectify to remain compliant with Cyber Essentials will be highly dependent on your estate; many organisations will only need to remediate 1 issue to achieve or retain their certificate, whereas URM has also worked with organisations that will need to rectify 20-30 vulnerabilities (on top of patching) before they attempt to certify or recertify against Willow.  For Cyber Essentials, you will need to confirm in the SAQ that these vulnerabilities have been remediated, and for Cyber Essentials Plus, this will be confirmed in the external audit.  As such, it’s important to establish your organisation’s status regarding these vulnerabilities as soon as possible.
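As an added example (not tooling from URM or IASME, and not part of the original post), the following read-only PowerShell audit reports whether a Windows host has the four configuration-level items listed above in a compliant state, using the Microsoft-documented registry locations and cmdlets for each setting. It assumes an elevated session on Windows 10/11 or Windows Server 2016 or later, and changes nothing; use it to establish your starting position before rolling out fixes via group policy.

```powershell
# Read-only audit of the four configuration-level findings named above.
# Run in an elevated PowerShell session; nothing is modified.

function Test-Smb1 {
    # SMBv1 is off when the optional feature is not enabled and the
    # LanmanServer configuration does not report SMB1 as enabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $enabled = ($feature -and $feature.State -eq 'Enabled') -or ($server -and $server.EnableSMB1Protocol)
    [pscustomobject]@{ Check = 'SMBv1 disabled'; Compliant = (-not $enabled) }
}

function Test-NtlmV1 {
    # LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLMv1.
    $lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { -1 }
    [pscustomobject]@{ Check = 'LM/NTLMv1 refused (LmCompatibilityLevel = 5)'; Compliant = ($level -eq 5) }
}

function Test-WinVerifyTrust {
    # The stricter Authenticode padding check is opt-in: EnableCertPaddingCheck
    # must be "1" under both the native and WOW6432Node Wintrust\Config keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    $ok = $true
    foreach ($k in $keys) {
        $v = (Get-ItemProperty $k -ErrorAction SilentlyContinue).EnableCertPaddingCheck
        if ("$v" -ne '1') { $ok = $false }
    }
    [pscustomobject]@{ Check = 'WinVerifyTrust padding check enabled'; Compliant = $ok }
}

function Test-Tls3Des {
    # TLS birthday attacks target 64-bit block ciphers, so no enabled
    # cipher suite may use 3DES.
    $suites = Get-TlsCipherSuite -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '3DES' }
    [pscustomobject]@{ Check = 'No 3DES TLS cipher suites enabled'; Compliant = (-not $suites) }
}

$results = @(Test-Smb1; Test-NtlmV1; Test-WinVerifyTrust; Test-Tls3Des)
$results | Format-Table -AutoSize
# Non-zero exit code lets a deployment tool flag hosts that still need work.
if ($results.Compliant -contains $false) { exit 1 }
```

A host that reports all four checks as compliant still needs its patch status confirmed separately; this script covers only the configuration-level items.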

Software Going End of Life (EOL)

As was the case with the previous Montpellier Question Set, you are required to remove any EOL software from your machines in order to be Cyber Essentials compliant, and having EOL software installed will result in an automatic fail.  In the coming year, a number of popular products that we frequently come across in Cyber Essentials assessments are going EOL, including:

  • Windows 10 22H2 (build 19045) – All Editions (EOL date 14 Oct 2025)
  • Windows 11 22H2 (build 22621) – Enterprise, Education, IoT Enterprise, and Enterprise multi-session Editions (EOL date 14 Oct 2025)
  • Windows 11 23H2 (build 22631) – Home, Pro, Pro Education, and Pro for Workstations Editions (EOL date 11 Nov 2025)
  • Ubuntu 20.04 LTS (Focal Fossa) – End of Standard Support in April 2025 (paid Ubuntu Pro support will continue until April 2030)
  • Amazon Linux 2 – EOL date 30 Jun 2025
  • VMware ESXi 7.0 – End of General Support date 2 Oct 2025
  • Microsoft SQL Server 2012 SP4 – Extended Security Update end date 8 Jul 2025
  • Microsoft Exchange Server 2016 and 2019 – End of Support date 14 Oct 2025.

Closing Thoughts

Whilst the Willow Question Set does not represent a wholesale overhaul of Cyber Essentials, the updated requirements (particularly those relating to vulnerability fixes) may have a considerable impact on your organisation’s efforts to comply with the scheme.  And, as was required for certification against Montpellier, any software that has gone EOL at the time of your assessment will need to be removed.  As such, it’s important to fully consider how these changes will affect your organisation’s unique IT estate to ensure you are prepared for certification against Willow and to remain Cyber Essentials compliant as we move into 2025.

How URM can Help

If you feel that your organisation would benefit from tailored advice and support with Cyber Essentials certification, URM is ideally positioned to provide this.  As an accredited certification body, URM has been trained and licensed to certify organisations against the Cyber Essentials Scheme and has facilitated hundreds of successful Cyber Essentials and Cyber Essentials Plus assessments, providing us with a wealth of knowledge and experience around the Scheme.  Meanwhile, as an Assured Service Provider under the NCSC’s Cyber Advisor scheme, our team of Cyber Advisors (Cyber Essentials) can offer you reliable advice with the aim of guiding your implementation of the Cyber Essentials security controls and achieving a seamless and successful certification.

We can conduct a gap analysis prior to your assessment where we identify any areas of noncompliance in your existing policies and controls, and offer advice on how these can be remediated.  When you feel ready to undergo the assessment, we can also review your application before formal submission of your SAQ; here, URM’s assessor can either work through a Cyber Essentials checklist with you before you complete the SAQ, enabling you to successfully fill out the SAQ yourself, or check your already completed SAQ before it is submitted.  If you decide to go for Cyber Essentials Plus, we can conduct a technical pre-assessment on a smaller, but still significant, sample of systems, following which we will explain and provide recommendations for eliminating any noncompliances.

Amarjit Sandhu
Cyber Security Analyst at URM
Amarjit Sandhu is a Cyber Security Analyst at URM and an IASME certified Cyber Essentials and Cyber Essentials Plus Assessor.