Cyber Essentials Changes for 2025

Cyber Essentials 'Willow' is coming

You may be asking, “why are they changing the questions?” Well, the threat landscape is always changing, so the way we react to those threats needs to change too. This is the only way to make sure that your business stays secure, in addition to it bringing the scheme up-to-date with current security practices. Cyber Essentials will still continue to focus on the five key technical controls which are the best first line of defence against a potential threat.

So, what changes will we be looking at in April 2025? I’ll be taking a look at 3 specific changes introduced in Willow and explaining the rationale behind them.

Change 1: Definitions

Perhaps surprisingly, a lot of the changes are around definitions. Making sure questions are clear and being applied to the right areas of your organisation can add up to a significant difference to your security posture. We should see a number of better descriptions and resources provided to applicants with links to IASMEs CE Knowledge Hub with information on all different areas of the assessment.

For example, question A2.7.1 was, “How many staff are home workers?”, this is changing to “How many staff are home or remote workers?”

You may think that you would include remote workers in the original question of home workers, but unfortunately we’ve found many organisations that wouldn’t, and need guidance to make sure the right workers are being considered in the answer. With this simple change in wording, it will leave less space for ambiguity.

Change 2: Passwordless logins

In addition to definition changes, we also see the inclusion of passwordless logins. Previously, questions around logins focused on passwords and MFA (multi-factor authentication), but as technology continues to evolve, we see more and more widespread adoption of passwordless authentication where more than one factor of authentication can be used without a password. This could be biometrics combined with a one-time code, or the use of a security key or token with a push notification from a smartphone to approve the login.

Even with passwordless authentication, there can still be a password backup option, so just because you use passwordless, you must still ensure that, if there is a password option, all technical controls on password quality and brute force protection are applied.

It is great to see passwordless included in this latest update as it will open up more secure methods of authentication to choose from, and shows that Cyber Essentials is putting in the work to keep its place as a relevant, sought-after certification.

Change 3: How we think about vulnerabilities

Lastly, we see a change in relation to vulnerability management. Previously, Cyber Essentials focused on ensuring that all ‘high’ and ‘critical’ vulnerabilities were patched. However, vendors and manufactures also offer other ways to remediate vulnerabilities such as providing registry fixes, configuration changes or running scripts.

Cyber Essentials will move from just “patches and updates” to “vulnerability fixes” as a whole. This is a key part of a wider shift in how we think about vulnerabilities: they’re a problem to be solved, not a hole to be patched.

Practically this means that any method of fix approved by the vendor to remediate a known vulnerability must be applied to achieve certification.

This is very important as by only covering fixes applied by patches and updates can lead to companies ignoring those other vulnerabilities which could leave them at risk. The change will help push organisations to keep up to date with latest vulnerabilities and making sure that fixes are applied beyond a simple patch.