Cyber Essentials: Transitioning from the Montpelier to Willow Question Set

Posted on March 11, 2025 by Peter Tooke

As of April 28, 2025, the Cyber Essentials certification process will undergo an update with the introduction of the Willow question set, replacing the previous Montpelier version. This new revision, conducted by the National Cyber Security Centre (NCSC) in collaboration with IASME and certification bodies, aims to ensure the scheme remains effective against evolving cyber threats.
In this blog, we’ll outline the key changes, their implications for your business, and how ramsac can assist you in navigating this transition seamlessly.
What are the key changes in the new Willow question set?
The Willow question set introduces several important updates to the Cyber Essentials requirements:
- Home and Remote Working: The terminology has been updated from “home working” to “home and remote working” to encompass modern work environments, including untrusted networks like cafes and hotels.
- Network Equipment Specification: Applicants are now required to list only relevant network equipment, specifically firewalls and routers, including their make and model. This change aims to prevent the unnecessary inclusion of devices such as hubs and switches.
- Passwordless Authentication: The scheme now accepts passwordless authentication methods, provided they adhere to recognised standards. Acceptable methods include:
  - Biometric authentication
  - Security keys or tokens
  - One-time codes
  - Push notifications
- Software Licensing and Updates: There is a new emphasis on ensuring all in-scope software and cloud services are properly licensed. Additionally, organisations must apply configuration changes or registry fixes, as advised by vendors, to mitigate high-risk vulnerabilities, not just standard software updates.
- Access Control and Least Privilege: The updated requirements stress the implementation of the principle of least privilege, ensuring that staff have only the necessary access rights to perform their current job functions.
What does this mean for you?
Organisations seeking to renew their Cyber Essentials certification after 28th April 2025 will be evaluated against the Willow question set.
There will be a grace period of 6 months, so if Basic is purchased before the 28th April, clients will have until the 28th October 2025 to pass on Montpelier.
If you decide to go for Plus after the 28th October, this will also be honoured on the Montpelier question set, and you will have until January 2026 to achieve Plus, which is 3 months since you achieved Basic.
How we can help
The shift to the Willow question set reflects the dynamic nature of cybersecurity and the necessity for organisations to adapt accordingly. Navigating these updates can be challenging, but we can support you through the transition.
We can complete a gap analysis to evaluate your current cybersecurity posture against the Willow question set, including the technical controls in your environment as well as your written policies, to pinpoint areas requiring enhancement.
Then, with the output, we will work with you to put the steps in place necessary to achieve compliance with the new standards.
If you have questions or need support with the upcoming changes, please contact your Relationship Manager, and we can help you achieve or maintain your Cyber Essentials certification.
