Cyber Essentials Certification – a Guide to the 2022 Update
Cyber Essentials and Cyber Essentials Plus changed in 2022. New infrastructure requirements and amendments to technical controls announced by the National Cyber Security Centre (NCSC) came into force on January 24, 2022. If your organisation required Cyber Essentials certification, you needed to know what the 2022 update meant and how it affected certification.
It was essential information for any organisation looking to become certified or work as a supplier to organisations such as the Ministry of Defence (MoD) and the National Health Service (NHS).
What was the Cyber Essentials 2022 Update?
The new Cyber Essentials question set – known as Evendine – launched on January 24, 2022. It was the most significant change to the standard since it was introduced. While new question sets had been released previously, there had been very few changes to the scheme requirements themselves. With the Evendine release, there were significant changes to the scope requirements and the controls that needed to be applied to the devices within that scope.
The changes were designed to modernise the scheme and take into account key technology trends and infrastructure changes that had become commonplace. Trends such as a move to greater home working and Bring Your Own Device (BYOD) were now part of the scheme.
The 2022 update included changes to Cyber Essentials relating to:
The Cyber Essentials standard was constantly evolving, and there were usually annual updates to the question set. The reason behind these updates was that the threat landscape was continually evolving too: attacks that had been successfully thwarted in previous years might well have moved on in sophistication and delivery so that they now succeeded.
Cloud service changes
The Evendine update introduced significant changes to what must be included in scope, with the most noticeable being the inclusion of all cloud services. From the introduction of Evendine, all cloud services were required to be within the scope of Cyber Essentials.
- Infrastructure as a Service (IaaS) – was already in scope with Cyber Essentials and covered on-demand IT services such as storage and computing.
- Software as a Service (SaaS) – previously regarded as out of scope, included on-demand software services such as cloud-hosted business applications.
- Platform as a Service (PaaS) – had been a grey area that generally required careful consideration as to whether the service should be in scope or not, and covered development and deployment platforms in the cloud, such as database management.
It was no longer possible to certify only the cloud elements or servers of the business. The NCSC and IASME clarified that end-user devices must also be in scope.
The 2022 update meant that:
- It was no longer acceptable to descope all end-user devices.
- It was not possible to descope cloud services used by the organisation.
- All devices, software, and firmware in scope (including BYOD) had to be supported, with all controls applied.
Password requirement changes
There were also changes to passwords and 2-factor authentication (2FA) requirements.
From January 2024, all administrative users of cloud services had to have multi-factor authentication (MFA) applied, and all standard user accounts needed MFA when certifying in 2023.
In the meantime, user accounts needed either:
- 12-character passwords, or
- 8-character passwords when there was a technical control to deny bad passwords.
The NCSC requirements document described the new password controls as:
- Educating workers on how to avoid common or discoverable passwords, such as a pet’s name, common keyboard patterns, or passwords they had used elsewhere. This could include teaching people to use the password generator feature built into some password managers.
- Encouraging people to choose longer passwords, for example by promoting the use of multiple words (a minimum of three) to create a password (‘Three Random Words’).
- Providing usable secure storage for passwords (for example, a password manager or secure locked cabinet) with clear information about how and when it could be used.
- Not enforcing regular password expiry and not enforcing password complexity requirements.
- Having an established process to change passwords promptly if the applicant knew or suspected that a password or account had been compromised.
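The user-password rule above (12 characters, or 8 where a technical control rejects bad passwords, plus avoiding discoverable words and keyboard patterns) as an added example checker; this is not NCSC or IASME code, and the deny list, keyboard patterns and `known_names` input are constructed for the example:

```python
# Added example (not from the NCSC/IASME guidance): a minimal checker
# implementing the Evendine user-password rule described above.
from __future__ import annotations

# Constructed deny list standing in for a real "bad password" control
# (in practice a breached- or common-password feed).
DENY_LIST = {"password", "password1", "letmein", "welcome1",
             "qwerty123", "companyname2022"}

# Common keyboard walks the guidance says workers should avoid (constructed).
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345678", "1q2w3e4r")


def check_password(password: str, deny_list_enforced: bool,
                   known_names: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (accepted, reason).

    deny_list_enforced: True when a technical control rejects bad passwords,
    which lowers the minimum length from 12 to 8 characters.
    known_names: discoverable words for this user (pet names, company name),
    assumed to be supplied by the caller; a hypothetical input.
    """
    minimum = 8 if deny_list_enforced else 12
    if len(password) < minimum:
        return False, f"shorter than {minimum} characters"
    lowered = password.lower()
    # A deny-list hit is rejected whether or not the control is what
    # justified the shorter minimum: common passwords are bad at any length.
    if lowered in DENY_LIST:
        return False, "on the deny list"
    for pattern in KEYBOARD_PATTERNS:
        if pattern in lowered:
            return False, f"contains keyboard pattern {pattern!r}"
    for name in known_names:
        if name.lower() in lowered:
            return False, f"contains discoverable word {name!r}"
    return True, "accepted"
```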
Requirements to declare devices and BYOD
Servers and end-user device quantities had to be declared, and a new requirement was that the make and model of each device, as well as its operating system, had to be declared. A common fault that caused assessments to be sent back was giving only one of the operating system’s edition and version number when both were required.
It was recommended to maintain an up-to-date asset register, which had to include BYOD devices, to provide the required information.
As tracking BYOD devices could be complex, it was suggested to have a process for “on-boarding” a BYOD device so that the owner/make/model/OS could be documented whenever a staff member wished to use their own device to connect to company data.
Staff also needed to be prepared for the possibility that, if they chose to use a BYOD device, the device might need to be tested during Cyber Essentials Plus auditing, which should have been covered through employment contracts or internal policy. The recommendation was to cover this off with HR to ensure adequate coverage for BYOD.
All BYOD devices that accessed business data – including emails and cloud services – had to be regarded as being in scope and had to be fully declared. They also needed to have all the controls applied to them in the same way a corporate device would have.
If mobile devices were only being used to access a virtual desktop infrastructure (VDI) solution, this brought the device into scope in the same way as if it could access corporate emails.
If BYOD devices were only used for voice calls, SMS text messages, or as a platform to receive 2-factor authentication codes, then this did not bring them into scope.
It was necessary to assess whether BYOD devices were essential to the business.
Unless BYOD was treated in the same way as corporate mobiles, where all updates had to be applied, a minimum 6-character PIN was enforced (with rate limiting and lockout in place), and the device was not jailbroken or rooted, it was possible to fail Cyber Essentials and/or Cyber Essentials Plus.
Cyber Essentials 2022 – thin clients
From 2023, all thin clients needed to be in support and receive security updates. The Evendine question set included questions around thin client use.
Clarification around remote (home) workers
There was clarification around organisations that employed home workers. If the home network used an ISP-provided router, this was seen as being out of scope. Should the organisation have provided a router for the home worker, then this was in scope.
Homeworker computers had to have the software firewall active on the device. If this was in place, then home networks were out of scope. In the interests of best practice, it was suggested to set the public firewall profile to deny all incoming traffic.
Routers and firewalls requirements
Routers and firewalls had to have a password of at least 8 characters and either 2FA in place or administrative login restricted to internal addresses or a small set of whitelisted external IP addresses.
This was also tested as part of Cyber Essentials Plus.
There were also some significant changes to the Cyber Essentials Plus testing and auditing process.
What did the changes to Cyber Essentials Plus 2022 mean for an assessor?
Cyber Essentials Plus Assessors saw many organisations fail the standard due to insufficient patching of operating systems and applications. Applying security updates within the mandated 14-day period presented a challenge to some organisations, and the changes raised the bar further.
Previously, assessors were allowed to discount some vulnerabilities whose exploitation required, for example, local access to the machine or tricking a user into taking an action. Additionally, the exploitability of a vulnerability had to be proven with a reasonable level of certainty before it counted against the organisation.
In the new Cyber Essentials Plus, all critical and high vulnerabilities had to be remediated regardless of attack vector. This was a significant change, and many organisations that Assessors had previously been able to pass would now fail under the new assessment.
A new test of all cloud services was introduced with initial checks that all administrator accounts had 2FA enabled. From 2023, all accounts, even standard user accounts, needed to have 2FA present.
There were further tests to ensure that administrators did not work on a day-to-day basis with admin privileges, which was often a contentious requirement for developers.
Even for developers, having admin privileges in the course of everyday work was prohibited.
For macOS/Linux devices specifically, there had to be account separation between the user account (used for day-to-day work such as email/web browsing) and the administrative account of the machine. It was not compliant for a user to be a part of the “sudo” user group – there had to be complete separation.
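The account-separation check above, as an added audit helper that is not NCSC, IASME or the article’s own code: it parses `/etc/group`-style text and reports day-to-day accounts that hold membership of an administrative group. The group file content, the account names and the set of administrative group names are constructed for the example.

```python
# Added example (not from the NCSC/IASME guidance): flag day-to-day user
# accounts that are members of an administrative group, which the Evendine
# macOS/Linux account-separation requirement does not allow.
from __future__ import annotations
from typing import Iterable

# Assumed administrative groups: Debian/Ubuntu "sudo", RHEL family "wheel",
# macOS "admin". Adjust for the estate being audited.
ADMIN_GROUPS = ("sudo", "wheel", "admin")

# Constructed sample of /etc/group content for this example.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice,itadmin
wheel:x:10:itadmin
users:x:100:alice,bob
"""


def parse_groups(text: str) -> dict[str, set[str]]:
    """Map group name -> set of supplementary members (gid column ignored)."""
    groups: dict[str, set[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def audit_separation(text: str, daily_users: Iterable[str]) -> list[tuple[str, str]]:
    """Return (user, group) pairs where a day-to-day account holds admin rights."""
    groups = parse_groups(text)
    findings = []
    for user in daily_users:
        for group in ADMIN_GROUPS:
            if user in groups.get(group, set()):
                findings.append((user, group))
    return findings


if __name__ == "__main__":
    # "alice" and "bob" are the constructed day-to-day accounts to audit.
    for user, group in audit_separation(SAMPLE_GROUP_FILE, ["alice", "bob"]):
        print(f"NON-COMPLIANT: {user} is a member of {group}")
```

On Linux the real input is the contents of `/etc/group`; on macOS `admin` membership lives in Directory Services, so use the output of `dscl . -read /Groups/admin GroupMembership` rather than `/etc/group`.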