Cyber Essentials changes from 28th April 2025

The new question set is called Willow.

The full question set is available in PDF and Excel format from the Downloads section.

The changes will apply to all new online account requests from 28th April 2025.

Transitional arrangements
- All existing Montpellier portal accounts will need to be finalised by 28th October
- Cyber Essentials Plus assessments will be conducted based upon the question set used for the online assessment
- Last date for a Montpellier-based CE+ assessment is 28th January 2026

Question set changes from Montpellier
- Scope wording
  - Clear and precise descriptions required – more emphasis on wording now. The description needs to include ‘network’ references.
- Extended security update contracts – confirmation required
- Firewalls
  - Change of question wording for clarity and requirement for a firewall management process – applies to situations where a software firewall is relied upon as the Internet boundary.
  - Software firewalls to be enabled on all devices – office or remote
- Definition of Vulnerability Fixes introduced
  - Includes patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.
- Use of passwordless authentication permitted with a description
- Other changes/clarifications
  - ‘Servers’ includes virtual server hosts and virtual servers.
  - Definition of Home Workers changes to Home or Remote Workers.
  - All account access must be unique to the user for standard and admin usage, and not shared.
  - Autorun replaced with any ‘feature allowing automatic file execution’.

Changes to CE Plus assessments
- Scope verification
  - Must match the scope stated on the CE submission or be reconciled if different
  - Technical verification of the scope described
  - Technical verification of any segregated sub-sets
- Sample testing
  - No more than 72 hours (3 working days) notice on the test devices selected
- Vulnerability fixes
  - Include patches, updates, registry fixes, configuration changes, scripts or any other mechanism prescribed by the vendor to fix a known vulnerability
  - 14-day rule still applies but counts from the report issue date
- Vulnerabilities with CVSS 3.1 base score of 7.0 and above
  - Where the vendor fix was issued within 14 days of the report date, or no vendor-provided vulnerability fix is available, these will be classed as advisory. The report will note their existence.

Any questions, please email us: info@cyberstrategies.co.uk