
Cyber Essentials changes
from 28th April 2025

The new Question set is called Willow.


The full question set is available in PDF and Excel format from the Downloads section.


The changes will apply to all new online account requests from 28th April 2025.


Transitional arrangements​

  • All existing portal Montpellier accounts will need to be finalised by 28th October​

  • Cyber Essentials Plus assessments will be conducted based upon the question set used for the online assessment.​

  • Last date for a Montpellier based CE+ assessment is 28th January 2026


Question set changes from Montpellier

  • Scope wording

    • Clear and precise descriptions required – more emphasis on wording now. The description needs to include ‘network’ references.​

  • Extended security update contracts – confirmation required​

  • Firewalls

    • Change of question wording for clarity and requirement for a firewall management process – applies to situations where a software firewall is relied upon as the Internet boundary.​

    • Software firewalls to be enabled on all devices – office or remote​

  • Definition of Vulnerability Fixes introduced​

    • includes patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.​

  • Use of passwordless authentication permitted with a description

  • Other changes/clarifications​

    • Servers includes Virtual server hosts and Virtual servers​

    • Definition of Home Workers changes to Home or Remote Workers.​

    • All account access must be unique to the user for standard and admin usage, and not shared.​

    • Autorun replaced with any ‘feature allowing automatic file execution’.​


Changes to CE Plus assessments​

  • Scope verification​

    • Must match the scope stated on the CE submission or be reconciled if different​

    • Technical verification of the scope described​

    • Technical verification of any segregated sub-sets​

  • Sample testing​

    • No more than 72 hours (3 working days) notice on the test devices selected​

  • Vulnerability fixes​

    • Include patches, updates, registry fixes, configuration changes, scripts or any other mechanism prescribed by the vendor to fix a known vulnerability​

    • 14 day rule still applies but counts from the report issue date​

  • Vulnerabilities with CVSS 3.1 base score of 7.0 and above​

    • Where the vendor fix was issued within 14 days of the report date, or no vendor-provided vulnerability fix is available, these will be classed as advisory. The report will note their existence.


If you have any questions, please email us at info@cyberstrategies.co.uk
