The new Question set is called Willow.

​

The full question is available in PDF and Excel format from the Downloads section.

​

The changes will apply to all new online account requests from 28th April 2025​​.

​

Transitional arrangements​

• All existing portal Montpellier accounts will need to be finalised by 28th October​

• Cyber Essentials Plus assessments will be conducted based upon the question set used for the online assessment.​

• Last date for a Montpellier based CE+ assessment is 28th January 2026

​

​Question set changes from Montpellier​

• Scope wording

  • Clear and precise descriptions required – more emphasis on wording now. The description needs to include ‘network’ references.​

• Extended security update contracts – confirmation required​

• Firewalls

  • Change of question wording for clarity and requirement for a firewall management process – applies to situations where a software firewall is relied upon as the Internet boundary.​

  • Software firewalls to be enabled on all devices – office or remote​

• Definition of Vulnerability Fixes introduced​

  • includes patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.​

• Use of passwordless authentication permitted with a description

• Other changes/clarifications​

  • Servers includes Virtual server hosts and Virtual servers​

  • Definition of Home Workers changes to Home or Remote Workers.​

  • All account access must be unique to the user for standard and admin usage, and not shared.​

  • Autorun replaced with any ‘feature allowing automatic file execution’.​

​

Changes to CE Plus assessments​

• Scope verification​

  • Must match the scope stated on the CE submission or be reconciled if different​

  • Technical verification of the scope described​

  • Technical verification of any segregated sub-sets​

• Sample testing​

  • No more than 72 hours (3 working days) notice on the test devices selected​

• Vulnerability fixes​

  • Include patches, updates, registry fixes, configuration changes, scripts or any other mechanism prescribed by the vendor to fix a known vulnerability​

  • 14 day rule still applies but counts from the report issue date​

• Vulnerabilities with CVSS 3.1 base score of 7.0 and above​

  • Vendor fix issued within 14 days of the report date or no vendor provided vulnerability fix is available, will be classed as advisory. The report will note their existence.​

​

​Any questions please email us - info@cyberstrategies.co.uk