Cyber Essentials Willow Update 2025

What You Need to Know

The latest Cyber Essentials update, ‘Willow’, was released in May 2025, marking a significant evolution in the UK government’s flagship cyber security certification scheme. Replacing the ‘Montpellier’ question set, Willow reflects updated guidance from the National Cyber Security Centre (NCSC) and responds to emerging threats that businesses face today.

Whether you’re renewing your certification or applying for the first time, here’s a clear breakdown of what’s changed — and what your business needs to do next.

Key Changes in the 2025 Willow Update

The Willow update builds on the previous Montpellier release, revising definitions, terminology, and processes to keep Cyber Essentials aligned with current cyber security best practice.

Some of the headline changes include:

1. Expanded Scope: Firmware is Now In-Scope

The term ‘software’ now explicitly includes firmware, such as that running on firewalls and routers. Firmware on these devices must therefore be kept up to date in the same way as operating systems and applications, and it will be checked during assessment rather than being treated as outside the scope of the patch management control.

Why it matters: Unpatched firmware is increasingly targeted by attackers and often overlooked in patch management strategies.

2. Mandatory Asset Management Practices

Organisations must now maintain an accurate, up-to-date inventory of all devices and software within scope. This includes:

  • Company-issued and personal (BYOD) devices

  • Cloud services

  • Networking equipment

  • Installed applications

Why it matters: Asset visibility is a fundamental control for identifying vulnerabilities and reducing risk.

3. Updated Terminology: ‘Plugins’ Become ‘Frameworks and Extensions’

The term “plugins” has been replaced with “frameworks and extensions”, aligning the question set with how modern software is developed and deployed. Browser and application extensions are therefore clearly covered by the same software controls (including patching) as other in-scope software.

4. Tighter Controls for BYOD (Bring Your Own Device)

The update introduces stricter rules for personal devices used for work, referencing the latest NCSC guidance. Organisations must:

  • Define clear BYOD policies

  • Enforce controls such as device encryption and screen locks

  • Ensure staff understand their responsibilities

Why it matters: Personal devices are often a weak link, especially in remote or hybrid environments.

5. Cloud Services: MFA Required for All Users

Multi-factor authentication (MFA) must be enforced on every in-scope cloud service, for all user accounts, including administrators.

Why it matters: Stolen or phished passwords are the most common route into cloud accounts; MFA ensures a password on its own is not enough to log in.

What Your Business Needs to Do

Whether you’re looking to achieve certification for the first time or renew under Willow, you’ll need to ensure that your policies, tools, and documentation reflect these new expectations.

Here’s how to stay compliant:

✅ Review the full Willow requirements on the NCSC website.

✅ Audit and update your asset management processes.

✅ Keep firmware on all in-scope devices (firewalls, routers and other networking equipment) up to date.

✅ Enforce MFA across all cloud platforms, for all users.

✅ Review and formalise your BYOD policies and training.

Need Help Navigating the Willow Update?

As an IASME-approved certification body, CyberLab has already helped hundreds of organisations achieve Cyber Essentials and Cyber Essentials Plus — and we’re ready to guide you through the Willow update too.

Whether it’s a full audit or a quick compliance health check, we can support you every step of the way.

Contact us today to get started with Willow.

Refresh: Cyber Essentials vs Cyber Essentials Plus

Not sure which level of Cyber Essentials is right for your organisation? Here’s a quick comparison of the two certification options to help you decide:

Feature | Cyber Essentials | Cyber Essentials Plus
--- | --- | ---
Assessment method | Self-assessment questionnaire reviewed by a certification body | Independent audit including external testing of systems and devices
Technical scope | Five core controls: firewalls, secure configuration, user access control, malware protection, and patch management | Same five controls, but verified through hands-on technical testing
Level of assurance | Basic assurance based on self-declared compliance | Higher assurance through in-depth technical verification
Cost | £300–£600 + VAT, depending on organisation size | £1,365+, depending on organisation size
Time and resources | Typically completed within a few days to weeks, depending on readiness | More involved process; includes on-site or remote audits and a potential remediation period
Certification validity | 12 months | 12 months
Ideal for | Small businesses seeking a cost-effective way to demonstrate basic cyber hygiene | Organisations handling sensitive data or requiring higher security assurance
Badge usage | Use of the Cyber Essentials badge to showcase compliance | Use of the Cyber Essentials Plus badge, indicating higher security standards
