As of 28 April 2025, the UK's Cyber Essentials Plus scheme has been updated to version 3.2, introducing the "Willow" question set. This update brings several changes aimed at enhancing the rigour and clarity of the certification process.
What's New in Cyber Essentials Plus v3.2 (Willow)
1. Document Renaming
The term "Illustrative" has been removed from the document title, now referred to simply as the "Cyber Essentials Plus Test Specification." This change underscores the definitive nature of the requirements outlined.
2. Scope Verification
Assessors are now required to verify that the scope of the Cyber Essentials Plus assessment aligns with the scope defined in the corresponding Cyber Essentials self-assessment certificate. This ensures consistency and clarity in what is being evaluated.
3. Segregation Verification for Subsets
For organisations where the assessment scope does not cover the entire organisation, assessors must confirm that any subsets are effectively segregated using technical means. This step is crucial to ensure that out-of-scope areas do not compromise the security of the in-scope systems.
4. Sampling Verification
The updated specification provides detailed guidance on selecting representative samples of devices for testing. Assessors must ensure that the sample size is calculated correctly and that the selected devices accurately reflect the organisation's infrastructure.
5. Expanded Definition of Vulnerability Fixes
The term "vulnerability fixes" now covers not only patches and updates but also configuration changes, registry edits and vendor-supplied scripts. Organisations must apply every vendor-advised fix for a vulnerability rated High or Critical (or with a CVSS v3 base score of 7 or above) within 14 days of its release, whatever form that fix takes; an assessor will treat an unapplied configuration workaround exactly as they would a missing patch.
Overview of Cyber Essentials Plus Assessment Requirements
The Cyber Essentials Plus assessment involves a series of tests to verify an organisation's compliance with the scheme's technical controls. Key aspects include:
- Remote Vulnerability Assessment: Scanning of internet-facing systems to identify vulnerabilities that could be exploited by external attackers.
- Authenticated Vulnerability Scans: Internal scans of end-user devices and servers to detect missing security updates and configurations that could pose risks.
- Malware Protection Checks: Verification that appropriate malware protection measures are in place and functioning effectively across all relevant systems.
- User Access Control Evaluation: Assessment of user account management practices, including the implementation of multi-factor authentication and the principle of least privilege.
- Secure Configuration Review: Examination of system configurations to ensure they adhere to security best practices and do not expose the organisation to unnecessary risks.
Each test case must be passed to achieve certification; any failure results in an overall fail.
Preparing for Certification
Organisations aiming for Cyber Essentials Plus certification should:
- Review and understand the updated requirements in version 3.2.
- Ensure that all systems within the assessment scope are properly configured and up to date with all relevant vulnerability fixes.
- Verify that any subsets of the organisation included in the assessment are effectively segregated from out-of-scope areas.
- Work with assessors to select representative samples of devices for testing.
By adhering to these updated requirements, organisations can enhance their cybersecurity posture and demonstrate their commitment to protecting sensitive data and systems.
Download the Cyber Essentials Plus Test Specification
For detailed guidance and support on achieving Cyber Essentials Plus certification under the new v3.2 requirements, please contact our team.