As of 28 April 2025, the UK’s Cyber Essentials scheme has been updated to version 3.2, introducing the “Willow” question set. This update reflects the evolving cybersecurity landscape, addressing modern threats and working practices. Organisations seeking certification must now comply with these revised requirements.
What's New in Cyber Essentials v3.2 (Willow)
1. Passwordless Authentication Recognition
The updated requirements acknowledge passwordless authentication methods, such as biometrics, security tokens, and push notifications, as valid forms of multi-factor authentication. This change aligns with the industry's move towards more secure and user-friendly authentication mechanisms.
2. Expanded Definition of Vulnerability Fixes
The term "vulnerability fixes" now encompasses not only patches and updates but also configuration changes, registry edits, and vendor-supplied scripts. Organisations are required to apply all vendor-advised fixes rated High or Critical, regardless of the method of implementation.
3. Terminology Update: 'Home and Remote Working'
The term "home working" has been updated to "home and remote working" to reflect the variety of locations from which employees may access company systems. This change emphasises the need for robust security measures for all remote access scenarios.
4. Clarified Software Definition
The definition of software now includes operating systems, commercial off-the-shelf applications, extensions, interpreters, scripts, libraries, network software, and firmware. This clarification ensures a comprehensive approach to software security.
Overview of Cyber Essentials Requirements
Cyber Essentials focuses on five key technical control themes:
- Firewalls: Ensuring only safe and necessary network services are accessible from the internet.
- Secure Configuration: Implementing security settings for hardware and software to reduce vulnerabilities.
- Security Update Management: Applying updates and fixes promptly to protect against known vulnerabilities.
- User Access Control: Restricting access to data and services based on user roles and responsibilities.
- Malware Protection: Deploying appropriate measures to detect and prevent malware infections.
These controls are designed to protect organisations from common cyber threats and demonstrate a commitment to cybersecurity best practices.
Preparing for Certification
Organisations aiming for Cyber Essentials certification should:
- Review and understand the updated requirements in version 3.2.
- Assess current cybersecurity measures against the five technical control themes.
- Implement necessary changes to comply with the new standards, including adopting passwordless authentication methods where appropriate and ensuring all vulnerability fixes are applied promptly.
- Ensure that remote working arrangements are secure and align with the updated "home and remote working" terminology.
By adhering to these updated requirements, organisations can enhance their cybersecurity posture and demonstrate their commitment to protecting sensitive data and systems.
The new Cyber Essentials: Requirements for IT Infrastructure v3.2 document can be downloaded below:
Download Cyber Essentials: Requirements for IT Infrastructure v3.2
For detailed guidance and support on achieving Cyber Essentials certification under the new v3.2 requirements, please contact our team at info@cybercompliance.org.uk.