
Cyber Essentials Willow Update 2025: Complete Guide to the Changes
The new Cyber Essentials update is here, and everyone is combing through changes thinking about how it might affect their new or yearly effort to badge up to either Cyber Essentials or Cyber Essentials Plus. Yes, we have all the details here – and we’ll go through those below. We’re also sharing our take on what’s happening to the shape of the standard, and where the smart money is on what to do to prepare for reaccreditation next year. We’re going to start with our thoughts, then provide a neat little-ish list of every single change to the standard.
Nurturing the spirit of Cyber Essentials
Before diving into the specifics, it’s worth understanding what’s driving these changes. The Cyber Essentials scheme has always provided a baseline of protection against common cyber attacks. But as the scheme has grown in popularity, so too has the temptation for some organisations to treat it as a box-ticking exercise rather than a genuine security improvement. The cynic in me says that this is inevitable when you have a compliance function that endeavours to secure access to tenders that sit behind requirements for Cyber Essentials, as security often plays second fiddle to the finance department when it comes down to it! So there’s been this ever-present and ever-creeping force that ‘industrialises’ compliance, and it only grows as the standard becomes more successful and is required to access certain markets like NHS or MOD contracts. In this way, the uptick in popularity brings with it the complex challenge of ensuring the standard can’t be gamed.
This is why we love Cyber Essentials Plus and IASME Cyber Assurance. The controls-based nature of the standard means you can’t simply out-scope complicated or frustrating aspects of the journey, and you must evidence things appropriately to your assessor. Thinking about the new Willow update, I’ll hazard a guess that the team were trying to further evolve this position of practical assessment while making it harder to reduce the CE process to a box ticker.
With the hot-topic Willow changes like reducing assessment windows, new technical verification requirements, and expanding definitions to match modern working practices, it’s clear the NCSC and IASME are working to meet this goal. We don’t want CE becoming security theatre – it’s about making sure that when an organisation displays the Cyber Essentials badge, their customers, partners, and supply chain can trust that it represents real security measures, not just good intentions.
Cyber Essentials: The requirements that exist before assessment day
The new update is making changes to ensure that readiness exists year-round and not just at assessment time. The focus here is twofold: applicants only get three days between the sample selection and assessment, and the scope and sample of the assessment are to be validated by the assessor using technical means.
This change concretises two things that will need to be tended to year-round and well clear of the assessment window. First, vulnerability management needs to be baked into the asset management of an organisation so that the new three-day window between sample selection and assessment returns clean results. Second, the new requirement to validate the scope and sample size creates a clear need to keep and maintain an accurate, up-to-date asset register.
ADAS’s Vulnerability Management service offering was spun up to address these requirements before the Willow changes were even made public. The reasoning was that we observed too many organisations only delving into their asset vulnerability management in order to get Cyber Essentials – and presumably letting their focus on it lapse as soon as they certified. When we asked why they were treating it as a non-priority, they said that it was either a question of cost, or that their MSP or third-party IT function didn’t have an accessible plan to manage vulnerabilities for them in this way. We launched the ADAS Vulnerability Management platform to tackle this – we can provide routine daily Qualys vulnerability scans for devices for only 25p per device per month. One of the reasons we’re so excited for the Willow update is that we’re seeing IASME and NCSC pay attention to the landscape and make adjustments that shift it in the right direction, and this shift matches our lived and worked experience of the landscape.
There’s never been a better time to run a combined assessment
If you’re a newcomer to the process, there’s never been a better time to partner with a provider to ensure that your vulnerability management and asset register are accurate and up to date before committing to a full assessment. This change further promotes the idea that certification bodies aren’t just for assessment time, but are well positioned to provide longer-term, slower-burn support that helps applicants gear up for Cyber Essentials and Cyber Essentials Plus. This approach sort of works in reverse: you identify a provider of support, get your estate and assets ready for a Cyber Essentials Plus audit, and use this journey as a fact-finding exercise to ensure your Cyber Essentials Self Assessment is accurate. Now that scopes will need technical verification, working with one provider from start to finish makes more sense than ever, especially when they have additional offerings like vulnerability management or asset register templates to offer up.
It’s certification bodies with this end-to-end offering that will provide the smoothest journey now that the Willow update is in effect, so consider this when going out to market for your certification body and consultants!
Every single change to the Cyber Essentials and Cyber Essentials Plus process with Willow
Okay, time to put away the opinions and share the cold hard facts! Here are all the changes to the standard that you want to be aware of. I’d really suggest taking a proper look at the formal guidance from IASME and reading through it from start to finish – this is the best way to get confident on where you sit with the standard, and it’s still a little-known fact that you can download the questions and fill them out at your leisure before even paying for Cyber Essentials with a certification body like ours.
Cyber Essentials Plus Test Specification
Cyber Essentials Free Download of Self Assessment Questions
Just a heads up – we’re keeping the list of full changes quite dry so you can copy and paste it as a resource.
Terminology and Definition Changes
- ‘Plugins’ changed to ‘extensions’ for improved accuracy
- ‘Home working’ changed to ‘home and remote working’ to acknowledge working from untrusted networks (cafés, hotels, trains, shared spaces)
- Software definition expanded to include “operating systems, commercial off-the-shelf applications, extensions, interpreters, scripts, libraries, network software and firewall and router firmware”
- ‘Patches and updates’ changed to ‘vulnerability fixes’ as an umbrella term, defined as follows: vulnerability fixes “include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability”. Woah! This means that there’s no more ambiguity about whether registry changes count as fixes.
Passwordless Authentication
- Passwordless authentication now formally recognised and compliant in Cyber Essentials
- Defined as: “an authentication method that uses a factor other than user knowledge to establish identity”
- Accepted methods include: biometrics, security keys/tokens, one-time codes, push notifications, passkeys
- Passwordless options now available for: firewall password configuration (A4.3), authentication of external services (A5.5), and protection from brute-force attacks (A7.10)
Question Set Changes (Montpellier to Willow)
- New question set ‘Willow’ has now replaced ‘Montpellier’.
- Question A2.7.1 now asks “How many staff are home or remote workers” (previously just home workers)
- Question A2.8 Network Equipment – clarification that firewalls and routers should be listed, with notes confirming home/remote workers use software firewalls as boundary
- Section 4 Firewalls – clearer wording about managing firewalls, enabled services, and regular review of firewall rules. This change in the line of questioning is definitely a good thing for clarity, but it does mean that copying and pasting answers from last year’s submission no longer works – so please do pay attention to which question your answers marry up to.
- Section 6 Security Update Management – clarification that configuration changes or registry fixes must be applied within 14 days for critical/high vulnerabilities
- Question A7.4 – now mandatory to confirm staff only have privileges needed for their current job (principle of least privilege).
- Links added throughout to Cyber Essentials Knowledge Hub (https://ce-knowledge-hub.iasme.co.uk/)
Cyber Essentials Plus Changes
- Document renamed from “Cyber Essentials Plus Illustrative Test Specification” to “Cyber Essentials Plus Test Specification”
- Assessors must verify scope matches self-assessment certificate by ‘technical means’ (access to asset registers, exports from Intune, etc.)
- For sub-set scopes, assessors must verify effective segregation by ‘technical means’ (inspect firewall/switch ACLs, perform NMAP scans). Remember that if a big enough difference is identified, you’re going to be asked to resubmit (at cost) a new Cyber Essentials VSA that matches this scope.
- Sample size verification – assessors must verify device sample size calculated correctly using IASME method
- Evidence retention – all verification evidence must be retained by Certification Body for certificate lifetime
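The two year-round duties above (an asset register an assessor can verify the scope against, and critical/high vulnerability fixes applied within 14 days) can be checked continuously rather than in the three-day window. The script below is an added illustration, not ADAS, IASME or NCSC code, and the CSV layouts and host names are constructed for the example; it reconciles a register against a scanner export and flags stale register entries and overdue findings.

```python
"""Willow readiness check: reconcile an asset register against a scan export."""
import csv
import io
from datetime import date

FIX_WINDOW_DAYS = 14  # Willow: critical/high vulnerability fixes within 14 days

# Constructed sample data (hypothetical hosts, not a real estate). The register
# is what you would hand an assessor; the export is a simplified scanner output.
ASSET_REGISTER_CSV = """hostname,owner,in_scope
LAPTOP-01,alice,yes
LAPTOP-02,bob,yes
SRV-FILE-01,it,yes
OLD-PC-09,unknown,no
"""
SCAN_EXPORT_CSV = """hostname,severity,first_seen
LAPTOP-01,critical,2025-05-01
LAPTOP-01,low,2025-04-01
LAPTOP-02,high,2025-05-20
SRV-FILE-01,medium,2025-03-01
OLD-PC-09,critical,2025-01-01
LAPTOP-07,high,2025-04-15
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_rows, scan_rows, today):
    """Return (unregistered, overdue): hosts the scanner sees but the register
    omits (the register is stale, so scope verification would fail), and
    in-scope hosts with a critical/high finding open longer than the window."""
    registered = {r["hostname"] for r in register_rows}
    in_scope = {r["hostname"] for r in register_rows if r["in_scope"] == "yes"}
    unregistered = sorted({s["hostname"] for s in scan_rows} - registered)
    overdue = []
    for s in scan_rows:
        # Out-of-scope devices are skipped here; Willow still expects their
        # segregation from the scope to be verified by technical means.
        if s["hostname"] not in in_scope or s["severity"] not in ("critical", "high"):
            continue
        age_days = (today - date.fromisoformat(s["first_seen"])).days
        if age_days > FIX_WINDOW_DAYS:
            overdue.append((s["hostname"], s["severity"], age_days))
    return unregistered, sorted(overdue)


def readiness_report(today="2025-05-28"):
    register, scan = parse_csv(ASSET_REGISTER_CSV), parse_csv(SCAN_EXPORT_CSV)
    unregistered, overdue = reconcile(register, scan, date.fromisoformat(today))
    return {"unregistered": unregistered, "overdue": overdue}


if __name__ == "__main__":
    print(readiness_report())
```

Run daily against your real register and scanner export, an empty report on any given day is the state you want to be in when the sample is selected.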
Additional Updates
- Stronger evidence expectations for scope definition – expect probing questions that ask for more thorough evidence than last year
- Broader exclusion statements for scope
- Explicit inclusion of remote workers in risk assessments
- Strengthened requirements for regular review and management of firewall rules
- New sections added to Willow covering organisation (A1), scope (A2), firewalls (A4), secure configuration (A5), security update management (A6), user access control (A7), and malware protection (A8)