To better reflect the modern working environment and help organisations safeguard against evolving common cyber risks, the National Cyber Security Centre (NCSC) has updated the question set for their Cyber Essentials certification scheme, phasing out the Montpellier set in favour of their newly revised Willow set.
The revision introduces broader definitions and extended requirements that organisations must comply with in order to be accredited by the highly respected authority.
As the Cyber Essentials scheme represents the UK Government’s minimum baseline standard for cyber security, certification is not only achievable for organisations of all sizes, but it also demonstrates to clients and insurers a critical level of cyber integrity and resilience.
Key updates include:
Inclusion of Remote Workers
Remote workers are now explicitly in scope, reflecting the fact that working patterns are no longer restricted to the office or the home. Remote working has introduced a new range of security considerations for organisations, particularly employees connecting to untrusted networks and working in environments not suited to the task being undertaken, such as the handling of sensitive data.
Firewalls
Multiple questions surrounding firewalls have been rephrased to provide greater clarity on the expectations of organisations in:
- Deploying firewalls across devices and networks.
- Ensuring secure password management of firewall configuration interfaces.
- Controlling and documenting firewall rule administration.
Secure Configuration
Passwordless authentication is now an accepted method for authenticating to firewall configuration interfaces and to external services. Examples of passwordless authentication include biometric authentication, such as fingerprint and facial recognition, and one-time passcodes (OTPs) delivered via SMS or authenticator applications.
However, brute-force protection is still a requirement where passwordless systems use backup passwords as a means of reauthenticating users.
Security Update Management
The Willow question set clarifies that vulnerability fixes, such as registry fixes and configuration changes, as well as security updates, must be applied where the operating system or application vendor advises.
Security updates and vulnerability fixes must also strictly be applied within 14 days where any of the following applies:
- The update fixes vulnerabilities deemed by the vendor to be ‘critical’ or ‘high-risk’.
- The identified vulnerabilities have a Common Vulnerability Scoring System version 3 (CVSSv3) base score of 7.0 or above.
- The vendor releases no information regarding the severity of the vulnerabilities.
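The three conditions above form a simple decision rule, but in practice the hard part is applying it consistently across a backlog of patches, registry fixes and configuration changes whose vendor severity and CVSS score are inconsistently recorded. The following Python script is an added example, not part of the original article or of the NCSC scheme, that encodes the rule and reports each fix's compliance status as of a given date. The fix identifiers, dates, severities and scores are constructed sample values; the interpretation that a published CVSS score counts as "information regarding the severity" (so the third condition only triggers when neither a vendor rating nor a score exists) is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy constants taken from the Willow wording quoted above.
DEADLINE_DAYS = 14
CVSS_THRESHOLD = 7.0
VENDOR_SEVERITIES_IN_SCOPE = {"critical", "high"}  # "high-risk" is normalised to "high"


@dataclass
class Fix:
    """One security update or vulnerability fix (patch, registry fix or config change)."""
    identifier: str                  # vendor advisory / KB reference (sample values below are constructed)
    kind: str                        # "update", "registry" or "config"
    released: date                   # date the vendor published the fix
    vendor_severity: Optional[str]   # None when the vendor publishes no severity rating
    cvss_v3: Optional[float]         # None when no CVSSv3 base score is published
    applied: Optional[date] = None   # None if the fix has not yet been applied


def fourteen_day_rule_applies(fix: Fix) -> bool:
    """Return True if any of the three Willow conditions makes the 14-day deadline mandatory."""
    # Condition 3: no severity information at all (assumption: a CVSS score counts as information).
    if fix.vendor_severity is None and fix.cvss_v3 is None:
        return True
    # Condition 1: vendor rates the vulnerability critical or high-risk.
    if fix.vendor_severity is not None:
        rating = fix.vendor_severity.strip().lower().replace("-risk", "")
        if rating in VENDOR_SEVERITIES_IN_SCOPE:
            return True
    # Condition 2: CVSSv3 base score of 7.0 or above, regardless of the vendor's own wording.
    if fix.cvss_v3 is not None and fix.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return False


def deadline_for(fix: Fix) -> Optional[date]:
    """Mandatory application deadline, or None when only 'apply when the vendor advises' applies."""
    if fourteen_day_rule_applies(fix):
        return fix.released + timedelta(days=DEADLINE_DAYS)
    return None


def assess(fixes: List[Fix], as_of: date) -> Dict[str, str]:
    """Map each fix identifier to a compliance status as of the given date."""
    report: Dict[str, str] = {}
    for fix in fixes:
        deadline = deadline_for(fix)
        if deadline is None:
            status = "apply-when-vendor-advises"
        elif fix.applied is not None:
            status = "compliant" if fix.applied <= deadline else "applied-late"
        elif as_of > deadline:
            status = "overdue"
        else:
            status = f"due-by-{deadline.isoformat()}"
        report[fix.identifier] = status
    return report


# Constructed sample backlog: all released on 1 March 2025, so the 14-day deadline is 15 March 2025.
SAMPLE_FIXES = [
    Fix("VENDOR-001", "update",   date(2025, 3, 1), "Critical",  9.8,  applied=date(2025, 3, 10)),
    Fix("VENDOR-002", "registry", date(2025, 3, 1), "Medium",    7.2),   # vendor says medium, CVSS says in scope
    Fix("VENDOR-003", "config",   date(2025, 3, 1), None,        None),  # no severity information at all
    Fix("VENDOR-004", "update",   date(2025, 3, 1), "Low",       4.3),   # outside the 14-day rule
    Fix("VENDOR-005", "update",   date(2025, 3, 1), "High-risk", None, applied=date(2025, 3, 20)),
]

if __name__ == "__main__":
    for ident, status in assess(SAMPLE_FIXES, date(2025, 3, 20)).items():
        print(f"{ident}: {status}")
```

Two rows are worth noting: VENDOR-002 is in scope because the CVSS condition is independent of the vendor's own "medium" wording, and VENDOR-005 was applied but five days late, which a report that only tracks "applied / not applied" would miss.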
Organisations must also subscribe to the Extended Security Update (ESU) scheme for their respective operating system where one is available.
For organisations using Windows 10, a subscription to the Windows ESU scheme must be in place by 14th October 2025 to remain compliant.
User-Access Controls
It is now a Cyber Essentials requirement that the principle of least privilege be applied as the standard framework for privileged account access.
Robust separation must also be maintained between administrative and standard user accounts, so that standard accounts are not unnecessarily exposed to privilege misuse.
Anti-Malware Protection Mechanisms
Anti-malware protection mechanisms must be active across all devices within the organisation’s network by at least one of the following means:
- Anti-malware software for devices running Windows or macOS.
- Application allow-listing (also referred to as application whitelisting), where only approved applications, verified by code signing, are permitted to run.
How Griffiths & Armour can help
Whilst the Cyber Essentials certification remains an important benchmark for an organisation’s cybersecurity framework, navigating the broader cyber risk landscape requires proactive strategic insight as cyber threats continue to evolve. At Griffiths & Armour we conduct detailed Cyber insurance assessments for our clients, in addition to exposure modelling and insurance risk reconnaissance services. Our team can guide you through the process, ensuring that your organisation is protected against the ever-growing threat of cyber-attacks.
To learn more about how we can support your Cyber insurance needs, please get in touch.