What's new in Willow?

The NCSC & IASME have released the new Cyber Essentials question set (Willow) and accompanying Cyber Essentials Requirements for IT infrastructure document (version 3.2).

The new Willow standard will take effect for all Cyber Essentials and Cyber Essentials Plus assessments started after the 28th of April 2025.

What's new in Cyber Essentials Willow

Extended Security Updates

  • The application of Extended Security Updates must now be verified in the Cyber Essentials Plus audit.
  • All operating systems must receive security updates from the vendor.
  • Unsupported operating systems are not compliant without Extended Security Updates.
  • To remain compliant, all Windows 10 devices will need to be updated to Windows 11 or be subscribed to Microsoft’s Windows 10 ESU program by the 14th October 2025.

Passwordless Systems

  • Passwordless systems are now included alongside traditional passwords.
  • This can include using methods such as:
    • Biometrics
    • Security Keys or Tokens
    • One-Time Codes
    • Push Notifications
    • An authenticator application on a trusted device.
    • Use of a ‘trusted’ or ‘known’ device (such as a USB or physical key).

Firewalls

  • Firewalls must block unauthenticated inbound connections.
  • Firewall rules must be reviewed at least annually.
  • Processes to approve inbound connections and remove firewall rules must now be described.
  • Any allowed inbound connections must be approved and documented.
  • External access to the admin interface must be supported by:
    • A clear business need.
    • MFA or an IP Whitelist with authentication.

Vulnerability Fixes

  • All vulnerabilities must still be remediated within 14 days from release by the vendor.
  • As well as applying all security updates, you must now apply all ‘vulnerability fixes’, which include:
    • Patches
    • Updates
    • Registry Fixes
    • Configuration Changes
    • Scripts
    • Any other mechanism approved by the vendor to fix a known vulnerability.

What's new in Willow Cyber Essentials Plus

Selection of Sample Devices

  • All devices must now be chosen by the assessor no more than 72 hours prior to the tests being carried out.
  • Applicants are no longer able to choose their own samples.
  • If a selected user is unavailable, a new device is to be chosen by the assessor.

Extended Security Updates

  • The purchase and application of Extended Security Updates must now be confirmed and verified in the audit.

Segregations

  • All segregations must be technically enforced and verified in the assessment.

We're here to help

Schedule a free 30 minute consultation with a KEYSIGMA Cyber Advisor