The Cyber Essentials Scheme’s 2025 Update and What it Means for Your Organisation

The Cyber Essentials scheme is updated each year to ensure its best-practice approach to basic cyber security remains relevant. So, what’s new for 2025?

Cyber Essentials and Cyber Essentials Plus: what’s new in the 2025 update?

As of 28 April 2025, new Cyber Essentials certifications will be assessed according to v3.2 of the NCSC Requirements for IT Infrastructure and must use the new ‘Willow’ Question Set, which replaces the Montpellier version.

The changes introduced by the 2025 update are minor, but organisations will still need to be aware of what’s expected of them. Here’s a high-level summary.

Cyber Essentials Requirements for IT Infrastructure version 3.2

The changes introduced by v3.2 of the Requirements for IT Infrastructure include:

  • Plugins
    The term ‘plugins’ has been changed to ‘extensions’.
  • Home working
    The term ‘home working’ has been changed to ‘home and remote working’.
  • Software
    The definition of ‘software’ has been updated to include “operating systems, commercial off-the-shelf applications, extensions, interpreters, scripts, libraries, network software and firewall and router firmware”.
  • Vulnerability fixes
    A definition for ‘vulnerability fixes’ has been added. They “include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability”.
  • Authentication
    Passwordless authentication methods (including biometric data, security keys or tokens, one-time codes and push notifications) are now permitted.

Cyber Essentials Plus Test Specification version 3.2

Changes introduced include:

  • Name
    Formerly called “Cyber Essentials Plus Illustrative Test Specification”, the document has been renamed “Cyber Essentials Plus Test Specification”.
  • Verification of scope
    The ‘Before you begin’ section now states that, before testing, assessors must have verified that the scope of the testing is aligned with the scope in the self-assessment certificate.
  • Verification of segregation by subset
    Assessors must also have “verified by technical means that when the Cyber Essentials self-assessment scope is not ‘Whole Organisation’, any sub-sets have been segregated effectively”.
  • Verification of sampling
    Assessors must also verify that the sample of tested devices, including end-user devices, servers and Cloud services, is representative.

Willow Question Set

The new Question Set adds new questions and provides further guidance on existing ones, covering:

  • A1 (the organisation)
  • A2 (scope of assessment)
  • A4 (firewalls)
  • A5 (secure configuration)
  • A6 (security update management)
  • A7 (user access control)
  • A8 (malware protection)

For further information, please refer to the official IASME documents. And if you need any help completing your self-assessment questionnaire, please get in touch with one of our Cyber Essentials experts.


Upcoming webinar: Cyber Essentials – Preparing for changes to the Scheme

Date: Tuesday, 25 March 2025

Time: 3:00–4:00 pm (GMT)

Delivered by: Ashley Brett, cyber security advisor and product evangelist, and Adam Seamons, head of information security

Hosted by: Sophie Sayer, sales director

Sign up for our free webinar for expert guidance on adapting to the changes introduced by the 2025 Cyber Essentials update. Whether you’re already Cyber Essentials certified or looking to begin your journey, this session will give you the knowledge and strategies you need to navigate the changes to the scheme with confidence.

The webinar will cover:

  • A detailed breakdown of the April 2025 updates, including the proof-of-scan requirement and revised questionnaire structure
  • How the changes affect certification workflows and compliance processes
  • Practical steps to align your organisation with the new requirements
  • Strategies to streamline compliance and reduce certification challenges
  • How IT Governance’s Cyber Essentials solutions can help you achieve certification


About us

  • IT Governance is one of the founding Cyber Essentials certification bodies and one of the largest in the UK, issuing more than 9,000 certificates.
  • Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.
  • With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.
  • We have a 98% customer success rate.
  • We offer everything you need to get Cyber Essentials certification, such as documentation, scanning and assessments.
  • One-to-one support is included as standard in all our packages.
  • End-to-end support – we deliver all the technical tests and assessments ourselves, conducted by our experienced technical testers.
  • Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.
  • Credentials – our consultants are qualified cyber security practitioners.
  • Unrivalled expertise – we have the knowledge and insight to help you take the next steps beyond Cyber Essentials.

The post The Cyber Essentials Scheme’s 2025 Update and What it Means for Your Organisation appeared first on IT Governance Blog.