Cybersecurity threats are growing all the time – so it’s essential that businesses and other organisations stay alert to emerging dangers. Failing to keep cybersecurity protections up to date can have devastating financial and reputational consequences.
As a UK Government-backed framework, Cyber Essentials is trusted by businesses as a clear set of guidelines to help organisations safeguard themselves against common cyber threats. But Cyber Essentials also has to stay up to date – which is why the new Willow question set comes into effect from April 28th, 2025.
The key takeaway? While Willow makes some important adjustments, it is not a radical shift. It strengthens the Cyber Essentials framework and updates it to take account of the changing way we work and evolving security risks. Here’s what Willow means for your organisation.
What is the Willow update to Cyber Essentials?
Willow is the latest version of Cyber Essentials’ technical requirements. It enhances security measures and aligns them with evolving cybersecurity threats, introducing clearer expectations and improved guidance based on lessons from real-world incidents, along with feedback from cybersecurity experts and certification bodies.
So, what exactly has changed? Here are the most significant updates introduced as part of Willow:
1. Greater emphasis on cloud security: The way businesses operate has changed a lot in a relatively short space of time. Cloud services like Microsoft 365 and Google Workspace have become integral to the way many organisations work. Willow introduces stricter requirements for securing cloud environments, covering data access policies, account controls and multi-factor authentication (MFA).
2. Improved BYOD (Bring Your Own Device) security: With remote and hybrid working becoming the norm for many organisations, employees are increasingly using personal devices to access business systems. To counteract any security risks arising from this, Willow provides stronger guidance on how organisations should manage and secure these devices to prevent unauthorised access and data breaches.
3. Stronger authentication and access management: Willow places greater emphasis on identity security by tightening authentication policies. More services and user accounts must now have MFA enabled, especially those handling personal or otherwise sensitive data. Also, password policies are strengthened to reduce the risk of credential-based attacks.
4. Stricter patch management requirements: Security patches must now be applied more quickly under the new requirements set down by Willow. Organisations must ensure that critical updates are implemented sooner to minimise exposure to vulnerabilities that could be exploited by online criminals.
5. Clearer scope definitions: The updated framework provides better guidance on defining what is considered ‘in scope’ for certification. This includes more precise rules for remote users, third-party services and supply-chain security, ensuring organisations don’t overlook critical risks.
Why Willow is important
The changes introduced as part of the Willow update aren’t about making Cyber Essentials certification more difficult but about making the standard more robust and effective. Cyber threats such as phishing, ransomware and credential theft are becoming more sophisticated, and organisations of all sizes – including small businesses and even schools – are increasingly being targeted.
By refining the Cyber Essentials standard and considering new cybersecurity threats, Willow helps ensure that organisations looking to obtain or retain certification take a more proactive and relevant approach to online security. The goal, however, remains fundamentally the same: to provide a clear, achievable baseline that safeguards systems and data against common cybersecurity threats.
What Willow means for you
For organisations that are already Cyber Essentials certified, the Willow update means reviewing and adjusting security policies in line with the new requirements. Rather than requiring a disruptive overhaul, this is an opportunity to strengthen cyber resilience.
For those new to Cyber Essentials, Willow provides an up-to-date, practical framework to help businesses bolster their security posture while demonstrating compliance with data protection legislation such as GDPR in Europe and Bermuda’s Personal Information Protection Act (PIPA).
How Cyber Tec Security can help
Navigating the transition to Willow needn’t be complicated. At Cyber Tec Security, we’re here to support organisations in adapting to the updated Cyber Essentials framework through:
- Gap analysis: We’ll assess your current security measures against the updated requirements and identify areas that need adjustment.
- Guided compliance support: Our team can provide clear, practical advice on meeting the updated Cyber Essentials standard.
- Training and resources: We offer training to help organisations and employees understand and implement the latest cybersecurity best practices.
Conclusion
While Willow raises the bar for Cyber Essentials certification in some areas, these changes are ultimately about helping organisations stay secure in an increasingly challenging digital world. With the right support, adjusting to the updated standard is entirely manageable – and, most importantly, it helps keep your business and your customers safe from cybercriminals.
If you need guidance on what Willow means for your organisation or you want to learn more about getting Cyber Essentials certification, contact the Cyber Tec Security team today.