Cyber Essentials Plus v3.2 (Willow): What Changed - SureCloud
Cyber | 24th Apr 2026
In Short: 4 Key Takeaways
- MFA requirements have expanded significantly — now mandatory for all internet-facing services, with passwordless methods formally accepted.
- Vulnerability fixes now go beyond patching — configuration and registry changes trigger the same 14-day remediation window.
- Cloud scope is no longer flexible — any service handling business data must be included in scope with no exclusions.
- CE+ assessments are more rigorous and standardised — mandatory scope validation and defined sampling remove assessor discretion.
Cyber Essentials Plus v3.2 shifts the focus from declared controls to provable, continuously maintained security across your real environment.
Introduction
Cyber Essentials v3.2 — known by its question set name Willow — came into force on 28 April 2025, replacing the Montpellier question set. Three substantive changes cover authentication requirements, the definition of vulnerability fixes, and cloud scoping rules. The CE+ test specification was updated alongside.
Version note: This article covers Cyber Essentials v3.2 (Willow), which became mandatory on 28 April 2025. Cyber Essentials v3.3 is a separate update expected in April 2026 and is not covered here.
What Is Cyber Essentials Plus v3.2?
Cyber Essentials Plus v3.2 is the independently assessed tier of the UK government's Cyber Essentials scheme, operated by the IASME Consortium on behalf of the National Cyber Security Centre (NCSC). It sets the minimum security baseline for UK organisations, and is a mandatory requirement for suppliers handling certain UK government contracts.
Cyber Essentials has two tiers. The standard Cyber Essentials certification is a self-assessment: organisations complete the Willow question set and a certifying body verifies the responses. Cyber Essentials Plus (CE+) requires independent technical testing by an accredited assessor, who verifies the same controls against the CE+ Test Specification v3.2. Both tiers are governed by the IASME Requirements for IT Infrastructure document, which reached version 3.2 in April 2025.
Note: IASME manages the Cyber Essentials scheme on behalf of NCSC. NCSC sets scheme policy; IASME administers certification and accredits the certifying bodies that carry out assessments.
What Is the Willow Question Set?
Willow is the self-assessment question set introduced with Cyber Essentials v3.2, replacing Montpellier on 28 April 2025. The version number (v3.2) refers to the Requirements for IT Infrastructure document; 'Willow' is the name for the question set derived from it. Both terms refer to the same update. Any assessment account created from 28 April 2025 uses Willow.
What Changed in Authentication and MFA Requirements?
Under v3.2, MFA is now mandatory for every internet-facing service — not only cloud platforms and admin accounts as under v3.1 (Montpellier). Willow also formally recognises passwordless authentication methods for the first time.
- Passwordless authentication accepted: Methods that eliminate the password entirely — including FIDO2 passkeys, biometric authentication tied to device credentials, and certificate-based authentication — now satisfy the authentication requirements.
- MFA mandatory for all internet-facing services: MFA is required for any service accessible from the public internet. Where passwordless is not implemented, MFA must be in place.
- Brute-force protection tightened: Specific thresholds for account lockout and rate limiting are now defined in the Willow question set. Under Montpellier, account lockout was required but thresholds were not formally specified.
- Default passwords: Devices must have default passwords changed before being placed in scope. This requirement was restated with greater clarity in v3.2.
What Changed in Vulnerability Fix Requirements?
Cyber Essentials v3.2 expands the definition of a 'vulnerability fix' beyond software patches. Under Montpellier, remediation was understood as applying patches. Willow states explicitly that a vulnerability fix may also include configuration changes, registry changes, or software removal.
The core remediation window is unchanged: High and Critical vulnerabilities — defined as those with a CVSS score of 7.0 or above, or where the vendor has not published a severity rating — must be addressed within 14 days of a fix becoming available. Software that has reached end-of-life (EOL) must be removed or network-isolated.
The substantive shift is in what triggers that 14-day window. If a vendor publishes a security advisory recommending a configuration change or registry edit to close a known vulnerability, that advisory constitutes an available fix. The 14-day clock starts from the date it is published. Organisations can no longer defer remediation on the grounds that no patch exists where a configuration workaround has been documented.
Quotable paragraph: Under Cyber Essentials v3.2, a vulnerability fix is any remediation that addresses a known security vulnerability, including software patches, configuration changes, registry changes, and software removal. If a vendor publishes a security advisory recommending a configuration or registry change, the 14-day remediation window for High and Critical vulnerabilities (CVSS 7.0 or above) starts from the date that advisory is published — not from the date a patch is released.
What Changed in Cloud and Scope Definitions?
Cyber Essentials v3.2 removes the flexibility organisations previously had to exclude cloud services from their assessment scope.
Any cloud service that stores, processes, or provides access to the organisation's data is now in scope. This applies to:
- SaaS platforms such as Microsoft 365 and Google Workspace — organisations are responsible for MFA configuration, admin account protection, and licensed software management within their boundary
- IaaS environments such as Microsoft Azure and AWS — scope extends to operating system, firewall configuration, and patch management within the organisation's control boundary
- PaaS components where the organisation is responsible for configuration
Under previous versions, organisations had some flexibility to exclude certain SaaS or IaaS platforms from their assessment. Willow closes that gap entirely. If the service stores or touches your data, it is in scope.
What Changed in the CE+ Test Specification?
The CE+ Test Specification was updated alongside Willow, making CE+ assessments more rigorous and consistent.
- 'Illustrative' removed from the title: The previous version was the 'Illustrative Cyber Essentials Plus Test Specification', implying the methodology was advisory. The v3.2 document removes 'Illustrative' — the methodology is now the defined standard, not a reference point.
- Scope verification now mandatory: Before technical testing begins, the assessor must confirm that the scope declared in the CE self-assessment matches the systems included in the CE+ assessment. This prevents scope narrowing between the two stages.
- Defined sampling methodology introduced: Assessors must follow the sampling rules in the v3.2 specification when selecting devices, accounts, and services for testing. Sampling is no longer at assessor discretion.
Quotable paragraph: The Cyber Essentials Plus Test Specification v3.2 introduces three procedural changes: it removes the word 'Illustrative' from the document title (making the methodology a defined standard rather than guidance), mandates scope verification before technical testing begins, and introduces a fixed sampling methodology. CE+ assessors no longer have discretion over which devices, accounts, or services they select for testing.
What Else Changed in v3.2?
In addition to the three primary areas, Cyber Essentials v3.2 includes the following changes:
- Home and remote working terminology updated to reflect hybrid working as a standard operating model rather than an exception.
- Software definition expanded to explicitly include firmware, operating system components, and browser extensions within scope.
- Least privilege formalised as an explicit control requirement: users must be granted only the access needed to perform their role.
- Licensed software check added: organisations must demonstrate that in-scope software is properly licensed and supported. Unlicensed or unsupported software is now a documented control point.
Who Is Affected and When Does v3.2 Apply?
Cyber Essentials v3.2 applies to all UK organisations seeking Cyber Essentials or CE+ certification, including private sector businesses, public sector bodies, and supply chain organisations required to hold certification as a condition of contracting.
All assessment accounts created from 28 April 2025 use Willow. Existing Montpellier certificates remain valid until expiry. Renewals from 28 October 2025 must use Willow.
How Should Organisations Prepare for CE+ Under v3.2?
1. Conduct a cloud inventory
List every cloud service in use across the organisation — SaaS, IaaS, and PaaS — and confirm whether it stores, processes, or provides access to business data. Each such service must be included in scope for both the CE self-assessment and the CE+ assessment.
2. Audit MFA across all internet-facing services
Map every service accessible from the public internet, not only cloud platforms, and confirm that MFA or a compliant passwordless method is in place. Pay particular attention to VPN gateways, remote desktop services, and web-based management interfaces.
3. Review your vulnerability fix process
Update your vulnerability management process to capture configuration-based and registry-based remediations, not only patches. Vendor advisories recommending configuration changes as mitigations must be tracked and actioned within the 14-day window where the CVSS score is 7.0 or above.
4. Align scope between CE self-assessment and CE+ testing
Confirm that the scope declared in the CE self-assessment accurately reflects all in-scope systems, services, and cloud environments. Assessors must verify scope alignment before technical testing begins. Discrepancies will require resolution before the assessment can proceed.
5. Prepare evidence in advance
Gather evidence for each control area: MFA configuration records, vulnerability scan reports, patch and remediation records (including configuration changes), cloud service settings, and access control policies. Evidence must be audit-ready — not assembled in the weeks before an assessment.
6. Check for EOL software
Review all in-scope devices and systems for software that has reached end-of-life and is no longer receiving security updates. EOL software must be removed or network-isolated before the assessment.
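The remediation rule from the vulnerability fix section above, and steps 3 (vulnerability fix process) and 6 (EOL software) of this checklist, can be turned into a small triage routine. The following Python is an added example, not code from SureCloud, IASME or NCSC and not part of the original article. It encodes the v3.2 trigger (a fix becoming available includes configuration changes, registry changes and software removal, not only patches), the High/Critical test (CVSS 7.0 or above, or no vendor rating), and the 14-day deadline counted from the advisory's publication date. The `Finding`, `Decision`, `triage`, `triage_all` and `overdue_assets` names, and every asset, software name, CVSS value and date in the sample data, are constructed for illustration. For EOL software it assumes only what the article states: removal or network isolation before the assessment, with no separate day count.

```python
"""Remediation-window triage under Cyber Essentials v3.2 (Willow).

Constructed example: a High/Critical finding (CVSS 7.0+, or no vendor
severity rating) must be fixed within 14 days of any vendor-published fix,
where a fix may be a patch, a configuration change, a registry change or
software removal. EOL software is flagged for removal or network isolation
regardless of CVSS.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REMEDIATION_DAYS = 14        # window for High/Critical findings
HIGH_CRITICAL_CVSS = 7.0     # threshold at which the window applies

# Everything v3.2 counts as "a fix becoming available". Under Montpellier only a patch did.
FIX_TYPES = ("patch", "configuration_change", "registry_change", "software_removal")


@dataclass
class Finding:
    asset: str
    software: str
    cvss: Optional[float]           # None = vendor published no severity rating
    fix_type: Optional[str]         # None = vendor has published no remediation yet
    fix_published: Optional[date]   # date the patch or advisory was published
    eol: bool = False               # software no longer receives security updates


@dataclass
class Decision:
    asset: str
    software: str
    window_applies: bool            # the 14-day High/Critical rule applies to this finding
    action: str
    deadline: Optional[date]
    overdue: bool


def is_high_or_critical(finding: Finding) -> bool:
    """v3.2 treats an unrated vulnerability the same as CVSS 7.0+."""
    return finding.cvss is None or finding.cvss >= HIGH_CRITICAL_CVSS


def triage(finding: Finding, today: date) -> Decision:
    """Decide the required action and deadline for one finding as of `today`."""
    # EOL software has no fix to wait for: it must be removed or network-isolated
    # before the assessment, whatever the CVSS of any individual finding.
    if finding.eol:
        return Decision(finding.asset, finding.software, False,
                        "remove or network-isolate (EOL software)", None, False)

    if finding.fix_type is not None and finding.fix_type not in FIX_TYPES:
        raise ValueError(f"unknown fix type: {finding.fix_type!r}")

    if not is_high_or_critical(finding):
        return Decision(finding.asset, finding.software, False,
                        "remediate in the normal cycle (below the 14-day threshold)", None, False)

    if finding.fix_type is None:
        # High/Critical but nothing published yet: the clock has not started.
        return Decision(finding.asset, finding.software, True,
                        "monitor vendor; clock starts when any fix or advisory is published",
                        None, False)

    if finding.fix_published is None:
        raise ValueError("fix_type set without a fix_published date")

    # The clock runs from the advisory/patch publication date, not from when it was noticed.
    deadline = finding.fix_published + timedelta(days=REMEDIATION_DAYS)
    return Decision(finding.asset, finding.software, True,
                    f"apply {finding.fix_type.replace('_', ' ')} by {deadline.isoformat()}",
                    deadline, today > deadline)


def triage_all(findings: List[Finding], today: date) -> List[Decision]:
    return [triage(f, today) for f in findings]


def overdue_assets(findings: List[Finding], today: date) -> List[str]:
    """Assets whose 14-day window has already closed without remediation."""
    return [d.asset for d in triage_all(findings, today) if d.overdue]


# Constructed sample findings (not real advisories, hosts or CVEs).
SAMPLE_TODAY = date(2025, 6, 10)
SAMPLE_FINDINGS = [
    Finding("LAPTOP-01", "Office suite", 9.8, "patch", date(2025, 6, 1)),
    Finding("FS-02", "File server service", 7.5, "registry_change", date(2025, 5, 20)),
    Finding("WEB-03", "Reverse proxy", None, "configuration_change", date(2025, 6, 5)),
    Finding("LAPTOP-04", "PDF reader", 5.3, "patch", date(2025, 5, 1)),
    Finding("DB-05", "Legacy database", 6.0, None, None, eol=True),
    Finding("VPN-06", "VPN appliance firmware", 8.1, None, None),
]

if __name__ == "__main__":
    for d in triage_all(SAMPLE_FINDINGS, SAMPLE_TODAY):
        print(f"{d.asset:10} {d.software:24} {d.action}{'  OVERDUE' if d.overdue else ''}")
```

Run as-is, the FS-02 line is the one that matters for v3.2: its registry-change advisory was published on 20 May, so the window closed on 3 June even though no patch exists, and a process that only tracks patch releases would miss it. WEB-03 shows the unrated case being treated as High/Critical, and VPN-06 shows a High finding whose clock has not yet started because nothing has been published.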
How Can a GRC Platform Support Cyber Essentials Compliance?
Cyber Essentials certification is annual. The evidence, controls, and remediation records that CE+ assessors review must be maintained continuously — not assembled in the weeks before an assessment.
The v3.2 changes make continuous maintenance more important, not less. Expanded vulnerability fix scope means remediation records must capture configuration changes and vendor advisory responses alongside patch logs. The new scope verification requirement means cloud inventories and system registers must be kept current between cycles — not reconstructed at renewal time.
A GRC platform supports this by mapping controls to the Cyber Essentials requirements, tracking remediation activities against the 14-day vulnerability fix window, and maintaining a centralised evidence library. SureCloud's GRC platform is built to support Cyber Essentials compliance as a continuous programme — so the evidence is there when you need it, not gathered under pressure when the assessment window opens.
v3.1 (Montpellier) vs v3.2 (Willow): Changes by Control Area
| Control area | v3.1 (Montpellier) | v3.2 (Willow) |
|---|---|---|
| Authentication | MFA required for cloud services and admin accounts. Passwordless methods not addressed. | MFA mandatory for all internet-facing services. Passwordless authentication (FIDO2, passkeys, certificate-based) explicitly accepted as compliant. |
| Brute-force protection | Account lockout required; thresholds not formally defined. | Brute-force protection tightened with clearer thresholds for lockout and rate limiting. |
| Vulnerability fixes | Remediation understood as applying software patches. 14-day window for High/Critical (CVSS 7.0+). | Definition expanded: fixes now include configuration changes, registry changes, and software removal. 14-day window unchanged. |
| Cloud scope | Some flexibility to exclude SaaS/IaaS services from scope. | All cloud services storing, processing, or providing access to business data are in scope. No exclusions permitted. |
| Software definition | Software covered; firmware and browser extensions not explicitly named. | Definition expanded to include firmware, OS components, and browser extensions. |
| Least privilege | Implied good practice; not stated as an explicit requirement. | Least privilege formalised as an explicit control requirement. |
| Licensed software | No formal requirement to evidence licensing status. | Organisations must demonstrate that in-scope software is properly licensed and supported. |
| Home/remote working | Addressed but treated as an exception to standard operating model. | Terminology updated to reflect hybrid working as a standard model. |
| CE+ test specification | Titled 'Illustrative'; sampling at assessor discretion; no mandatory scope verification. | 'Illustrative' removed; scope verification now mandatory before testing; defined sampling methodology introduced. |
Key Takeaways
- Cyber Essentials v3.2 (Willow) came into force on 28 April 2025, replacing Montpellier. All new assessments from that date use Willow.
- The three substantive changes are: MFA mandatory for all internet-facing services (passwordless now accepted); 'vulnerability fix' expanded to include configuration and registry changes; cloud services storing or processing business data cannot be excluded from scope.
- The CE+ test specification was updated: scope verification is now mandatory before testing, 'Illustrative' has been removed from the title, and a defined sampling methodology applies.
- The 14-day remediation window for High and Critical vulnerabilities (CVSS 7.0+) is unchanged but now applies to configuration-based fixes, not only patches.
- Existing Montpellier certificates remain valid until expiry. Renewals from 28 October 2025 must use Willow.
- Cyber Essentials v3.3 is a separate update expected in April 2026 and is outside the scope of this article.
External References
- NCSC Cyber Essentials overview
- IASME Cyber Essentials
- IASME Requirements for IT Infrastructure v3.2 (available via the IASME website)
- IASME Cyber Essentials Plus Test Specification v3.2 (available via the IASME website)
- CVSS scoring system — FIRST.org
FAQs
What is the difference between Cyber Essentials and Cyber Essentials Plus under v3.2?
Cyber Essentials is a self-assessment certification: organisations complete the Willow question set and a certifying body verifies their responses. Cyber Essentials Plus (CE+) requires independent technical testing by an accredited assessor, who verifies the same controls hands-on against the CE+ Test Specification v3.2. Under v3.2, scope must be aligned between the two stages before CE+ testing can begin. CE+ provides a higher level of assurance because controls are independently verified rather than self-declared.
What is the Willow question set?
Willow is the name given to the self-assessment question set introduced with Cyber Essentials v3.2. It replaced the Montpellier question set on 28 April 2025. IASME assigns place names to successive versions of the question set. Any assessment account created from 28 April 2025 uses Willow. The underlying requirements are set out in the IASME Requirements for IT Infrastructure v3.2 document.
What counts as a 'vulnerability fix' under Cyber Essentials v3.2?
Under v3.2, a vulnerability fix is any remediation action that addresses a known security vulnerability — including software patches, configuration changes, registry changes, and software removal. If a vendor publishes guidance recommending a configuration or registry change to mitigate a known vulnerability, that constitutes an available fix. Organisations have 14 days to apply the fix for vulnerabilities with a CVSS score of 7.0 or above, or where the vendor has not published a severity rating. The 14-day window runs from the date the fix becomes available, not the date a patch is released.
Are cloud services like Microsoft 365 and Google Workspace in scope for Cyber Essentials v3.2?
Yes. Under v3.2, any cloud service that stores, processes, or provides access to the organisation's data is in scope. This includes SaaS platforms such as Microsoft 365 and Google Workspace, IaaS environments such as Azure and AWS, and PaaS components where the organisation controls configuration. Organisations are responsible for the controls within their boundary — typically including MFA configuration, admin account protection, and licensed software management for SaaS platforms.
My existing Cyber Essentials certificate was issued before April 2025. Is it still valid?
Yes. Certificates issued under Montpellier or earlier versions remain valid until their expiry date. Cyber Essentials certification is annual. When the certificate comes up for renewal, the assessment will use the current requirements — Willow (v3.2). If your renewal falls after 28 October 2025, you must complete a Willow assessment. Certificates do not need to be reissued mid-cycle as a result of the v3.2 update.
How is Cyber Essentials Plus different from Cyber Essentials in terms of what gets tested?
Under v3.2, CE+ assessments begin with mandatory scope verification: the assessor must confirm that the scope declared in the CE self-assessment matches the systems included in the CE+ assessment before testing starts. The assessor then tests controls — including vulnerability scanning, MFA configuration checks, and firewall rule verification — following a defined sampling methodology introduced in v3.2. Sampling rules are no longer at assessor discretion.
What is the 14-day patching window, and how does it apply to configuration changes?
The 14-day window requires organisations to apply a fix within 14 days of it becoming available for any vulnerability rated High or Critical (CVSS 7.0 or above), or where no vendor severity rating has been published. Under v3.2, 'a fix becoming available' includes the publication of configuration-based or registry-based remediations, not only software patches. If a vendor publishes a security advisory recommending a configuration change to address a known vulnerability, the 14-day clock starts from the date that advisory is published.