Cyber Awareness Training Data Breaches and their consequences General Security Issues Identity and Access Management Ransomware, Phishing and other Malware Risk Analysis and Security Strategy Security Tools Working Practices

Cyber Essentials – How has it changed?

I think these days, pretty much everyone is aware of the UK government-backed Cyber Essentials scheme and those who have undertaken certification or are considering it, will, in the last 12 months, have been subject to the introduction of the “Willow” question set (v3.2), which became the standard for certifications from 28 April 2025. It didn’t fundamentally change the five Cyber Essentials controls, but it did make several requirements more explicit and raised expectations around asset management, authentication, remote working, and vulnerability remediation. 

For most organisations, the Willow update was not a complete overhaul. The real shift is that Cyber Essentials is becoming:

  • More focused on asset visibility
  • More aligned with modern cloud environments
  • More accepting of passwordless security
  • More rigorous about vulnerability management
  • More realistic about hybrid and remote working

If your organisation already has mature inventory management, MFA, vulnerability remediation, and cloud governance processes, the changes are relatively straightforward. If not, these areas are where most compliance effort will now be concentrated. 

Key implications for organisations

Asset management is now much harder to ignore

A significant practical change was a stronger emphasis on maintaining a complete inventory of:

  • Devices
  • Software
  • Cloud services
  • Network equipment
  • BYOD assets used for work

Organisations now need a much better visibility of what is connected to their environment. For many SMEs, this means formalising asset registers rather than relying on informal spreadsheets or staff knowledge. 

The Implication being that certification becomes more difficult if you cannot prove what systems are in scope. This may mean investing in discovery and asset-management processes.

Firmware is now explicitly in scope

The definition of software has been expanded to include firmware on devices such as:

  • Firewalls
  • Routers
  • Network appliances

Previously, some organisations focused almost entirely on operating systems and applications. Now, neglected network-device firmware can become a compliance issue.  The implication being that patch management programmes need to include infrastructure devices, not just laptops and servers.

“Patches” became broader “vulnerability fixes”

Cyber Essentials no longer focuses only on installing vendor patches.

The new language recognises that vulnerabilities may be fixed through:

  • Configuration changes
  • Registry edits
  • Vendor scripts
  • Other remediation methods

The expectation is that vulnerabilities rated CVSS 7.0+ are addressed regardless of how the vendor delivers the fix.  Again, there is an implication that organisations need a vulnerability-management mindset rather than a simple patching mindset.

Passwordless authentication is now recognised

The Willow update formally acknowledges modern authentication methods such as:

  • Passkeys
  • Biometrics
  • Security keys
  • Authenticator push notifications

These can satisfy MFA requirements where implemented correctly. 

This is good news for organisations moving away from passwords. It aligns Cyber Essentials more closely with modern identity-security strategies and NCSC guidance on passkeys.  Frustratingly though, I worked with a client recently to obtain CE and the assessor didn’t know what a passphrase was and it had to be explained to him.

Remote working is treated more broadly

The terminology changed from “home working” to “home and remote working.”

That sounds minor, but it reflects a wider scope including:

  • Hotels
  • Cafés
  • Shared workspaces
  • Other untrusted networks

I’ve blogged about this quite a bit and security controls need to work wherever employees connect from, not just from a home office.  Does a VPN suffice, maybe but maybe not.

Greater scrutiny of Bring Your Own Device (BYOD)

Now organisations are expected to have:

  • Clear BYOD policies
  • Device security controls
  • User responsibilities documented
  • Appropriate protection such as encryption and screen locking

Informal BYOD arrangements can be riskier from both a compliance and security perspective.

V3.3 (“Danzell”)

As if that wasn’t enough NCSC has published v3.3 (“Danzell”) requirements effective from April 2026, which further tighten areas such as MFA and cloud-service requirements. Organisations that have only just adapted to Willow should already be reviewing the next revision to avoid another compliance scramble next renewal cycle. 

What changed in the Danzell question set?

The five Cyber Essentials control areas remain the same:

  • Firewalls
  • Secure Configuration
  • User Access Control
  • Malware Protection
  • Security Update Management

However, Danzell asks more detailed and specific questions about how these controls are implemented and evidenced. 

Key themes covered by the Danzell questions

Multi-Factor Authentication (MFA)

The questionnaire now requires organisations to identify all cloud services in use and confirm MFA is enabled where available. Missing MFA on supported cloud services can result in an automatic failure. 

Typical questions include:

  • What cloud services are used?
  • Is MFA enabled for all users?
  • Are administrator accounts protected by MFA?
  • What authentication methods are used?

Cloud Service Scope

Danzell explicitly brings cloud services into scope, including:

  • Microsoft 365
  • Google Workspace
  • Salesforce
  • Slack
  • Zoom
  • Cloud storage platforms

Organisations must declare these services and demonstrate appropriate security controls. 

Typical questions include:

  • Which cloud services store or process business data?
  • How are accounts managed?
  • How is access removed when users leave?

User Access Control

The questionnaire places greater emphasis on:

  • Administrative accounts
  • Privileged access management
  • Account lifecycle management

Typically questions include:

  • Are administrator accounts separate from standard user accounts?
  • How are privileged accounts controlled?
  • How are unused accounts identified and removed?

Industry discussions indicate auditors are applying the separate-admin-account requirement strictly. 

Security Update Management

Danzell asks for clearer evidence regarding:

  • Operating system patching
  • Application patching
  • Firmware updates
  • Patch deployment timescales

Applicants need to be able to identify:

  • How are vulnerabilities are identified?
  • Are high-risk vulnerabilities patched within 14 days?
  • How is firmware kept up to date?

The 14-day patching requirement is now a critical assessment point. 

Password and Authentication Controls

Questions now focus on:

  • Minimum password length
  • Password managers
  • Common-password blocking
  • Passwordless technologies and passkeys where used

Cyber Essentials v3.3 introduced a minimum 12-character password requirement in many scenarios. 

Structure of the questionnaire

The Danzell question set generally requires organisations to provide:

  • Asset inventories
  • Cloud service inventories
  • User account information
  • Details of security policies
  • Evidence of patch management processes
  • Details of MFA deployment
  • Administrative account controls

Assessors may ask follow-up questions if answers are unclear or inconsistent. 

What, typically, is the effect on SMEs?

This will change from company to company of course, many will already have much of this covered and some won’t.  Many will require guidance and assistance in making sure that they are prepared to what is now required, and that guidance will need to focus on how they need to change to meet the requirement.

But arguably the biggest operational issue is that CE now requires Owners/CEOs/Boards to certify that they will maintain the standard through its 12-month lifecycle, and not just at the point of certification.  That means monitoring their estate to maintain compliance, constantly, which in turn means having the means and resource to do it.  Not easy for many SMEs and they will be worried about cost.

The obvious answer though is a managed service.  SMEs often outsource their IT environment and see benefits in terms of cost and operational efficiency.  The same can be said for Cyber Security and monitoring, but the mindset tends to be different.  There is still the thought that their IT outsourcing company has this covered, or that cyber is a bit of black art and it will be expensive.

Let’s face it, the majority of SMEs aren’t going to try and hire cyber expertise full time, it would be expensive and unnecessary.  Having a managed service spreads cost and makes it affordable.  If you have a service that offers:

  • Continuous monitoring of endpoints, servers, and some cloud environments
  • Monitoring patching, including CVEs issued by vendors and comparing them against your estate
  • Vulnerability assessment
  • Rapid detection of ransomware, malware, insider threats, and advanced attacks
  • Expert-led response
  • Phishing simulations
  • Cyber awareness training programme
  • Dark web monitoring

Then you are a long way towards meeting the requirement for continuous monitoring and assessment, and if you can do this for £15-£18 per user per month, then it can be very affordable.

Leave a Reply

Your email address will not be published. Required fields are marked *

Scroll to top