There’s a new version of our Cyber Essentials Toolkit just out which caters for the 2025 changes in the source documents for the scheme and the use of a new question set by IASME. The changes aren’t big by anyone’s criteria and may be regarded more as tweaks and clarifications, but it’s wise to be aware of them anyway.
What’s New in the April 2025 Release
For 2025 IASME has issued a new question set called “Willow” (the previous set was called “Montpellier”) which is used for certifications from 28th April 2025. There is also a new version of the accompanying “NCSC Requirements for Infrastructure” document which is now at Version 3.2. According to this document there are six changes: four definition or naming additions or amendments, and two updates to controls.
The definition changes are as follows:
“Software” now includes additional types such as firmware.
“Vulnerability fix” is widened to include actions you may need to take to cover off a vulnerability (such as configuration changes), in addition to or instead of applying software patches.
“Passwordless authentication” has been added as a definition as this method is becoming more widespread.
“Home working” is now “home and remote working” to reflect the fact that people may work from locations that are not their home, but still need to be considered.
A section has been added to the User Access control to give guidance on passwordless authentication. This doesn’t go much beyond stating some common examples of such methods (such as biometrics, security keys and smartphone approvals) and pointing out that passwords are often the weakest link in authentication. However, it does imply that such methods are acceptable for the purposes of Cyber Essentials certification.
The guidance for the Security Update Management control has been updated to reflect the fact that fixes are not always software code, and vulnerabilities may be closed via other recommended means such as configuration changes.
Updates to the Toolkit
As well as catering for these changes, we’ve taken the opportunity to add some additional documents to the Cyber Essentials Toolkit as follows:
AI Security Policy
Incident Response Plan Data Breach
Incident Management Policy
Privacy and Personal Data Protection Policy
We have also updated a number of documents to align them with recent developments, such as the widespread use of Windows 11, and to correct the odd formatting issue. All of the changes to the toolkit are set out in the usual way within the Release Notes for V6.
Final Thoughts
The NCSC reports over 33,000 organisations certified to the Cyber Essentials scheme, with more than three hundred and fifty certification bodies available for assistance. The scheme aims to strengthen and provide enhanced protection to users in an increasingly chaotic world and we hope it will continue to grow.