CertiKit Cyber Essentials Toolkit V6

Posted on April 29th, 2025 | Written by Ken Holmes.

There’s a new version of our Cyber Essentials Toolkit just out which caters for the 2025 changes in the source documents for the scheme and the use of a new question set by IASME. The changes aren’t big by anyone’s criteria and may be regarded more as tweaks and clarifications, but it’s wise to be aware of them anyway.

What’s New in the April 2025 Release

For 2025, IASME has issued a new question set called “Willow” (the previous set was called “Montpellier”), which is used for certifications from 28th April 2025. There is also a new version of the accompanying “NCSC Requirements for Infrastructure” document, which is now at Version 3.2. According to this document there are six changes: four definition or naming additions or amendments, and two updates to controls.

The definition changes are as follows:

  • “Software” now includes additional types such as firmware.

  • “Vulnerability fix” is widened to include actions you may need to take to cover off a vulnerability (such as configuration changes), in addition to or instead of applying software patches.

  • “Passwordless authentication” has been added as a definition as this method is becoming more widespread.

  • “Home working” is now “home and remote working” to reflect the fact that people may work from locations that are not their home, but still need to be considered.

A section has been added to the User Access control to give guidance on passwordless authentication. This doesn’t go much beyond stating some common examples of such methods (such as biometrics, security keys and smartphone approvals) and pointing out that passwords are often the weakest link in authentication. However, it does imply that such methods are acceptable for the purposes of Cyber Essentials certification.

The guidance for the Security Update Management control has been updated to reflect the fact that fixes are not always software code, and vulnerabilities may be closed via other recommended means such as configuration changes.

Updates to the Toolkit

As well as catering for these changes, we’ve taken the opportunity to add some additional documents to the Cyber Essentials Toolkit as follows:

  • AI Security Policy

  • Incident Response Plan Data Breach

  • Incident Management Policy

  • Privacy and Personal Data Protection Policy

We have also updated a number of documents to align them with recent developments, such as the widespread use of Windows 11, and to correct the odd formatting issue. All of the changes to the toolkit are set out in the usual way within the Release Notes for V6.

Final Thoughts

The NCSC reports over 33,000 organisations certified to the Cyber Essentials scheme, with more than three hundred and fifty certification bodies available for assistance. The scheme aims to strengthen and provide enhanced protection to users in an increasingly chaotic world and we hope it will continue to grow.

Written by

Ken Holmes

Managing Director

CertiKit’s Managing Director and Lead Toolkit Creator. Ken is a CISSP-qualified security and data protection specialist who also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E).
