Cyber Essentials: Key Differences Between the IASME Montpelier and Willow Question Sets

Apr 17, 2025 | Articles

IASME is retiring the current Montpelier Cyber Essentials question set on 28 April 2025. It is being replaced by Willow, a more detailed and updated version aligned with current cybersecurity expectations. The new question set raises the bar for organisations by introducing more specific guidance and expectations across a range of topics, especially around thin clients and firewalls.

If you’re preparing to certify—or renew—from 28 April onwards, here’s what you need to know about the key differences.

What is Cyber Essentials?

Cyber Essentials is a government-backed certification scheme that sets out basic technical controls to help organisations protect themselves against common online threats. Cyber Essentials focuses on five key areas: firewalls, secure configuration, user access control, malware protection, and patch management. By meeting these standards, businesses can reduce their risk of cyber attacks and demonstrate a baseline level of cybersecurity to customers, partners, and suppliers.

What’s Changed in Cyber Essentials?

Clearer Scope Requirements

Willow clarifies the scope of Cyber Essentials. All user devices that access organisational data or services, including those connecting via cloud platforms, must be included. Montpelier was less explicit, particularly in its treatment of cloud-connected devices. This change removes ambiguity and reinforces the importance of covering all access points.

Additionally, organisations must provide more specific information about the devices in scope, and Willow asks for precise identification of thin clients and servers. The aim is to create a complete picture of the organisation’s technology estate, leaving less room for vague or incomplete answers.

Willow also emphasises the importance of remote working. All staff who work from home must be included in scope, however infrequently they do so.

Finally, in Willow, all cloud services, like IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service), must be included in the scope. The requirements are more precise and broader than in Montpelier. Organisations can no longer assume some cloud platforms fall outside the certification’s boundaries.

Increased Focus on Thin Clients

Willow focuses more on using and managing thin clients—streamlined machines that connect to virtual desktops. It highlights the risks of modifying these devices and requires that they are regularly supported with security updates. Montpelier referred to thin clients but without the same depth of scrutiny.

Firewall Rules Expansion

While both versions cover firewall configuration, Willow includes stricter requirements for boundary firewalls. It expects more detailed documentation, approval processes for exceptions, and reviews of configurations. This aims to limit exposure caused by poorly managed inbound rules.

Willow also expands on the role of software firewalls, especially for staff working remotely. It calls for the correct configuration of firewalls on all user devices, not just on the corporate network. Montpelier acknowledged software firewalls but without such focus on home and remote setups.

Stronger Password and Authentication Controls

Willow goes further than Montpelier on authentication. It promotes secure password practices, enforces the use of Multi-Factor Authentication (MFA) for external services, and introduces checks against common passwords. Login throttling—to prevent brute-force attacks—is also more clearly mandated.
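The common-password check and login throttling described above, as an added Python example that is not part of the original article or of IASME's own material: a denylist check applied when a password is set, and a per-account failure counter that locks the account after too many attempts in a sliding window. The denylist entries and the thresholds (10 failures, 5-minute window, 10-minute lockout) are constructed assumptions for the example, not figures stated on this page.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed denylist standing in for a full common-password list (a real
# deployment would load a published list with many thousands of entries).
COMMON_PASSWORDS = frozenset({"password", "123456", "qwerty", "letmein", "welcome1"})

# Illustrative thresholds: assumptions for this example, not figures from the article.
MAX_FAILURES = 10      # failed attempts tolerated within the window
WINDOW_SECONDS = 300   # sliding window length in seconds
LOCKOUT_SECONDS = 600  # lockout duration once the limit is hit


def password_is_acceptable(candidate: str) -> bool:
    """Common-password check applied when a password is set or changed."""
    return candidate.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Throttle:
    """Per-account throttle: lock after MAX_FAILURES failures within WINDOW_SECONDS."""
    failures: dict = field(default_factory=dict)      # account -> failure timestamps
    locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record a failed attempt; return True if this one triggered a lockout."""
        recent = [t for t in self.failures.get(account, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
            return True
        return False


def attempt_login(throttle, store, account, password, now) -> str:
    """One attempt against store[account] = (salt, hash); returns 'locked', 'ok' or 'denied'."""
    if throttle.is_locked(account, now):
        return "locked"  # refused before the password is even checked
    salt, stored = store.get(account, (b"", b""))
    if stored and hmac.compare_digest(stored, hash_password(password, salt)):
        throttle.failures.pop(account, None)  # success clears the failure window
        return "ok"
    throttle.record_failure(account, now)
    return "denied"
```

A real service would persist the throttle state outside the process so that restarts do not reset counters, and would pair this with the MFA requirement the question set also raises.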

Breach Reporting

Willow introduces clearer expectations on how organisations respond to breaches. This includes how incidents are reported and how the organisation learns from them. Montpelier was less stringent in these post-incident processes.

Cyber Insurance Eligibility

Willow includes new questions on cyber insurance. It outlines the criteria for organisations to qualify for automatic insurance and requests financial transparency, including details such as turnover. These questions help determine eligibility up front, which wasn’t as clearly outlined in Montpelier.

Final Thought

The shift from Montpelier to Willow makes the Cyber Essentials assessment more specific and practical. It reflects a maturing approach to cybersecurity—one that asks organisations to demonstrate how their systems are managed on a day-to-day basis. For businesses preparing for assessment after April 2025, now is a good time to review how you track devices, manage firewalls, support remote users, and use cloud services. The detail matters.

Worried about the new changes? Our Cyber Essentials platform can help you complete your certification quickly and efficiently. Contact us today to learn more about Cyber Essentials support.