Cyber Essentials 2025: The End of Checkbox Theatre
Let’s not pretend most people loved the Cyber Essentials process before. At best, it was a proper baseline. At worst, it was a ritualistic paper chase that businesses sleepwalked through to win contracts.
But something seismic happened on 28 April 2025. The NCSC and IASME Consortium quietly rolled out the Willow question set, an overhaul of the CE questionnaire. And more importantly, they changed how Cyber Essentials Plus audits are conducted.
If you’ve relied on smoke, mirrors, and a pristine "demo device" that you frantically patch two hours before the auditor turns up, I’ve got bad news.
What Is the Willow Question Set?
The Willow update is the latest evolution of the Cyber Essentials self-assessment. It replaces the 2023 "Evendine" question set and adds significant clarification, stricter controls, and less room for interpretation.
Key Changes in the Willow Set:
Software inventory requirements have been tightened. You must list all software in scope, not just OS and browsers.
Clarifications around zero trust, cloud platforms, and home workers are more demanding.
More precise language around account separation (e.g. admin vs standard accounts).
Unsupported software? Even one instance puts you out of scope.
New guidance around thin clients, virtualisation, and containerised environments.
This is not a minor wording tweak. This is a structural shift in what the scheme expects from you, and it’s a wake-up call for those who treated Cyber Essentials like a CV booster for bids.
Let’s Talk About the CE Plus Audit (And Why You Can’t Cheat It Anymore)
Here’s where things get juicy — and frankly, hilarious, if you’ve been behind the scenes of a CE+ audit before.
Historically, you, the auditee, decided which devices were tested. The “clever” ones had their private ceremony:
Step 1: Patch one laptop within an inch of its life.
Step 2: Disconnect it from the real network.
Step 3: Call it the “audit device.”
Step 4: Smile smugly as it passes with flying colours.
That game is now over.
New Audit Reality:
The CE+ auditor selects the devices and users — and gives you just 3 working days’ notice.
Three. That’s it. You don’t get to prepare a golden machine, you don’t get to coach the user, and you certainly don’t get to unplug half your network “for maintenance.”
And the devices aren’t pulled from a list you curate. The auditor will ask for a complete list of all in-scope endpoints and users, and then select random samples. If you can’t provide that list fast? That’s failure #1.
Translation?
You now need to secure everything, not just the decoy. That means genuine patch management, EDR, configuration hardening, and, brace yourself, actual policies enforced in practice.
If you’ve ever thought, “We’ll fix that after the audit,” the 2025 CE+ methodology has one thing to say:
Not on our f**king watch.
Real Implications for UK SMBs
Let’s break down what this means in practice, especially for small and mid-sized businesses in the UK that previously used Cyber Essentials as a minimum badge.
1. No more “Gold Device” exemptions
That demo laptop you kept in a cupboard, reserved for audit season, is now a museum piece. CE+ is looking at your actual attack surface. If that terrifies you — it should.
2. Patch Management Isn’t Optional
Devices must be fully patched within 14 days of a fix becoming available for high-risk vulnerabilities. This rule isn’t new, but auditors will now actively verify it across machines you didn’t choose.
Oh, and unsupported operating systems? Fail.
3. You’ll Need Real Asset Management
If you can’t produce a list of which devices are in scope within a few minutes, you’re dead in the water. The new rules assume that you have proper control over your estate. If you’re still using spreadsheets… don’t.
4. Home Workers and Remote Devices Are Fair Game
The salesperson’s laptop, which was last seen in Malaga? It’s now a candidate for audit.
The guidance now explicitly requires controls to extend to remote users, including home broadband, MFA enforcement, and auto-lock.
CE is no longer just about your head office firewall; it covers your entire digital perimeter.
And For Cyber Essentials Basic?
Don’t think you’ve escaped if you’re not doing CE+. The Willow question set applies to all CE certifications, not just Plus.
The bar has been raised. What was acceptable fuzziness last year (e.g. “We sometimes apply patches via Group Policy… eventually”) is now a compliance risk.
Why This Change Had to Happen
Now here’s where we stop laughing and get serious.
Cyber Essentials was becoming a checkbox exercise. Thousands of businesses passed CE/CE+ with objectively insecure networks, because the scheme didn’t test the real-world picture.
Meanwhile, ransomware groups weren’t following the script. They didn’t care that your show device was patched. They hit you through a receptionist's old laptop running Windows 10 21H2 with no EDR and an open RDP port.
The new rules drag the scheme back into the real world. It’s uncomfortable, but necessary.
What Should You Do Now?
1. Stop F**king Lying to Yourself
If you’ve passed CE+ using only a single hand-picked device, it’s time to reassess your entire environment. CE+ is now a real test.
2. Get a Centralised Audit Tooling Stack
You will need:
Continuous compliance monitoring
Asset inventory
Patch verification
Endpoint protection with clear evidence of enforcement
Solutions like Microsoft Defender for Business, proper RMM tooling, and EDR/SOC visibility become essential, not optional.
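To make the "asset inventory plus patch verification" idea concrete, here is an added example (written for this article, not IASME or NCSC tooling, and not part of the original post) that runs the checks named above over an endpoint inventory: high-risk patches applied within 14 days of release, no unsupported operating systems, and an endpoint protection agent present on every device. The CSV columns, the sample rows, and the set of builds treated as unsupported are all constructed assumptions in the shape an RMM or MDM export might take; swap in your own export and your own unsupported-OS list.

```python
"""Added example: assess an endpoint inventory against the Cyber Essentials
rules the article describes (14-day patch window, no unsupported OS, endpoint
protection present). Column names, sample rows and the unsupported-OS set are
constructed assumptions, not a vendor or IASME format."""
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 14
# Constructed list of builds treated as out of support for this example.
UNSUPPORTED_OS = {"Windows 10 21H2", "Windows 7", "Windows Server 2012 R2"}

# Constructed sample export: one row per in-scope endpoint.
SAMPLE_INVENTORY = """\
hostname,user,os,last_patch_release,last_patch_applied,edr_agent,location
LT-001,a.smith,Windows 11 23H2,2025-05-13,2025-05-15,yes,office
LT-002,b.jones,Windows 10 21H2,2025-05-13,,no,home
LT-003,c.ng,Windows 11 23H2,2025-05-13,2025-06-20,yes,remote
LT-004,d.kaur,macOS 14.5,2025-05-20,2025-05-21,yes,home
"""


def parse_inventory(text):
    """Read the CSV export into a list of dicts, one per endpoint."""
    return list(csv.DictReader(io.StringIO(text)))


def _to_date(value):
    """Empty cell means 'never applied'; otherwise parse ISO date."""
    return date.fromisoformat(value) if value else None


def assess_device(row, today):
    """Return the findings for one device; an empty list means compliant."""
    findings = []
    if row["os"] in UNSUPPORTED_OS:
        findings.append("unsupported OS: " + row["os"])
    released = _to_date(row["last_patch_release"])
    applied = _to_date(row["last_patch_applied"])
    if released is not None:
        if applied is None:
            # Nothing applied yet: the window is measured up to today.
            outstanding = (today - released).days
            if outstanding > PATCH_WINDOW_DAYS:
                findings.append("high-risk patch outstanding %d days" % outstanding)
        elif (applied - released).days > PATCH_WINDOW_DAYS:
            findings.append("patch applied %d days after release" % (applied - released).days)
    if row["edr_agent"].strip().lower() != "yes":
        findings.append("no endpoint protection agent reported")
    return findings


def assess_inventory(text, today):
    """Map hostname -> findings for every endpoint in the export."""
    return {row["hostname"]: assess_device(row, today) for row in parse_inventory(text)}


def scope_list(text):
    """The complete endpoint/user list an auditor asks for, from the same data."""
    return sorted((row["hostname"], row["user"]) for row in parse_inventory(text))


def assess_sample(today_iso="2025-06-30"):
    """Run the assessment over the constructed sample as of a fixed date."""
    return assess_inventory(SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, findings in assess_sample().items():
        print(host, "PASS" if not findings else "FAIL", "; ".join(findings))
```

The point of keeping the scope list and the compliance checks on the same inventory is that the two answers an auditor wants (which devices are in scope, and whether each one is actually patched and protected) cannot drift apart; the only way a device escapes the check is by not being in the list at all, which is exactly the gap the new methodology's random sampling is designed to expose.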
3. Review Your Scope. Properly.
If you exclude something from CE+ scope, you now need damn good justification. The guidance around scope is now crystal clear and, frankly, stricter than ISO27001 in some respects.
4. Plan for Recertification Early
If your cert is up in 3–6 months, start prepping now. Don’t wait until your MSP throws together a 2-week remediation panic plan. Start validating your estate against Willow today.
5. Train Your People
Because let’s face it — many CE+ failures are human. Phishing, poor passwords, reused credentials. Fixing tech is easy. Fixing habits? That’s the challenge.
CE+ in 2025: From Badge to Battlefield
There’s a delicious irony here. Cyber Essentials was once seen as the entry-level of security frameworks. The one you got before moving to “serious” schemes like ISO27001.
But with the 2025 changes?
CE+ may now be the more rigorous of the two, because it tests whether your controls actually exist on the estate, not just whether they’re written down.
This is welcome for those who have taken compliance seriously all along. For everyone else, it's time to grow up. There are no more training wheels.
Final Thoughts: A Better Scheme, Finally
Let’s be clear: this is a good change. Yes, it’s a massive headache for those who treated CE as paperwork theatre. But it will raise standards across the board.
Because let’s face it — if your CE+ audit fails under the new rules, you didn’t “fail the audit.” You failed reality.
And reality, unfortunately for some, doesn’t care what was on your ISO27001 certificate.