Introduction
In a world of ever-evolving cyber threats, achieving a robust cybersecurity posture is essential. One way for organisations to ensure their systems are protected from common forms of cyber attack is by implementing the technical controls defined by the Cyber Essentials scheme. But what do references to ‘Willow’ and ‘Montpellier’ mean when it comes to Cyber Essentials? Knowing the difference matters for an organisation’s compliance status and its wider goals.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme and the recommended minimum baseline standard for cyber security for organisations of all sizes in the UK. It’s an annually renewable certification that is built around five technical controls designed to prevent the most common forms of internet-based cyber security threats. The scheme has two levels: Cyber Essentials (Level 1), a verified self-assessment questionnaire, and Cyber Essentials Plus (Level 2), which adds a technical audit of the in-scope IT systems.
What Are Montpellier and Willow?
Willow and Montpellier are the names given to the question sets and requirements associated with the Cyber Essentials scheme. Montpellier is the current version and Willow is the newer version.
Montpellier is the name of the current question set and Version 3.1 of the Requirements for IT Infrastructure; it remains effective until 28th April 2025.
Willow is the name of the newer question set and Version 3.2 of the Requirements for IT Infrastructure, effective from 28th April 2025.
What’s meant by ‘question set’ and ‘requirements’ and how are they ‘changing’?
The IT ‘requirements’ are published as part of the Cyber Essentials scheme to explain the reason for each of the technical controls, its aim and the associated detail. The ‘question set’ is the corresponding list of questions that an organisation must answer as part of the Cyber Essentials certification process. Both can be downloaded from the IASME website. The changes are aimed at clarifying the requirements and keeping the scheme up to date and effective.
Why is Willow replacing Montpellier?
Technology is constantly evolving and cyber criminals are constantly adapting. To stay ahead and keep up to date with these changes, the Cyber Essentials standard must also evolve.
Additionally, updating the requirements and question set helps both NCSC (as technical authority) and IASME (as delivery partner) clarify the expectations of the scheme, removing uncertainty and supporting continuous improvement.
What’s the difference between Willow and Montpellier?
One of the biggest changes in Willow is the introduction of the term “Vulnerability Fixes”. It has been introduced to clarify what is required to address known weaknesses on devices that access organisational data. Specifically, vulnerability fixes are defined as “patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability”. The intent is to ensure systems are protected from common forms of cyber attack even where the vendor’s remedy is a manual configuration change rather than a software patch; in practice this means a vendor-published mitigation must be applied within the same timescale that would apply to a patch, and an organisation cannot treat the absence of a patch as grounds for leaving the vulnerability unaddressed.
Another key difference is that “password-less authentication” is introduced as part of Willow. This covers stronger forms of authentication used in place of traditional passwords. Examples include biometrics (fingerprints and facial recognition), security tokens (USB keys or smart cards), one-time codes (temporary codes sent by email) and push notifications (a prompt on a smartphone to approve or deny a login attempt). The intent is to support reducing reliance on passwords, since passwords used alone can be a weak link in cyber security.
Definitions have also been updated to explain things more clearly. ‘Software’ now references plugins rather than extensions, and the term ‘vulnerability fix’ has been introduced (as described above). There is also a reference to ‘home and remote working’ instead of ‘home working’, to clarify the terminology and reflect modern working environments.
What else is changing?
The test specification for Cyber Essentials Plus is being updated as part of the V3.2 release, with the newer version available for download from the IASME website. The changes relate to the “verification of scope, sub-sets and sampling”.
Breaking each of these down, it means that before an active audit of Cyber Essentials Plus (Level 2) can begin, the assessor must:
- Verify scope against the Level 1 (Cyber Essentials) certification – to ensure the devices referenced at the two levels of certification match
- Verify that any sub-sets have been segregated appropriately – to ensure devices considered to be out of scope are genuinely separated from those in scope
- Identify the samples that will be tested and when the testing will occur – to ensure there is clarity on the devices that will be chosen for review as part of the Level 2 audit
How can RB Consultancy Ltd guide you through the changes?
RB Consultancy Ltd is a certification body for both levels of Cyber Essentials. We’re also the first and only NCSC Assured Service Provider and Cyber Advisor in our area. This means we have the skills to help organisations navigate the whole (end-to-end) process for Cyber Essentials and Cyber Essentials Plus, including the implementation of the technical controls.
Conclusion
Understanding the difference between Willow and Montpellier should help organisations prepare for the changes that take effect on 28th April 2025. These changes concern the question set and the version of the Cyber Essentials requirements. The update brings clearer language, along with more emphasis on passwordless authentication and vulnerability fixes. The test specification for Cyber Essentials Plus is also being updated to ensure verification of scope, sub-sets and sampling takes place before the audit. Documentation relating to these changes is available on the IASME website. If you’d like to talk through these changes, please arrange a call and we’d be happy to discuss them in more detail.
FAQs
Why is Cyber Essentials changing from Montpellier to Willow?
To ensure the scheme evolves, continuously improves and continues to protect organisations against common forms of cyber attack.
Which Is Best… Willow or Montpellier?
Neither is “better”; Willow is simply the newer version. Montpellier remains effective until 28th April 2025, at which point Willow takes over. This reflects the move from the (current) version 3.1 requirements and question set to the (newer) version 3.2.
What else will change as part of Willow?
The Cyber Essentials Plus test specification is changing, with more focus on the verification of scope, sub-sets and sampling before an active audit commences.
Are the certification charges and costs changing for Willow?
No, certification charges and costs remain the same for both Willow and Montpellier.
What should organisations do to prepare for Willow?
Organisations should review the updated question set and familiarise themselves with the latest version of the Requirements for IT Infrastructure (version 3.2), paying particular attention to the vulnerability fix definition and the new passwordless authentication options. Organisations may also choose to seek guidance from Cyber Essentials experts such as NCSC Assured Service Providers (for consultancy services) and IASME certification bodies (for assessment).