Introduction

In a world of ever-evolving cyber threats, achieving a robust cybersecurity posture is essential. One way for organisations to ensure their systems are protected from common forms of cyber attack is through the implementation of technical controls relating to the Cyber Essentials scheme. But what do references to ‘Willow’ and ‘Montpellier’ mean when it comes to Cyber Essentials? Knowing the difference can be important for an organisation’s compliance status and organisational goals.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed scheme and the recommended minimum baseline standard for cyber security for organisations of all sizes in the UK. It’s an annually renewable certification scheme aligned to five technical controls designed to prevent the most common forms of internet-based cyber security threats. The scheme has two levels: a verified self-assessment questionnaire and a technical audit of IT systems.

What Are Montpellier and Willow?

Willow and Montpellier are the names of the question sets and requirements associated with the Cyber Essentials scheme.

What’s meant by ‘question set’ and ‘requirements’ and how are they ‘changing’?

IT ‘requirements’ are part of the Cyber Essentials scheme – they set out what is needed to comply with the scheme and link to the five key technical controls. The ‘question set’ is the associated list of questions that an organisation must respond to as part of the Cyber Essentials certification process. Documents relating to the requirements and question set can be downloaded from the IASME website. The changes are aimed at clarifying the requirements, along with keeping the scheme up to date and effective.

Why is Willow replacing Montpellier?

Technology is constantly evolving and cyber criminals are constantly adapting. To stay ahead and keep up to date with these changes, the Cyber Essentials standard must also evolve. Additionally, applying updates to the requirements and question set helps both NCSC (as technical authority) and IASME (as delivery partner) clarify the expectations of the scheme, with a view to removing uncertainty and continuously improving.

What’s the difference between Willow and Montpellier?

One of the biggest changes in Willow relates to the term “Vulnerability Fixes”. This term has been introduced to help clarify what’s required to address known weaknesses in devices that access organisational data. Specifically, it defines these as “patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability”. The intent is to ensure systems are protected from common forms of cyber attack – even if the vendor recommends a manual configuration change rather than a software patch.

Another key difference is that “password-less authentication” is introduced as part of Willow. This relates to stronger forms of authentication being used for systems, rather than traditional passwords. Examples include biometrics (fingerprints and facial recognition), security tokens (USB or smart cards), one-time codes (temporary codes sent by email) and push notifications (a prompt on a smartphone to approve or deny a login attempt). The intent is to ensure there’s support for reducing the reliance on passwords (as using passwords alone can be a weak link in cyber security).

Definitions have also been updated to explain things more clearly. ‘Software’ has changed to reference plugins rather than extensions, and the term ‘vulnerability fix’ has been introduced (as described above). There’s also reference to ‘home and remote working’ instead of ‘home working’, to clarify the terminology and reflect modern working environments.

What else is changing?

The specification for Cyber Essentials Plus testing is also changing for V3.2. It can be downloaded from the IASME website and references key changes to the “verification of scope, sub-sets and sampling”. Breaking each of these down, it means that before an active audit of Cyber Essentials Plus (Level 2) can begin, activity must take place to:

  1. Verify scope against Level 1 (Cyber Essentials) certification – to ensure a match between the two levels of certification in terms of devices being referenced
  2. Verify that any sub-sets have been segregated appropriately – to ensure any devices that are considered to be out of scope are appropriately separated
  3. Identify samples that will be tested and when the testing will occur – to ensure there’s clarity on the devices that will be chosen for review, as part of the Level 2 audit

How can RB Consultancy Ltd guide you through the changes?

RB Consultancy Ltd are a certification body for both levels of Cyber Essentials. We’re also the first and only NCSC Assured Service Provider and Cyber Advisor in our region. This means we have the necessary skills to help organisations navigate the whole end-to-end process relating to Cyber Essentials and Cyber Essentials Plus, along with the implementation of the technical controls.

Conclusion

Understanding the difference between Willow and Montpellier should help organisations transition through the changes. These changes are associated with the question set and the version of the Cyber Essentials requirements. The update brings clearer language, along with more emphasis on passwordless authentication and vulnerability fixes. The changes to the test specification for Cyber Essentials Plus ensure verification takes place relating to scope, sub-sets and sampling. Documentation relating to these changes is available on the IASME website. If you’d like to speak about these changes, please arrange a call and we’d be happy to discuss them in more detail.

FAQs

Why is Cyber Essentials changing from Montpellier to Willow?

To ensure the scheme evolves, continuously improves and continues to protect organisations against common forms of cyber attack.

Which Is Best… Willow or Montpellier?

Both standards are good; however, Willow is the latest release – it aims to be clearer, respond to the changing dynamics of threat actors and keep the scheme up to date.

What else changes as part of Willow?

The Cyber Essentials Plus test specification – with more focus on the verification of scope, sub-sets and sampling before an active audit commences.

Are the certification charges and costs changing for Willow?

No, certification charges and costs remain the same for both Willow and Montpellier.

What should organisations do?

Organisations should review the updated question set and be familiar with the latest version of requirements for IT infrastructure (version 3.2). Organisations may also choose to seek guidance from Cyber Essentials experts such as NCSC Assured Service Providers (for consultancy services) and IASME certification bodies (for assessment).
