CE Version 3.2 for 2025-26 basics

Cyber Essentials 3.2 Willow for 2025-26

It might be over 10 years old but Cyber Essentials is always being reviewed to keep pace with technology and best practice. The next update to Cyber Essentials will be version 3.2 (Willow) will take effect from 28 April 2025. This means all applications started on or after this date will use the new requirements and questions set. For more information please read IASME’s blog on their website.

This version not much has really changed, the core requirements stay the same, it is mostly some tidying of language and definitions. So for most SME’s who are all ready doing Cyber Essentials there is nothing to worry about. Those who sub-set their scope there is now an extra verification test for the plus assessment.

Key Changes

• Under software, the term ‘plugins’ has been changed to ‘extensions’ for improved accuracy.
• References to ‘home working’ has been changed to ‘home and remote working’.
• Passwordless technology is now included in Cyber Essentials and is defined in the same way as multi-factor authentication, “passwordless authentication is an authentication method that uses a factor other than user knowledge to establish identity“
• The description that used to be ‘patches and updates’. will be changed to ‘vulnerability fixes’ as an umbrella term for all the different methods.
• When the Cyber Essentials self-assessment scope is not ‘whole organisation’, it must be verified by the Assessor that any sub-sets have been segregated correctly (extra physical test)
• All verification evidence must be retained by the Certification Body for the lifetime of the certificate

NCSC documents are available from below

• https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-2.pdf 
• https://www.ncsc.gov.uk/files/cyber-essentials-plus-test-specification-v3-2.pdf

If your business requires Cyber Essentials or you would like to know more, please 📧 contact us for more information