Cyber Essentials certification remains one of the most effective and affordable ways for UK businesses to strengthen their cyber security in 2025. The scheme is government-backed, developed by the NCSC and delivered through IASME, and it is increasingly required in tenders, insurance policies and supply chain contracts.
This year brings new requirements: from 28 April 2025, a new Question Set, known as Willow, applies to all assessments started on or after that date. Organisations must also confirm they have read the updated Cyber Essentials Requirements for IT infrastructure document as part of their application.
In this blog, we explain what has changed, outline the two certification levels and provide a step-by-step process to help you get Cyber Essentials certified in 2025.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber attacks. By implementing five basic technical controls, organisations can prevent up to 80% of the most common threats.
Certification shows customers, partners and regulators that you take security seriously and helps you meet contract and insurance requirements.
There are two levels of certification:
- Cyber Essentials – a self-assessment covering the five controls.
- Cyber Essentials Plus – an externally audited version that verifies your implementation. You must achieve Cyber Essentials before progressing to Plus.
The five Cyber Essentials controls
Certification focuses on five technical controls. These remain unchanged in 2025, but your implementation will be tested against the updated Willow Question Set.
- Firewalls and routers – Secure configuration of boundary firewalls and routers (and a software firewall on devices used on untrusted networks), blocking unauthorised inbound access and changing default administrative passwords.
- Software updates – Keeping all in-scope software licensed and supported, and applying updates within 14 days of release where the vendor rates the fix critical or high risk (or it carries a CVSS v3 base score of 7.0 or above).
- Malware protection – Using anti-malware software, application allow listing (whitelisting) or sandboxing to prevent harmful code from executing.
- Access control – Managing user accounts, enforcing unique credentials, restricting administrative accounts to administrative tasks, and using MFA (multi-factor authentication) for all users of cloud services.
- Secure configuration – Removing unnecessary accounts and software, disabling insecure defaults, and locking unattended devices.
What has changed in 2025
The April 2025 update introduces three key changes to the certification process:
- New Question Set (Willow) – All applications after 28 April must use the Willow Question Set, which updates and clarifies requirements across the five control areas.
- Updated IT infrastructure requirements – Applicants must confirm they have read and applied the new guidance document. This ensures scoping decisions and control implementations are consistent.
- Board-level accountability – As before, the self-assessment questionnaire must be signed off at board level, but the updated process places stronger emphasis on leadership responsibility for cyber security.
These changes make preparation more important. If you have certified before, you cannot simply resubmit last year’s answers – you must review your scope, reassess your controls and check compliance against Willow.
Cyber Essentials vs Cyber Essentials Plus
Both certifications demonstrate commitment to cyber security, but they differ in scope and assurance:
- Cyber Essentials – Self-assessment questionnaire. Quick and cost-effective, typically achieved in a few days if controls are in place.
- Cyber Essentials Plus – Independent audit. Includes vulnerability scans and hands-on testing to confirm that your systems meet the standard, and must be completed within three months of your Cyber Essentials pass. Provides greater assurance to customers and insurers.
Organisations often start with Cyber Essentials and progress to Plus once they have confidence in their controls. For higher-risk sectors (finance, healthcare, defence, government supply chains), Cyber Essentials Plus is often expected.
Step-by-step guide to Cyber Essentials certification in 2025
To help you prepare, here is a clear process for getting certified:
- Download and read the requirements – Access the Requirements for IT infrastructure and confirm your team understands the 2025 updates. This document is mandatory reading before you begin.
- Define your scope – Clearly identify which parts of your IT infrastructure are in scope. This typically includes all devices, networks and services used to access company data. Poor scoping is one of the most common reasons applications fail.
- Review your controls – Map your systems against the five technical controls. Check that all devices are patched, MFA is enabled for cloud services, default settings are secured, and anti-malware defences are effective.
- Complete the SAQ (self-assessment questionnaire) – Answer the Willow Question Set honestly and in detail. The SAQ acts as a compliance statement and must be signed by a board member or equivalent.
- Submit your application – Send your SAQ to an IASME-accredited certification body such as IT Governance. An assessor will review your answers and either issue a pass or request clarification.
- Achieve Cyber Essentials certification – If successful, you will receive your Cyber Essentials certificate and (if eligible) free cyber insurance of up to £25,000.
- Progress to Cyber Essentials Plus (optional) – Book an external audit to achieve Cyber Essentials Plus certification. This involves vulnerability scans and a technical review to verify your controls in practice.
Common pitfalls to avoid
Many organisations fail their first attempt because of avoidable mistakes. The most common pitfalls include:
- Weak scoping – Leaving out devices or cloud services that should be in scope.
- MFA gaps – Failing to enforce multi-factor authentication across all cloud accounts.
- Outdated software – Using unsupported operating systems or unpatched applications.
- Default settings – Retaining factory default passwords or failing to lock down administrative access.
- Incomplete evidence – Submitting vague answers in the SAQ without demonstrating control implementation.
Address these issues early to avoid delays and retests.
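The five controls above and the pitfalls just listed reduce to a handful of testable conditions: a supported operating system, urgent fixes applied within 14 days, no default passwords, and MFA on every cloud account. The following is an added example, not code from the original post or from IT Governance or IASME, that runs those checks over a small constructed asset inventory so you can see what a pre-submission self-check looks like. The inventory format, field names, device names, dates and CVSS values are all assumptions made up for the example; the 14-day window and the critical/high or CVSS 7.0 threshold are the criteria stated in the Requirements for IT infrastructure.

```python
"""Pre-submission self-check for the Cyber Essentials technical controls.

Added example (not from the original post or from IT Governance/IASME).
The inventory schema and all sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

PATCH_WINDOW = timedelta(days=14)   # fixes must be applied within 14 days of release
CVSS_THRESHOLD = 7.0                # CVSS v3 base score at or above this counts as urgent

Finding = Tuple[str, str, str]      # (asset, control area, description)


@dataclass
class PendingUpdate:
    product: str
    released: date          # date the vendor released the fix
    vendor_rating: str      # vendor's own rating, e.g. "critical", "high", "medium", "low"
    cvss: float             # CVSS v3 base score of the vulnerability the fix addresses


@dataclass
class Device:
    name: str
    os: str
    os_supported_until: Optional[date]   # vendor end-of-support date; None = unknown
    default_password_changed: bool
    pending: List[PendingUpdate] = field(default_factory=list)


@dataclass
class CloudAccount:
    user: str
    service: str
    mfa_enabled: bool


def update_is_urgent(u: PendingUpdate) -> bool:
    """Critical/high by vendor rating, or CVSS v3 base score >= 7.0."""
    return u.vendor_rating.lower() in ("critical", "high") or u.cvss >= CVSS_THRESHOLD


def update_overdue(u: PendingUpdate, today: date) -> bool:
    """Urgent fix still pending more than 14 days after release."""
    return update_is_urgent(u) and (today - u.released) > PATCH_WINDOW


def check_devices(devices: List[Device], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for d in devices:
        # Software updates: unsupported OS, or unknown support status, is a fail.
        if d.os_supported_until is None or d.os_supported_until < today:
            findings.append((d.name, "software updates", f"unsupported OS: {d.os}"))
        for u in d.pending:
            if update_overdue(u, today):
                days = (today - u.released).days
                findings.append((d.name, "software updates",
                                 f"{u.product} fix released {days} days ago (limit 14)"))
        # Secure configuration / firewalls: factory default credentials must be changed.
        if not d.default_password_changed:
            findings.append((d.name, "secure configuration", "default password still in use"))
    return findings


def check_cloud(accounts: List[CloudAccount]) -> List[Finding]:
    # Access control: every cloud service user needs MFA.
    return [(a.user, "access control", f"no MFA on {a.service}")
            for a in accounts if not a.mfa_enabled]


def run_checks(devices: List[Device], accounts: List[CloudAccount], today: date) -> List[Finding]:
    return check_devices(devices, today) + check_cloud(accounts)


def example_inventory():
    """Constructed sample data (names, dates and scores are made up for the example)."""
    today = date(2025, 6, 2)
    devices = [
        Device("laptop-01", "Windows 11", date(2026, 10, 13), True, [
            PendingUpdate("Browser", date(2025, 5, 10), "high", 8.1),      # 23 days old -> overdue
            PendingUpdate("Office suite", date(2025, 5, 25), "medium", 5.3),  # not urgent
        ]),
        Device("router-01", "vendor firmware", date(2027, 1, 1), False, [
            PendingUpdate("Firmware", date(2025, 5, 28), "critical", 9.8),  # 5 days old -> in window
        ]),
        Device("server-02", "Windows Server 2012 R2", date(2023, 10, 10), True),  # support ended
    ]
    accounts = [
        CloudAccount("alice", "Microsoft 365", True),
        CloudAccount("bob", "Microsoft 365", False),
    ]
    return devices, accounts, today


if __name__ == "__main__":
    devs, accts, today = example_inventory()
    for asset, control, detail in run_checks(devs, accts, today):
        print(f"[{control}] {asset}: {detail}")
```

Running it against the constructed inventory reports four findings: the overdue browser fix on laptop-01, the unchanged default password on router-01, the unsupported server OS, and the account without MFA. The router firmware fix is critical but only five days old, so it is still inside the window; the medium-rated office update is not urgent at all. Feeding the script your real asset register is a cheap way to catch the scoping and evidence gaps assessors most often reject.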
Why Cyber Essentials matters in 2025
Cyber Essentials is more than a checklist. For small to medium-sized organisations in particular, it provides:
- Protection against common attacks – Preventing the majority of commodity malware and phishing-driven intrusions.
- Customer trust – Demonstrating due diligence to clients, partners and insurers.
- Market access – Meeting the security requirements of government contracts and supply chain frameworks.
- Cost-effective assurance – Achievable at a fraction of the cost of ISO 27001 or other frameworks.
With cyber insurance premiums rising and regulators focusing on supply chain resilience, Cyber Essentials certification is an increasingly valuable badge of assurance.
Cyber Essentials 2025 checklist
To recap, here is a practical Cyber Essentials checklist for 2025 (with Plus as the final, optional step):
- Read the Requirements for IT infrastructure and understand Willow.
- Define a clear and accurate scope.
- Verify implementation of all five controls.
- Enable MFA for all cloud services.
- Remove unsupported or unpatched software.
- Secure default settings and admin accounts.
- Complete and submit the SAQ.
- Progress to Plus by arranging an external audit.
How IT Governance can help
As one of the original Cyber Essentials certification bodies, IT Governance has issued more than 9,000 certificates. Our services range from simple self-certification packages to fully managed consultancy programmes.
Whether you want to self-certify or achieve Plus, we have the experience, tools and services to help you succeed.