What You Need to Know about Cyber Essentials Montpellier update

In April 2023, the National Cyber Security Centre (NCSC) introduced a new version of Cyber Essentials called Montpellier. This new version brings a few key changes compared to the older version, known as Evendine. In this blog post, we'll compare the two versions and highlight the differences.


The first change that stands out is the updated definition of "software." Montpellier now includes firmware in its scope of software, which covers operating systems, commercial off-the-shelf applications, plugins, interpreters, scripts, libraries, network software, and firewall and router firmware. This change was made because firewalls and routers are essential security devices, and their operating systems need to be kept up to date for optimal security.

Another significant change in Montpellier is the inclusion of asset management. Although asset management is not a specific Cyber Essentials control, it is a critical security function. By emphasising the importance of good asset management, Montpellier helps organisations to better protect their assets and reduce the risk of data breaches.

Montpellier also includes a link to the NCSC's BYOD (Bring Your Own Device) guidance. This addition provides further information and advice on the use of BYOD, which has become increasingly common in the workplace.

The third change is the clarification on including third-party devices. All end-user devices that an organisation owns and that are loaned to a third party must be included in the assessment scope. Montpellier includes a new table for clarity on this subject.

The device unlocking section has been updated in Montpellier to reflect that some configurations cannot be altered due to vendor restrictions. When the vendor does not allow configuration changes, it is essential to use the vendor's default settings to ensure optimal security.

The malware protection section has also been updated in Montpellier. It is now mandatory to ensure that a malware protection mechanism is active on all devices in scope. Additionally, Montpellier allows for the option to restrict the execution of applications to only approved applications that are restricted by code signing.


National Cyber Security Centre states that Montpellier also includes information on how using a zero-trust architecture affects Cyber Essentials. Zero-trust architecture is a security model that assumes that all users, devices, and applications are untrusted and need to be verified before being granted access to sensitive data or applications. By adopting a zero-trust architecture, organisations can better protect themselves against cyber-attacks.

Finally, Montpellier makes two-factor authentication (2FA) compulsory for all users on all cloud services instead of only admin accounts. 2FA adds an extra layer of security to the authentication process by requiring users to provide two forms of authentication instead of one.

In conclusion, Cyber Essentials Montpellier introduces several key changes that highlight the importance of good asset management, device security, and malware protection. The inclusion of firmware in the definition of software and the mandatory use of 2FA for all users on all cloud services are significant steps towards better cybersecurity. By following the guidelines outlined in Montpellier, organisations can better protect themselves against cyber-attacks and reduce the risk of data breaches.

Do check out our other blogs on Cyber Essentials & Cyber Essentials Plus certification

Step 1: Organisation Size

Step 2: Pick Cyber Essentials Package

  • Cyber Essentials Basic - CEB001

    £300 + VAT


    2 Days for Remediation

    1 Day Turnaround

    £25k Cyber Insurance*

    The package explained

    *Insurance details are on IASME website

  • Guided Cyber Essentials - CEB002

    £500 + VAT

    Everything in CEB001 plus


    Online/Phone Support

    *Insurance details are on IASME website

  • Cyber Essentials Plus - CEP001

    £1500 + VAT

    Everything in CEB002 Plus

    30 Day Remediation

    Systems Audit (remote)

    *Insurance details are on IASME website

  • Guided CE Plus - CEP002

    £2500 + VAT

    Everything in CEP001 plus

    Pre- systems Audit

    Gap Analysis report



    *Insurance details are on IASME website

Related Articles


Back to start
aberdeen skyline graphic