What this control covers
Security update management requires that software, operating systems, firmware and applications on in-scope devices are licensed, vendor-supported and kept up to date. The scheme sets a specific timeframe: updates that fix vulnerabilities rated critical or high risk (a CVSS v3 base score of 7.0 or above, or described by the vendor as critical or high) must be installed within 14 days of release. Cyber Essentials requirements emphasise identifying which systems are in scope, knowing what software is installed, and ensuring those vulnerabilities are addressed within that window, either by applying the update or by removing or isolating the affected software.
Unpatched systems are a major cause of successful attacks, so regular, structured patching closes known vulnerabilities that commodity attackers routinely scan for and exploit. Combining timely patching with the other four controls greatly reduces the window of opportunity in which an attacker can use off‑the‑shelf exploits to compromise systems, which is central to the scheme’s protective effect.
What assessors expect to see
Assessors expect all in-scope software and operating systems to be licensed, vendor-supported and kept up to date with security patches.
This includes:
- Installation of security updates within 14 days of release where they fix critical or high-risk vulnerabilities
- Removal of unsupported software from in-scope devices, or its isolation in a segregated sub-set of the network
- Automatic updates enabled wherever the vendor provides them, and confirmation that they are actually applying
- Clear understanding of which devices and applications are in scope
Cloud services and third-party platforms must also be supported and patched. The provider is responsible for the layers it operates, but the organisation remains responsible for confirming that and for patching whatever it controls itself, for example the operating system and applications inside virtual machines it runs on an infrastructure-as-a-service platform.
Common reasons organisations fail
This is one of the most common failure areas.
Typical issues include:
- Use of end-of-life operating systems or applications
- Patching that slips beyond the 14-day window for critical and high-risk vulnerabilities
- Lack of awareness of all in-scope software
- Unsupported plugins, add-ons, or dependencies
- Assuming cloud services remove all patching responsibility
In Cyber Essentials Plus, the assessor verifies patch levels directly rather than relying on the questionnaire: an authenticated vulnerability scan is run against a sample of in-scope devices, and any critical or high-risk vulnerability whose fix was released more than 14 days before the test is a failure.
Practical tips for SMEs
- Maintain an inventory of devices and software
- Enable automatic updates wherever possible
- Monitor vendor end-of-life announcements
- Remove or replace unsupported software promptly
- Test updates on a small subset of systems if needed, but keep the pilot short enough that full rollout still lands within the 14-day window
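To make the inventory and 14-day-window points above concrete, the following is an added example (not material from the scheme or from this page) of a small audit over a software inventory. The inventory layout, field names and the product rows are this example's own constructed assumptions; a real implementation would populate the rows from an asset-management tool or vulnerability scanner, but the classification logic it applies (unsupported software, overdue versus still-due fixes, and the CVSS 7.0 / critical-or-high threshold) is the rule the scheme states.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials requirement: updates that fix vulnerabilities rated critical or
# high (CVSS v3 base score >= 7.0, or called critical/high by the vendor) must be
# applied within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
HIGH_RISK_CVSS = 7.0


@dataclass
class InventoryItem:
    """One row of a software inventory. Field names are this example's own choice."""
    host: str
    product: str
    installed: str                       # version currently installed
    fixed: Optional[str] = None          # earliest version fixing an open vuln, if any
    fix_released: Optional[date] = None  # date the vendor released that fix
    severity: Optional[str] = None       # vendor rating: "critical", "high", "medium", ...
    cvss: Optional[float] = None         # CVSS v3 base score, if published
    support_ends: Optional[date] = None  # vendor end-of-support date, None if unannounced


def high_risk(item: InventoryItem) -> bool:
    """Does the outstanding issue fall under the 14-day rule?"""
    by_rating = (item.severity or "").lower() in ("critical", "high")
    by_score = item.cvss is not None and item.cvss >= HIGH_RISK_CVSS
    return by_rating or by_score


def classify(item: InventoryItem, today: date) -> str:
    """Return UNSUPPORTED, OVERDUE, DUE or OK for one inventory row."""
    if item.support_ends is not None and item.support_ends <= today:
        return "UNSUPPORTED"          # must be removed or isolated, whatever its patch state
    if item.fixed is None or item.installed == item.fixed:
        return "OK"                   # nothing outstanding
    if not high_risk(item):
        return "OK"                   # below the threshold; patch anyway, but not a CE failure
    if item.fix_released is None:
        raise ValueError(f"{item.host}/{item.product}: fix date needed to apply the 14-day window")
    deadline = item.fix_released + PATCH_WINDOW
    return "OVERDUE" if today > deadline else "DUE"


def audit(inventory, today: date) -> dict:
    """Group (host, product) pairs by their classification."""
    report = {"UNSUPPORTED": [], "OVERDUE": [], "DUE": [], "OK": []}
    for item in inventory:
        report[classify(item, today)].append((item.host, item.product))
    return report


# Constructed sample inventory for the example; not real scan data or real products.
TODAY = date(2024, 6, 3)
SAMPLE = [
    InventoryItem("ws01", "Browser", installed="125.0", fixed="126.0",
                  fix_released=date(2024, 5, 10), severity="high", cvss=8.8),
    InventoryItem("ws02", "Browser", installed="125.0", fixed="126.0",
                  fix_released=date(2024, 5, 28), severity="high", cvss=8.8),
    InventoryItem("srv01", "Legacy server OS", installed="6.3",
                  support_ends=date(2023, 10, 10)),
    InventoryItem("ws03", "Office suite", installed="7.6", fixed="7.7",
                  fix_released=date(2024, 4, 1), severity="medium", cvss=5.3),
    InventoryItem("ws04", "Office suite", installed="7.7", fixed="7.7",
                  fix_released=date(2024, 4, 1), severity="medium", cvss=5.3),
]

if __name__ == "__main__":
    for status, items in audit(SAMPLE, TODAY).items():
        print(f"{status}: {items}")
```

Run as-is, the sample reports ws01 as overdue (fix released 24 days earlier), ws02 as due but still inside the window, srv01 as unsupported, and the two office-suite rows as OK, one because its outstanding issue is medium severity and one because it is already on the fixed version. The unsupported check runs first on purpose: an end-of-life product is a failure even if every available patch has been applied, since no further fixes will be released for it.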
This guidance reflects common assessor interpretations and is intended to support understanding of Cyber Essentials requirements.