Cyber Essentials Controls
Security Update Management
Security update management is a key part of Cyber Essentials. It is designed to protect devices and software against known vulnerabilities by ensuring that vendor-approved fixes are applied promptly, reducing the window of opportunity for attackers. Because unpatched software remains one of the most common ways cyber criminals gain access to systems, keeping software and network devices up to date, applying vulnerability fixes quickly, enabling automatic updates where possible, and removing unsupported software are all essential steps in reducing exposure to known vulnerabilities and strengthening overall cyber resilience.
Why Vulnerability Fixes Matter
Software is made up of thousands of lines of code, and over time vulnerabilities are discovered. When this happens, reputable vendors release fixes to correct the issue. If those fixes are not applied, the vulnerability remains open and may be exploited by cyber criminals.
Under Cyber Essentials, a vulnerability fix is not limited to a standard patch or software update. It can include any vendor-approved method used to remediate a known issue, including:
- patches
- updates
- registry changes
- configuration changes
- scripts
- any other vendor-approved remediation mechanism
Where a vulnerability fix requires more than one action, such as applying a patch alongside a configuration change, all elements must be completed for the fix to be considered fully implemented under Cyber Essentials. A patch that has been installed while the accompanying configuration change is still outstanding counts as not applied.
Vulnerability Fix Timeframes
Cyber Essentials requires security updates and other vulnerability fixes to be applied within 14 days of the fix being released where any of the following applies:
- the vendor rates the vulnerability as critical or high risk
- the vulnerability has a CVSS v3 base score of 7.0 or above
- the vendor does not provide a severity rating
Failure to meet these requirements results in an automatic assessment failure. These rules reinforce the importance of timely patching, as delayed security updates remain one of the most common causes of successful cyber attacks.
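The three triggers above, together with the rule that a multi-step fix only counts once every step is done, can be turned into a simple inventory audit. The following is an added example (not code from the page, the NCSC or IASME); the asset names, dates and scores are constructed, and the status labels are this script's own, not Cyber Essentials terminology. It flags a fix as in scope of the 14-day rule if the vendor rates it critical or high, if its CVSS v3 base score is 7.0 or above, or if the vendor gave no rating at all, and then checks the completion date of the last required step against the release date plus 14 days.

```python
"""Audit a patch inventory against the Cyber Essentials 14-day rule.

Added example, not part of the original page or any NCSC/IASME tooling.
The asset names, dates and scores below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

FIX_WINDOW = timedelta(days=14)   # Cyber Essentials deadline after release
CVSS_THRESHOLD = 7.0              # CVSS v3 base score that triggers the rule


@dataclass
class Fix:
    """One vendor-released vulnerability fix and its remediation status."""
    asset: str                            # device or software it applies to
    released: date                        # date the vendor published the fix
    vendor_rating: Optional[str]          # vendor's own rating, None if absent
    cvss_v3: Optional[float]              # CVSS v3 base score, None if absent
    steps: tuple[str, ...] = ("patch",)   # every vendor-required action
    completed: dict[str, date] = field(default_factory=dict)  # step -> date done


def requires_14_day_fix(fix: Fix) -> bool:
    """True if any of the three Cyber Essentials triggers applies."""
    rating = (fix.vendor_rating or "").strip().lower()
    if rating in ("critical", "high"):
        return True                          # vendor rates it critical or high
    if fix.cvss_v3 is not None and fix.cvss_v3 >= CVSS_THRESHOLD:
        return True                          # CVSS v3 base score of 7.0 or above
    return fix.vendor_rating is None         # vendor provided no severity rating


def applied_on(fix: Fix) -> Optional[date]:
    """Date the fix counts as fully implemented, i.e. when the last required
    step was completed. A partially applied multi-step fix is not applied."""
    if any(step not in fix.completed for step in fix.steps):
        return None
    return max(fix.completed[step] for step in fix.steps)


def classify(fix: Fix, today: date) -> str:
    """Status of one fix relative to the 14-day rule as of `today`."""
    if not requires_14_day_fix(fix):
        return "outside_14_day_rule"   # still needs applying, just no fixed deadline
    deadline = fix.released + FIX_WINDOW
    done = applied_on(fix)
    if done is not None:
        return "compliant" if done <= deadline else "applied_late"
    return "pending" if today <= deadline else "overdue"


def assessment_failures(fixes: list[Fix], today: date) -> list[str]:
    """Assets whose fix status would fail a Cyber Essentials assessment."""
    return [f.asset for f in fixes if classify(f, today) in ("overdue", "applied_late")]


# Constructed inventory for the example.
TODAY = date(2025, 3, 20)
SAMPLE_FIXES = [
    # Firewall firmware plus a vendor-required config change; both done in time.
    Fix("edge-firewall", date(2025, 3, 1), "critical", 9.8,
        steps=("firmware", "config"),
        completed={"firmware": date(2025, 3, 8), "config": date(2025, 3, 10)}),
    # Vendor says "medium" but CVSS is 7.5, so the rule still applies; not done.
    Fix("finance-laptop-07", date(2025, 3, 1), "medium", 7.5),
    # No vendor rating at all: in scope, deadline not yet reached.
    Fix("branch-router", date(2025, 3, 12), None, None),
    # Low severity: must still be fixed, but not under the 14-day deadline.
    Fix("pdf-viewer", date(2025, 2, 20), "low", 4.3),
    # Applied, but after the deadline: a control failure at the time.
    Fix("web-server", date(2025, 2, 10), "high", None,
        completed={"patch": date(2025, 3, 1)}),
    # Patch done but registry change outstanding: counts as not applied.
    Fix("vpn-gateway", date(2025, 3, 1), "critical", None,
        steps=("patch", "registry"),
        completed={"patch": date(2025, 3, 5)}),
]


if __name__ == "__main__":
    for fix in SAMPLE_FIXES:
        print(f"{fix.asset:18} {classify(fix, TODAY)}")
    print("would fail assessment:", assessment_failures(SAMPLE_FIXES, TODAY))
```

Two points in the sample inventory are worth noticing. The laptop with a vendor rating of "medium" is still in scope because its CVSS v3 base score is 7.5, and the VPN gateway is overdue even though the patch itself went on within four days, because the registry change the vendor requires alongside it was never completed. An inventory that records only "patch installed" cannot distinguish that case from a complete fix.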
Keeping Software Up to Date
For most organisations, the easiest and most effective way to stay protected is to enable automatic updates wherever possible. This helps ensure that security fixes are applied quickly and consistently without relying on manual intervention.
Larger organisations are often concerned that an update may stop other software from working or break particular features. IT teams in these organisations usually test each update on a controlled sample of devices before applying it company-wide, while still keeping to the 14-day deadline for critical and high-risk fixes.
- It is always a good idea to have backups of your data before updating.
- The National Cyber Security Centre has some useful guidance on installing software updates without breaking things.
Firewalls and Routers Must Be Updated
Cyber Essentials makes clear that the operating systems running on firewalls and routing devices must be treated in the same way as any other in-scope operating system. This means that firewalls and routers must:
- be supported by the vendor
- be kept up to date with security patches and vulnerability fixes
- receive all relevant critical or high-risk updates within 14 days where required
These devices are a vital part of your security boundary, so failing to keep them updated can leave your organisation exposed.
Unsupported or End-of-Life Software
Unsupported, legacy, or end-of-life software creates a serious security risk because the vendor no longer provides fixes when new vulnerabilities are discovered. Once software is no longer supported, it should not be relied on as a secure solution.
Cyber Essentials requires unsupported software to be removed and replaced with a supported alternative. If that is not currently possible, it must be taken out of certification scope by moving it into a well-defined, segregated, and separately managed subset that prevents all traffic to and from the internet.
What Cyber Essentials Expects
To meet the Security Update Management control, organisations should ensure that:
- all in-scope software and firmware is supported by the vendor
- critical and high-risk vulnerability fixes are applied within 14 days
- fixes are also applied within 14 days where no severity rating is provided
- firewalls, routers, operating systems, and applications are all included in the update process
- unsupported software is removed, replaced, or securely segregated out of scope