Cyber Essentials Patch Management Explained

Cyber Essentials Patch Management Explained

No matter which phones, tablets, laptops, or computers your organisation is using, it’s important they are kept up to date at all times. This is true for both operating systems and installed apps or software. Happily, doing so is quick, easy, and free.


Manufacturers and developers release regular updates that not only add new features but also fix any security vulnerabilities that have been discovered.

Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, software, devices, and apps should all be set to ‘automatically update’ wherever this is an option. This way, you will be protected as soon as the update is released.

However, all IT has a limited lifespan. When new updates cease to appear for your hardware or software, you should consider a modern replacement.

Patch Management—What Cyber Essentials Requires

Patch management

Cyber Essentials Certification requires that all software is kept up to date.

This applies to: Desktop computers, laptop computers, tablets, mobile phones, firewalls, routers, and web, email, and application servers


Ensure that devices and software are not vulnerable to known security issues for which fixes are available.


Any device that runs software can contain security flaws, known as ‘vulnerabilities’.

Vulnerabilities are regularly discovered in all sorts of software. Once discovered, malicious individuals or groups move quickly to misuse (or ‘exploit’) vulnerabilities to attack computers and networks with these weaknesses.

Product vendors provide fixes for vulnerabilities identified in products that they still support, in the form of software updates known as 'patches'. Patches may be made available to customers immediately or on a regular release schedule (perhaps monthly).


Product vendors do not generally release patches for products they no longer support, not even to fix vulnerabilities.

Requirements under this technical control theme

The applicant must keep all its software up to date. Software must be:

  • Licensed and supported
  • Removed from devices when no longer supported
  • Patched within 14 days of an update being released, where the patch fixes a vulnerability with a severity the product vendor describes as 'critical' or 'high risk'.*

Some vendors release patches for multiple issues with differing severity levels as a single update. If such an update covers any 'critical' or 'high risk' issues, then it must be installed within 14 days.


*If the vendor uses different terms to describe the severity of vulnerabilities, see the precise definition in the Common Vulnerability Scoring System (CVSS).