If yes to A6.3, please list the unsupported or unlicensed software or cloud services.
Section A6: Security Update Management · Cyber Essentials Danzell
What this question is really asking
If you answered yes to A6.3, list the specific software or cloud services that are unlicensed or unsupported. Every item listed must either have a documented remediation plan or be operating under an approved isolation arrangement as described in A6.7.
What satisfies this requirement
A list is requiredList all unlicensed or unsupported software and cloud services.
What to prepare before your assessor visit
Every item on this list needs either a credible remediation plan with a realistic date, or a documented isolation arrangement described in A6.7. 'We're planning to upgrade eventually' will not satisfy an assessor — show a specific plan with a target date. If the software genuinely cannot be replaced, the isolation must be technically robust and demonstrable, not simply described.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.