Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?
Section A6: Security Update Management · Cyber Essentials Danzell
What this question is really asking
If auto-updates are not in use for some applications, describe your manual patching process. The same requirements apply as A6.4.2 — a documented, scheduled process with evidence of execution. For server-side applications, manual patching processes are common and acceptable provided they consistently run within the 14-day window.
What satisfies this requirement
A written response is required. Describe the manual update process for applications.
What to prepare before your assessor visit
The same evidence standards apply as A6.4.2. For server applications, many organisations have monthly or quarterly maintenance windows — if your window can fall more than 14 days after a critical patch release, you need an emergency patching procedure that closes the gap for critical vulnerabilities. A scheduled monthly window is not automatically compliant if the cadence misses the 14-day requirement.