Are all operating systems on your devices supported by a vendor that produces regular security updates?
Section A6: Security Update Management · Cyber Essentials Montpellier
What this question is really asking
Confirm that all operating systems on all in-scope devices are supported by their vendor and still receiving security updates. Unsupported operating systems are an automatic fail under Cyber Essentials. Check every device listed in section A2 against its vendor's published end-of-life schedule — Windows, macOS, iOS, Android, and server OS versions all have defined support lifecycles.
What satisfies this requirement
Yes or No. Includes firmware on firewalls and routers. Unsupported OS means no certification. Out-of-support examples: Windows 7/XP/Vista/Server 2003, macOS Mojave, iOS 12/13, Android 8, Ubuntu 17.10.
What to prepare before your assessor visit
This is the question that most often catches organisations off guard at renewal. An OS that was in support last year may have reached end-of-life since. Create a calendar reminder for every device OS version's published end-of-life date and plan upgrades well in advance. A single device running an unsupported OS version is an automatic fail, and assessors will look at every device category you listed in A2, so a forgotten old server or thin client can end an otherwise clean assessment.
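The check described above can be run as a script over the A2 device list. This is an added example, not part of the original guidance: the device names, OS labels and end-of-support dates are constructed placeholders to be replaced with the vendor's published dates, and the 365-day lookahead is an assumption standing in for the renewal cycle.

```python
from datetime import date, timedelta

# Constructed end-of-support dates for illustration only; replace each with the
# date from the vendor's published lifecycle page.
EOL_DATES = {
    ("exampleos-desktop", "10"): date(2020, 1, 14),
    ("exampleos-desktop", "11"): date(2027, 10, 12),
    ("exampleos-server", "2022"): date(2026, 3, 1),
    ("examplefw-firmware", "7.2"): date(2028, 6, 30),  # firewall/router firmware is in scope
}

# Constructed inventory standing in for the devices listed in section A2.
INVENTORY = [
    {"device": "laptop-01", "os": "exampleos-desktop", "version": "11"},
    {"device": "thin-client-03", "os": "exampleos-desktop", "version": "10"},
    {"device": "file-server", "os": "exampleos-server", "version": "2022"},
    {"device": "edge-firewall", "os": "examplefw-firmware", "version": "7.2"},
    {"device": "old-nas", "os": "examplenas", "version": "4"},  # no lifecycle entry
]

def classify(item, today, lookahead_days=365):
    """Return the support status of one inventory item as of `today`."""
    eol = EOL_DATES.get((item["os"].lower(), item["version"]))
    if eol is None:
        return "UNKNOWN"                  # never assume support; look it up by hand
    if eol < today:
        return "UNSUPPORTED"              # automatic fail
    if eol <= today + timedelta(days=lookahead_days):
        return "EXPIRES_BEFORE_RENEWAL"   # in support now, plan the upgrade
    return "SUPPORTED"

def audit(inventory, today, lookahead_days=365):
    """Group device names by support status."""
    report = {}
    for item in inventory:
        status = classify(item, today, lookahead_days)
        report.setdefault(status, []).append(item["device"])
    return report

def ready_for_assessment(report):
    """True only when no device is unsupported or of unknown status."""
    return not report.get("UNSUPPORTED") and not report.get("UNKNOWN")

if __name__ == "__main__":
    result = audit(INVENTORY, date.today())
    for status, devices in sorted(result.items()):
        print(f"{status}: {', '.join(devices)}")
    print("Ready for assessment:", ready_for_assessment(result))
```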