Is all the software on your devices supported by a supplier that produces regular fixes for any security problems?
Section A6: Security Update Management · Cyber Essentials Montpellier
What this question is really asking
Confirm that all software on in-scope devices is supported by its vendor. This includes locally installed applications and browser plugins or extensions. Software that is no longer receiving security patches must be removed or substituted. Maintain a software inventory and track end-of-life dates to stay ahead of this.
What satisfies this requirement
Yes or No. Includes frameworks and plugins such as Java, Adobe Reader, .NET. Unsupported software must be removed.
What to prepare before your assessor visit
Software end-of-life tracking requires a complete and current software inventory. Tools like Lansweeper or a well-maintained SCCM are expected for anything above a small organisation. For smaller organisations, a manually maintained spreadsheet with published end-of-life dates is acceptable — but it must exist, must be up to date, and must cover every application category you've listed in A6.2.1 through A6.2.4.
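A minimal check over such a spreadsheet, exported as CSV, is sketched below. This is an added example, not part of the original guidance or of any Cyber Essentials tooling; the column names, the 90-day warning window and all product names and dates are constructed assumptions. Only the category labels A6.2.1 to A6.2.4 come from this page.

```python
import csv
import io
from datetime import date, timedelta

# Category labels as numbered on this page; what each covers is defined by your own A6.2.x answers.
REQUIRED_CATEGORIES = {"A6.2.1", "A6.2.2", "A6.2.3", "A6.2.4"}

# Constructed sample inventory: product names, versions and dates are made up.
SAMPLE_CSV = """category,device,software,version,eol_date
A6.2.1,LAPTOP-01,ExampleOS,10,2031-01-01
A6.2.2,LAPTOP-01,ExampleBrowser,120,2030-06-30
A6.2.2,LAPTOP-02,ExamplePlugin,3.1,2024-03-31
A6.2.3,SRV-01,ExampleRuntime,8,2025-09-15
A6.2.3,SRV-01,ExampleReader,11,
"""

def audit_inventory(csv_text, today, warn_days=90):
    """Flag unsupported software, upcoming EOLs, rows without a usable EOL date, and uncovered categories."""
    findings = {"unsupported": [], "expiring": [], "no_eol_date": [], "missing_categories": []}
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen.add(row["category"].strip())
        label = f'{row["device"]}: {row["software"]} {row["version"]}'
        try:
            eol = date.fromisoformat((row["eol_date"] or "").strip())
        except ValueError:
            # Blank or malformed date: the inventory cannot show this item is supported.
            findings["no_eol_date"].append(label)
            continue
        if eol < today:
            # Past its end-of-life date: must be removed or substituted.
            findings["unsupported"].append(label)
        elif eol <= today + timedelta(days=warn_days):
            # Still supported, but replacement needs planning now.
            findings["expiring"].append(label)
    # A category with no rows means the inventory does not cover it.
    findings["missing_categories"] = sorted(REQUIRED_CATEGORIES - seen)
    return findings

if __name__ == "__main__":
    for kind, items in audit_inventory(SAMPLE_CSV, date(2025, 7, 1)).items():
        print(f"{kind}: {items}")
```

Rows with a blank or unparseable end-of-life date are reported separately rather than treated as supported, since an inventory entry without a published date does not demonstrate vendor support.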