Are all high-risk or critical security updates for operating systems and router and firewall firmware installed within 14 days of release?
Section A6: Security Update Management · Cyber Essentials Montpellier
What this question is really asking
This is an auto-fail question. All high-risk or critical security updates for operating systems, and for router and firewall firmware, must be installed within 14 days of the vendor releasing them, with no exceptions. Cyber Essentials treats an update as high-risk or critical when the vendor describes the vulnerability it fixes as critical or high risk, or when that vulnerability has a CVSS v3 base score of 7 or above. This is one of the most frequently failed requirements. Before your assessment, verify your patching process against Windows Update history, WSUS reports, or your MDM patching dashboard. A single critical OS update left uninstalled for more than 14 days will fail your certification.
What satisfies this requirement
Answer format: Yes or No. Mandatory: all high-risk or critical updates installed within 14 days, at all times. This includes firewall and router firmware. Feature updates and optional updates are not required.
What to prepare before your assessor visit
This auto-fail question has ended more assessments than almost any other. Before you submit, run a Windows Update compliance report, pull a WSUS patch history, or generate an MDM patch compliance dashboard. If any device shows a critical OS update that has been available for more than 14 days at the time of assessment, patch it before you submit. Check firewall and router firmware the same way: compare the running firmware version against the vendor's release notes and confirm no security release older than 14 days is outstanding. Do not assume compliance; verify it from a system-generated report, not from memory.
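The following PowerShell script is an added example of the per-device check described above; it is not code from the Cyber Essentials scheme or from this site. It uses the Windows Update Agent COM API (Microsoft.Update.Session) to list updates that are not yet installed, and flags any rated Critical or Important by Microsoft whose publication date is more than 14 days ago. Assumptions: the script runs with local administrator rights on a Windows device that can reach Windows Update or its WSUS server, the 14-day threshold and the treatment of MSRC "Important" as in scope are assumptions to be adjusted to your own mapping of the CE high/critical definition, and the KB numbers and dates it prints come entirely from the machine it is run on.

```powershell
# Added example (not from the page): flag pending Windows updates that have been
# available for more than 14 days, as evidence for the Cyber Essentials A6 check.
# Assumption: run elevated on the device being assessed; it reaches WU or WSUS.
param([int]$MaxAgeDays = 14)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0 -> not yet installed; Type='Software' -> skip driver updates.
# Hidden updates are deliberately NOT filtered out: hiding one does not excuse it.
$result = $searcher.Search("IsInstalled=0 and Type='Software'")

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)
$overdue = @()
$pending = @()

foreach ($u in $result.Updates) {
    # MsrcSeverity is 'Critical', 'Important', 'Moderate', 'Low' or empty.
    # Assumption: Critical and Important are treated as the CE high/critical band
    # (Important commonly covers CVSS 7+). Confirm against the MSRC CVSS score
    # if you need to argue that a specific 'Important' update is out of scope.
    $severity = $u.MsrcSeverity
    if ($severity -notin @('Critical', 'Important')) { continue }

    # LastDeploymentChangeTime is when the update was last published or revised
    # on the update service. A revised update carries the newer date, so this
    # can understate the true age; it never overstates it.
    $released = $u.LastDeploymentChangeTime

    $row = [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Severity = $severity
        Released = $released.ToString('yyyy-MM-dd')
        AgeDays  = [int]($now - $released).TotalDays
        Title    = $u.Title
    }
    $pending += $row
    if ($released -lt $cutoff) { $overdue += $row }
}

"Device: $env:COMPUTERNAME  Checked: $($now.ToString('yyyy-MM-dd HH:mm'))"
"Pending high/critical updates: $($pending.Count)  Overdue (>$MaxAgeDays days): $($overdue.Count)"

if ($overdue.Count -gt 0) {
    "FAIL: the following updates exceed the $MaxAgeDays-day window"
    $overdue | Sort-Object AgeDays -Descending | Format-Table KB, Severity, Released, AgeDays, Title -AutoSize
    exit 1
}

"PASS: no high/critical update older than $MaxAgeDays days is outstanding"
exit 0
```

Run it on each in-scope Windows device (or push it through your RMM or MDM and collect the exit codes) and keep the output with the date as assessment evidence. A non-zero exit code means that device would fail the question as it stands, and the listed KBs are the ones to install before you submit. The script does not cover firewall or router firmware; for those, record the running version and the vendor's latest security release date by hand.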
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.