Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader and .Net.) installed within 14 days of release?
Section A6: Security Update Management · Cyber Essentials Montpellier
What this question is really asking
This is an auto-fail question. All high-risk or critical security updates for applications must be applied within 14 days of release. This applies to all in-scope software including browsers, office suites, email clients, and any other application listed in A6.2. Browser updates are particularly important — they are frequently targeted and receive regular critical updates.
What satisfies this requirement
Yes or No
Mandatory: all high/critical application updates within 14 days. Feature and optional updates excluded.
What to prepare before your assessor visit
Browser updates are the most common application patch failure. Chrome and Edge update automatically by default, but only when the browser is restarted — users who rarely restart their browsers can run outdated versions despite auto-update being nominally enabled. Consider enforcing browser restart timeouts through GPO or MDM, and check actual browser versions in your next software scan rather than assuming auto-update is working.
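One way to run the version check described above against a software-scan export, as an added example that is not part of the original page. The release list, version numbers, dates and host names are constructed, and the function names are hypothetical. A host is flagged only when a high or critical fix it lacks was released more than 14 days before the scan.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # high/critical fixes must be applied within 14 days of release

# Constructed sample data: version numbers and dates are invented for illustration.
SECURITY_RELEASES = [
    # (application, fixed version, release date, vendor severity)
    ("chrome", "120.0.1.10", date(2024, 1, 3), "critical"),
    ("chrome", "120.0.1.25", date(2024, 1, 20), "high"),
    ("chrome", "120.0.1.30", date(2024, 1, 24), "low"),
    ("edge", "120.0.2.8", date(2024, 1, 5), "high"),
]

INVENTORY = [
    # (hostname, application, version the scan actually found running)
    ("ws-001", "chrome", "120.0.1.25"),
    ("ws-002", "chrome", "120.0.1.10"),
    ("ws-003", "chrome", "119.0.9.99"),
    ("ws-004", "edge", "120.0.2.8"),
]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def classify(app, installed, scan_date, releases=SECURITY_RELEASES):
    """Return (status, oldest missing fix or None, age of that fix in days)."""
    missing = [
        (released, fixed)
        for rel_app, fixed, released, severity in releases
        if rel_app == app
        and severity in ("high", "critical")  # feature/optional updates are excluded
        and parse_version(fixed) > parse_version(installed)
    ]
    if not missing:
        return ("ok", None, 0)
    released, fixed = min(missing)  # the oldest missing fix decides compliance
    age = (scan_date - released).days
    status = "overdue" if age > PATCH_WINDOW_DAYS else "pending"
    return (status, fixed, age)

def audit(inventory, scan_date):
    return {
        (host, app): classify(app, installed, scan_date)
        for host, app, installed in inventory
    }

if __name__ == "__main__":
    for (host, app), (status, fixed, age) in audit(INVENTORY, date(2024, 1, 25)).items():
        print(f"{host} {app}: {status}", f"(missing {fixed}, {age} days old)" if fixed else "")
```

A "pending" result means a fix is missing but still inside the 14-day window; a browser that has downloaded an update and not yet been restarted shows up here under its old running version.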