Where you have a business need to use unsupported software, have you moved the devices and software out of scope of the assessment?
Section A6: Security Update Management · Cyber Essentials Montpellier
What this question is really asking
If you have a genuine business need to continue running unsupported software, describe the isolation measures in place. Acceptable mitigations include network segmentation from internet-facing systems, application whitelisting, enhanced monitoring, and formal risk acceptance. Continuing to run unsupported software without any mitigation is not acceptable.
What satisfies this requirement
Yes or No — if Yes, a written description is also required.
Unsupported software must be placed on a sub-set with no internet access, segregated by firewall or VLAN. An excluding statement is required in A2.2.
What to prepare before your assessor visit
Isolation for unsupported software is one of the more nuanced areas of the standard. 'Network segmentation' needs to be technically specific — which device enforces the segment? What are the firewall rules between the isolated system and the rest of your network? Can the isolated system reach the internet, even indirectly? Assessors will want to see the actual configuration, not a description of intent. The isolated system must be demonstrably segregated from internet-accessible systems.
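To make the questions above concrete, here is an added example (not from the Cyber Essentials scheme or from this page) that models an inter-VLAN firewall policy as a list of allowed flows between named segments, checks whether the sub-set holding the unsupported software can reach the internet directly or through another segment, and renders the policy as an nftables forward chain. The segment names, address ranges, the `wan0` interface name and both policies are constructed assumptions for illustration; the "weak" policy is the kind that a written description of intent usually hides.

```python
"""Offline check of a segmentation policy for an unsupported-software sub-set.

Constructed example: segments, prefixes, interface name and rules are
assumptions, not a real network. Rules are (src, dst, action), evaluated
first-match-wins with a default of DROP, which is how most inter-VLAN
firewalls behave. The firewall is assumed to be stateful, so return
traffic for an accepted session is allowed without an explicit rule.
"""
from collections import deque

# Constructed segments; the prefix is only used when rendering nftables.
SEGMENTS = {
    "LEGACY_VLAN": "10.99.0.0/24",   # sub-set holding the unsupported software
    "USER_LAN":    "10.10.0.0/24",
    "MGMT":        "10.0.0.0/24",
    "DMZ":         "192.0.2.0/24",   # internet-facing servers (TEST-NET-1)
    "INTERNET":    None,             # matched by egress interface, not prefix
}

# A typical "we blocked it from the internet" policy. The sub-set cannot
# reach the internet directly, but it can reach the user LAN, which can.
WEAK_POLICY = [
    ("LEGACY_VLAN", "INTERNET", "DROP"),
    ("LEGACY_VLAN", "USER_LAN", "ACCEPT"),   # file shares, RDP from users
    ("USER_LAN", "LEGACY_VLAN", "ACCEPT"),
    ("USER_LAN", "INTERNET", "ACCEPT"),
    ("MGMT", "ANY", "ACCEPT"),
]

# Hardened: nothing is initiated from the sub-set at all; only the
# management segment may open sessions into it. Add narrow, explicit
# rules on top of this if users genuinely need the legacy application.
HARDENED_POLICY = [
    ("MGMT", "LEGACY_VLAN", "ACCEPT"),
    ("LEGACY_VLAN", "ANY", "DROP"),
    ("USER_LAN", "INTERNET", "ACCEPT"),
    ("MGMT", "ANY", "ACCEPT"),
]


def evaluate(rules, src, dst):
    """Return the action for a flow initiated from src towards dst."""
    for r_src, r_dst, action in rules:
        if r_src in (src, "ANY") and r_dst in (dst, "ANY"):
            return action
    return "DROP"  # default deny


def reachable_segments(rules, src):
    """Segments that src is allowed to open connections to."""
    return [d for d in SEGMENTS if d != src and evaluate(rules, src, d) == "ACCEPT"]


def paths_to_internet(rules, src, target="INTERNET"):
    """Breadth-first search over accepted flows; returns every simple path
    from src to target. A path of length 2 is direct internet access. A
    longer path is only an exposure if the intermediate segment relays
    traffic (web proxy, jump host, RDP session), but an assessor will ask
    about each one, so every path is reported."""
    paths, queue = [], deque([[src]])
    while queue:
        path = queue.popleft()
        for nxt in reachable_segments(rules, path[-1]):
            if nxt in path:
                continue
            if nxt == target:
                paths.append(path + [nxt])
            else:
                queue.append(path + [nxt])
    return paths


def _match(segment, side):
    """nftables match expression for one side of a rule."""
    if segment == "ANY":
        return ""
    if segment == "INTERNET":  # assumed WAN interface name
        return 'oifname "wan0"' if side == "daddr" else 'iifname "wan0"'
    return f"ip {side} {SEGMENTS[segment]}"


def render_nft(rules):
    """Render the policy as an nftables forward chain on the inter-VLAN
    firewall: default drop, stateful return traffic, then the rules in
    order. Generated from the constructed rule list; review before use."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, action in rules:
        parts = [m for m in (_match(src, "saddr"), _match(dst, "daddr")) if m]
        lines.append("    " + " ".join(parts + [action.lower()]))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = paths_to_internet(policy, "LEGACY_VLAN")
        print(f"{name}: {'ISOLATED' if not found else 'EXPOSED via ' + str(found)}")
    print(render_nft(HARDENED_POLICY))
```

Running it reports the weak policy as exposed through `USER_LAN` and the hardened policy as isolated, and prints the nftables chain that would enforce the hardened policy; the rendered ruleset, together with the exported configuration of the firewall or switch that actually carries it, is the kind of evidence the assessor asks for instead of a description of intent.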