Willow A6.1

Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?

Section A6: Security Update Management  ·  Cyber Essentials Willow

Changed in Danzell to explicitly include cloud-hosted OS instances — virtual machines and containers running unsupported OS versions are now in scope for this requirement.

What this question is really asking

Confirm that all operating systems on all in-scope devices are supported by their vendor and still receiving security updates. Unsupported operating systems are an automatic fail under Cyber Essentials. Check every device listed in section A2 against its vendor's published end-of-life schedule — Windows, macOS, iOS, Android, and server OS versions all have defined support lifecycles.

What satisfies this requirement

Yes or No

This requirement includes firmware on firewalls and routers. Windows 10 beyond 14 October 2025 requires a Microsoft Extended Security Update subscription.


What to prepare before your assessor visit

This question catches organisations most off-guard at renewals. An OS that was in support last year may have reached end-of-life since. Create a calendar reminder for every device OS version's published end-of-life date and plan upgrades well in advance. A single device running an unsupported OS version is an automatic fail — and assessors will look at every device category you listed in A2, so a forgotten old server or thin client can end an otherwise clean assessment.
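One way to run the check described above is to compare the A2 device list against a table of end-of-life dates. This is an added example, not part of the original page or of any Cyber Essentials tooling. The inventory, the product names other than Windows 10, and all dates other than 14 October 2025 are constructed placeholders, and treating a device with no lifecycle entry as blocking a "Yes" is an assumption of this sketch.

```python
from datetime import date, timedelta

# Constructed lifecycle table. Only the Windows 10 date is from the page; the
# other products and dates are placeholders for the vendors' published schedules.
EOL = {
    ("Windows", "10"): date(2025, 10, 14),
    ("ExampleOS", "4"): date(2024, 6, 30),
    ("ExampleOS", "5"): date(2027, 6, 30),
    ("ExampleFirewall firmware", "9.1"): date(2026, 3, 31),
}

# Constructed inventory standing in for the devices listed in section A2,
# including firewall firmware and a cloud-hosted VM.
INVENTORY = [
    {"name": "laptop-01", "os": "Windows", "version": "10", "esu": False},
    {"name": "laptop-02", "os": "Windows", "version": "10", "esu": True},
    {"name": "srv-old", "os": "ExampleOS", "version": "4"},
    {"name": "vm-cloud", "os": "ExampleOS", "version": "5"},
    {"name": "fw-edge", "os": "ExampleFirewall firmware", "version": "9.1"},
    {"name": "thin-07", "os": "UnlistedOS", "version": "1"},
]

def audit(inventory, eol, today, warn_days=365):
    """Return {device name: status}: FAIL, REVIEW, ESU, WARN or OK as of `today`."""
    results = {}
    for dev in inventory:
        end = eol.get((dev["os"], dev["version"]))
        if end is None:
            status = "REVIEW"  # no lifecycle entry, so support cannot be shown
        elif today > end:
            # Windows 10 past its date stays supported only with an ESU subscription
            on_esu = (dev["os"], dev["version"]) == ("Windows", "10") and dev.get("esu")
            status = "ESU" if on_esu else "FAIL"
        elif end - today <= timedelta(days=warn_days):
            status = "WARN"  # reaches end-of-life within the warning window
        else:
            status = "OK"
        results[dev["name"]] = status
    return results

def a6_1_answer(results):
    """'Yes' only if no device is unsupported or of unknown support status."""
    return "No" if {"FAIL", "REVIEW"} & set(results.values()) else "Yes"

if __name__ == "__main__":
    report = audit(INVENTORY, EOL, today=date(2025, 11, 1))
    for name, status in report.items():
        print(f"{name:10} {status}")
    print("A6.1:", a6_1_answer(report))
```

The WARN status corresponds to the calendar reminder: with the default 365-day window it flags any OS that will reach end-of-life before the next annual renewal.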

How this question sits across CE versions

Willow (this version): Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?
Montpellier (evolved): Are all operating systems on your devices supported by a vendor that produces regular security updates?
Danzell (changed): Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?
