Are any of the in-scope software or cloud services unlicensed or unsupported?
Section A6: Security Update Management · Cyber Essentials Willow
What this question is really asking
Confirm whether any in-scope software or cloud services are unlicensed or unsupported. The correct answer should be no — using unlicensed software is both a compliance and legal risk. If yes is unavoidable (legacy line-of-business software), this must be addressed in A6.7 with documented isolation measures.
What satisfies this requirement
Yes or NoAll software must be licensed. Free/open source acceptable if licensing requirements met.
What to prepare before your assessor visit
Assessors know that most organisations have at least one piece of legacy software on a machine somewhere. Answering no when there is actually an unlicensed or unsupported application in use will be exposed when A6.2 answers are cross-checked against support status. Be honest here and address any gaps in A6.7 — that is exactly what A6.7 is designed for. Transparency is far better than a finding.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.