Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release?
Section A6: Security Update Management · Cyber Essentials Willow
What this question is really asking
If auto-updates are not in use, describe your manual patching process — who is responsible, how often it runs, and how you verify completion. Assessors look for a documented, regularly executed process with evidence: WSUS reports, patch management dashboard exports, or equivalent. An ad-hoc process without a defined schedule is not acceptable.
What satisfies this requirement
A written response is required. Describe the manual update process. If only auto updates are used, confirm in notes.
What to prepare before your assessor visit
If you are not using automatic updates, you need documentary evidence that your manual process runs within the 14-day window for critical updates. Assessors will ask for patch history reports. 'We manually check Windows Update on each PC' is not an acceptable process for anything above a very small organisation. The process must be documented, scheduled, and evidenced — not just described.
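One way to turn a patch history export into the evidence described above is to check each critical or high-risk update against the 14-day deadline automatically. The script below is an added example, not part of this page or of the Cyber Essentials scheme; the CSV column layout and the device and update identifiers in it are constructed for illustration, so adapt the column names to whatever your WSUS, vendor or patch-management tool actually exports.

```python
import csv
import io
from datetime import date, timedelta

WINDOW_DAYS = 14  # Cyber Essentials deadline for critical/high-risk updates

# Constructed sample export (assumed column layout, not a real vendor report).
# An empty "installed" field means the update has not yet been applied.
SAMPLE_REPORT = """\
device,update_id,severity,released,installed
fw-edge-01,FW-EXAMPLE-001,critical,2024-03-01,2024-03-10
fw-edge-01,FW-EXAMPLE-002,high,2024-03-20,2024-04-08
rtr-core-01,RTR-EXAMPLE-007,critical,2024-04-02,
rtr-core-01,RTR-EXAMPLE-008,low,2024-04-02,
"""


def check_patch_window(report_text, today_iso, window_days=WINDOW_DAYS):
    """Classify every critical/high update in the export.

    Returns a list of (device, update_id, status) where status is one of:
      ok       - installed within the window
      late     - installed, but after the deadline (a historical miss)
      overdue  - not installed and the deadline has passed
      pending  - not installed, deadline still in the future
    Low/medium severity rows are ignored; they fall outside the 14-day rule.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["severity"].strip().lower() not in ("critical", "high"):
            continue
        released = date.fromisoformat(row["released"].strip())
        deadline = released + timedelta(days=window_days)
        installed_raw = (row["installed"] or "").strip()
        if installed_raw:
            installed = date.fromisoformat(installed_raw)
            status = "ok" if installed <= deadline else "late"
        else:
            status = "overdue" if today > deadline else "pending"
        findings.append((row["device"].strip(), row["update_id"].strip(), status))
    return findings


def non_compliant(report_text, today_iso, window_days=WINDOW_DAYS):
    """Only the rows an assessor would query: late or overdue updates."""
    return [f for f in check_patch_window(report_text, today_iso, window_days)
            if f[2] in ("late", "overdue")]


if __name__ == "__main__":
    for device, update_id, status in check_patch_window(SAMPLE_REPORT, "2024-04-20"):
        print(f"{device:12} {update_id:18} {status}")
```

Run it against each scheduled export and keep the output with the report; a clean run is the "evidence of completion" the question asks for, and any late or overdue line is the gap to explain.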
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.