Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?
Section A6: Security Update Management · Cyber Essentials Willow
What this question is really asking
This is an auto-fail question. All high-risk or critical security updates and vulnerability fixes for operating systems, and for router and firewall firmware, must be installed within 14 days of release; there is no extension beyond that window for in-scope devices. It is one of the most frequently failed requirements. Before your assessment, verify your patching process against a system-generated record (Windows Update history, WSUS reports, or your MDM patching dashboard) rather than against what you believe the process does, and confirm that router and firewall firmware is on a release that includes every applicable high-risk or critical fix. A single in-scope device still carrying a critical or high-risk operating system update that was released more than 14 days ago will fail your certification.
What satisfies this requirement
Answer type: Yes or No. Mandatory within 14 days of release. In scope: updates fixing vulnerabilities the vendor describes as 'critical' or 'high-risk'; updates fixing vulnerabilities with a CVSSv3 base score of 7.0 or above; and updates for which the vendor states no severity level. Feature and optional updates are excluded from the 14-day requirement.
What to prepare before your assessor visit
This auto-fail question has ended more assessments than almost any other. Before you submit, run a Windows Update compliance report, pull a WSUS patch history, or generate an MDM patch compliance dashboard. If any device shows an in-scope operating system update that was released more than 14 days before the assessment date and is still not installed, patch it before submitting. Do not assume compliance; verify it from a system-generated report, not from memory.
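The reports named above tell you what is installed; the quickest way to see what is still outstanding on a single Windows device, and how long it has been outstanding, is to ask the Windows Update Agent directly. The script below is an added example written for this page, not Cyber Essentials guidance or a tool the page references. It lists every update the device still needs from its configured source (Windows Update, Microsoft Update or WSUS), decides whether each one falls inside the 14-day rule using the scope in the section above, and flags anything in scope that was published more than 14 days ago. Two mappings are assumptions rather than anything the page states: Microsoft's MsrcSeverity values Critical and Important are treated as the page's 'critical or high-risk', and an empty MsrcSeverity is treated as 'no stated severity'. LastDeploymentChangeTime is used as the release date because it is the closest field the API exposes.

```powershell
# Added example for this page (not from the Cyber Essentials guidance): report updates still
# missing on this Windows device and flag in-scope ones published more than 14 days ago.
# Uses the Windows Update Agent COM API, so results reflect the update source the device is
# configured for (Windows Update, Microsoft Update or WSUS).
# Assumptions (not stated on the page): MsrcSeverity 'Critical'/'Important' = 'critical or
# high-risk'; empty MsrcSeverity = 'no stated severity'; LastDeploymentChangeTime = release date.

param(
    [int]$GraceDays = 14,
    [switch]$IncludeDrivers   # A6 is about OS and firmware updates; driver updates are off by default
)

$severityInScope = @('Critical', 'Important', '')   # '' = vendor stated no severity
$cutoff = (Get-Date).AddDays(-$GraceDays)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# IsInstalled=0 returns everything still outstanding; IsHidden=0 drops updates an admin has hidden
$criteria = "IsInstalled=0 and IsHidden=0"
if (-not $IncludeDrivers) { $criteria += " and Type='Software'" }

Write-Host "Searching for missing updates ($criteria)..."
$result = $searcher.Search($criteria)

$rows = foreach ($u in $result.Updates) {
    $categories = @($u.Categories | ForEach-Object { $_.Name })
    # Feature and optional updates are outside the 14-day rule: BrowseOnly marks optional updates,
    # and the 'Upgrades' / 'Feature Packs' categories mark feature releases
    $isFeature = $u.BrowseOnly -or ($categories -contains 'Upgrades') -or ($categories -contains 'Feature Packs')
    $severity  = [string]$u.MsrcSeverity
    $inScope   = (-not $isFeature) -and ($severityInScope -contains $severity)
    $released  = $u.LastDeploymentChangeTime
    [pscustomobject]@{
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Title    = $u.Title
        Severity = $(if ($severity) { $severity } else { '(none stated)' })
        Released = $released.ToString('yyyy-MM-dd')
        DaysOut  = [int]((Get-Date) - $released).TotalDays
        InScope  = $inScope
        Overdue  = $inScope -and ($released -lt $cutoff)   # the condition that fails A6
    }
}

$rows | Sort-Object Overdue, DaysOut -Descending | Format-Table -AutoSize

$overdue = @($rows | Where-Object Overdue)
if ($overdue.Count -gt 0) {
    Write-Warning "$($overdue.Count) in-scope update(s) released more than $GraceDays days ago are still missing on $env:COMPUTERNAME. Patch before submitting."
    exit 1
}
Write-Host "No in-scope updates older than $GraceDays days are outstanding on $env:COMPUTERNAME."
exit 0
```

Run it in an elevated PowerShell session on each device, or push it through your remoting or MDM tooling and collect the exit code: a non-zero exit means the device would fail this question today. On WSUS-managed clients the search only returns updates your WSUS server has approved, so an unapproved critical update is invisible here; that is exactly the gap a WSUS approval report is needed to close. Router and firewall firmware is not covered by this check and still has to be verified against the vendor's release information.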