Willow A6.5.1

Are all updates applied on your applications by enabling auto updates?

Section A6: Security Update Management  ·  Cyber Essentials Willow

What this question is really asking

Confirm whether automatic updates are enabled for applications. For managed devices, this should be enforced centrally — browser updates via Chrome Enterprise Policy or Group Policy, Office updates via Microsoft Update, and so on. Per-device user configuration is not a reliable control for a formal assessment.

What satisfies this requirement

Yes or No

Auto updates should be enabled where possible.


What to prepare before your assessor visit

Verify that auto-updates are enabled at the application level, not just assumed. Microsoft Office has its own update channel settings entirely separate from Windows Update. Confirm the update channel is set to 'Current Channel' or equivalent and that no deferral policy is creating a delay beyond 14 days for critical updates. Show the actual configuration, not just the intent.
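One way to capture that configuration as evidence on a Windows device, as an added example that is not part of the original page. It assumes Microsoft 365 Apps installed via Click-to-Run and reads the registry locations and value names that install type normally uses; it is read-only, and the whole policy key is dumped so any deferral setting can be reviewed by eye.

```powershell
# Added example: read-only evidence collection for Office (Click-to-Run) update settings.
# Assumption: standard Click-to-Run registry locations; adjust for other install types.
$c2rKey    = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate'

function Get-KeyValues {
    param([string]$Path)
    # Returns $null when the key is absent, otherwise every value under it.
    if (-not (Test-Path $Path)) { return $null }
    $out  = [ordered]@{}
    $item = Get-ItemProperty -Path $Path
    if ($null -ne $item) {
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds.
            if ($p.Name -notlike 'PS*') { $out[$p.Name] = $p.Value }
        }
    }
    $out
}

$c2r      = Get-KeyValues $c2rKey
$policy   = Get-KeyValues $policyKey
$findings = @()

if ($null -eq $c2r) {
    $findings += 'Click-to-Run configuration key not found: Office may be MSI-based or not installed.'
} elseif ("$($c2r['UpdatesEnabled'])" -ne 'True') {
    $findings += "UpdatesEnabled is '$($c2r['UpdatesEnabled'])': Office automatic updates are not on."
}

if ($null -ne $policy) {
    # A policy value of 0 overrides the local setting and switches updates off.
    if ($policy.Contains('enableautomaticupdates') -and $policy['enableautomaticupdates'] -eq 0) {
        $findings += 'Policy enableautomaticupdates = 0: automatic updates disabled centrally.'
    }
    if ($policy.Contains('updatebranch') -and $policy['updatebranch'] -ne 'Current') {
        $findings += "Policy updatebranch = '$($policy['updatebranch'])': confirm this channel meets the 14-day window."
    }
}

# Emit one JSON record per device: raw values for the assessor plus the flagged items.
[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Collected  = (Get-Date).ToString('s')
    ClickToRun = $c2r
    Policy     = $policy
    Findings   = $findings
} | ConvertTo-Json -Depth 3
```

An empty Findings list with UpdatesEnabled shown as True is the output to keep; any other result needs an explanation before the assessment.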

How this question sits across CE versions

Willow (this page): Are all updates applied on your applications by enabling auto updates?
Montpellier: Are all updates applied on your applications by enabling auto updates?
Danzell: Are all updates applied on your applications by enabling auto updates?
