Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes for security problems?
Section A6: Security Update Management · Cyber Essentials Willow
What this question is really asking
Confirm that software which is no longer receiving security patches and is no longer required by the business has been removed from in-scope devices. Assessors look for an active housekeeping process — be prepared to describe how you identify end-of-life software and what your removal procedure looks like.
What satisfies this requirement
Yes or NoMust remove software when no longer supported by manufacturer.
What to prepare before your assessor visit
Assessors want to see a proactive housekeeping process, not just reactive removal when something obviously breaks. A software inventory with end-of-life dates and a scheduled quarterly review against it is the expected standard. 'We check occasionally' is not a process. The question is whether you have a defined, repeatable procedure — and whether you can show evidence it runs.
How this question sits across CE versions
Related policy templates
Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
Does your organisation meet this requirement?
Answer 30 plain-English questions and find out exactly where you stand across all 5 Cyber Essentials control areas — with a prioritised list of what to fix first.