A6 CE Willow

Security Update Management

Keeping software up to date. Willow adds CVSSv3 scoring as an explicit threshold trigger, extends scope to 'vulnerability fixes', and adds A6.3.1 to list unlicensed/unsupported software.

16 questions
1 new in Willow
A6.1
Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?
yes/no
A6.2
Is all the software on your devices supported by a supplier that produces regular vulnerability fixes for any security problems?
yes/no
A6.2.1
Please list your internet browser(s).
list
A6.2.2
Please list your malware protection software.
list
A6.2.3
Please list your email applications installed on end user devices and servers.
list
A6.2.4
Please list all office applications that are used to create organisational data.
list
A6.3
Are any of the in-scope software or cloud services unlicensed or unsupported?
yes/no
A6.3.1
If yes to A6.3, please list the unsupported or unlicensed software or cloud services.
list (New)
A6.4
Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?
yes/no
A6.4.1
Are all updates applied for operating systems by enabling auto updates?
yes/no
A6.4.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release?
text
A6.5
Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?
yes/no
A6.5.1
Are all updates applied on your applications by enabling auto updates?
yes/no
A6.5.2
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?
text
A6.6
Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes for security problems?
yes/no
A6.7
Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment?
yes/no/describe