Cyber Essentials · 1 July 2026
Cyber Essentials patch management explained
Security update management — often called patch management — is the fifth Cyber Essentials control, and it is one of the most important. Attackers routinely scan the internet for systems running software with known, unpatched flaws. Keeping your software supported and up to date closes those gaps. This guide explains what the control requires and how to meet it without it becoming a chore. For the wider context, see our overview of the five controls.
What the control requires
To meet security update management, you need to show that the software across your scope is both supported and kept current. The core expectations are:
- All software is supported by its vendor and still receiving security updates. Unsupported operating systems and applications must be removed, replaced or taken out of scope.
- Security updates are applied promptly. The accepted benchmark is that updates fixing critical or high-risk vulnerabilities are installed within 14 days of release.
- Automatic updates are enabled where available, to make prompt patching the default rather than a manual task.
- The whole estate is covered, including operating systems, applications, mobile devices, and network equipment such as routers and firewalls.
The 14-day rule in practice
The 14-day window applies to updates the vendor marks as critical or high risk — the ones attackers are most likely to exploit. It is a maximum, not a target: sooner is better. Where a vendor does not label severity, treat security updates as high priority and apply them quickly.
Automatic updates handle most of this on modern operating systems, but they are not foolproof. Devices that are rarely switched on, updates deferred by users, and applications that update separately from the operating system all create gaps that a quick manual check will catch.
Don’t forget these areas
Patch management fails most often in the places that are easy to overlook:
| Area | What to check |
|---|---|
| Mobile devices | App and operating-system updates on work phones and tablets |
| Third-party applications | Browsers, PDF readers and other apps that update on their own schedule |
| Firmware | Routers, firewalls and network devices with their own updates |
| Servers | Update schedules that may be delayed for stability |
| Remote devices | Home-worker laptops that connect infrequently |
Handling unsupported software
Software reaches end of life when the vendor stops issuing security updates. From that point it can no longer be patched, so it fails the control regardless of anything else. Ahead of applying — and well before renewal, since certification lasts 12 months — check the support lifecycle of every operating system and application in scope. Where something is out of support, your options are to upgrade to a supported version, replace it, or remove it from scope behind a clean technical boundary.
Building a simple patch routine
You do not need complex tooling to stay compliant. A workable routine looks like this:
- Enable automatic updates on operating systems, browsers and key applications.
- Keep an inventory of devices and software so nothing is forgotten.
- Check monthly that updates are actually installing, especially on mobile and infrequently used devices.
- Track vendor support dates so you replace software before it goes end of life.
- Record what you do, giving you evidence for your self-assessment.
Slow or missing updates are one of the common reasons Cyber Essentials applications fail, so a light but consistent routine is well worth it.
Why prompt patching matters so much
It is worth understanding why the scheme places such weight on this control. When a vendor releases a security update, the details of the flaw it fixes often become public at the same time. Attackers move quickly to build tools that exploit the flaw and then scan the internet for systems that have not yet patched. The window between an update being released and being widely exploited can be very short — which is why the 14-day benchmark exists for critical and high-risk fixes. Prompt patching is not box-ticking; it directly removes the openings attackers are actively hunting for.
Balancing stability and speed
Some organisations delay updates for fear of disruption, particularly on servers or specialist systems. That caution is understandable, but it should not become an excuse for leaving critical vulnerabilities open. A sensible approach is to apply routine updates automatically, test where a system is genuinely business-critical, and still meet the 14-day window for high-risk fixes. If a supplier’s software cannot be patched in time, that is a conversation to have with the supplier, because unpatched or unsupported software will hold back your certification.
How it fits with the other controls
Patch management works best on top of good secure configuration: a hardened, supported, up-to-date device is far harder to compromise. If you progress to Cyber Essentials Plus, the independent technical audit includes vulnerability scans that will flag missing patches directly, so keeping current is essential before that assessment. The same discipline underpins broader frameworks such as IASME Cyber Assurance and ISO 27001. Any unfamiliar terms are defined in our glossary.
How we can help
We support organisations through Cyber Essentials with a clear, transparent delivery process, including practical help checking that your software is supported, updates are applied within the expected window, and no devices slip through the net. If you would like support meeting the security update management control, see our Cyber Essentials service or get in touch.
Need help in practice? See our Cyber Essentials service.