Lesson 7.2 — Approved and permitted software

This lesson explains what it means to control which software is permitted to run on in-scope devices — why this matters for Cyber Essentials, how approved software lists work in practice, and what the organisation needs to know about its software estate before completing the control sections.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • describe what an approved software list is
  • explain why controlling permitted software is relevant to Cyber Essentials
  • build a software inventory that supports the secure configuration, malware protection and security update management answers.

Why This Matters

The Core Rule

Knowing what software is installed on your devices is a prerequisite for three Cyber Essentials controls: removing unnecessary software (secure configuration), protecting against malware through allow-listing (malware protection), and keeping software up to date (security update management).

A software inventory captures all operating systems, applications, browsers and firmware across in-scope devices. The key outputs are: identifying unnecessary software to remove, identifying unsupported software to replace or remove, and confirming that all remaining software is covered by an update process.

Why software control matters for Cyber Essentials

Software installed on a device is a potential attack surface. Every application is code that can contain vulnerabilities. Every unnecessary application that is running is a vulnerability that did not need to exist.

Cyber Essentials addresses this from two directions:

What a software inventory should include

For Cyber Essentials purposes, a software inventory should capture:

  • all operating systems installed on in-scope devices;
  • all business applications installed on in-scope devices;
  • all browsers installed on in-scope devices;
  • relevant plugins and extensions in use in browsers;
  • firmware versions on network devices and other hardware;
  • any other software that receives security updates — including antivirus/anti-malware tools, PDF readers, office suites, communication tools and remote access tools.

Supported vs unsupported software

One of the most important outputs of a software inventory is identifying any software that is no longer supported.

Software that is no longer supported by the vendor no longer receives security updates. Known vulnerabilities in that software will never be fixed. Leaving unsupported software running on in-scope devices creates a permanent gap in the security update management control.
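The inventory review described above produces three outputs: software to remove because it is not on the approved list, software to replace or remove because the vendor no longer supports it, and approved software that nobody has assigned an update process to. The script below is an added example, not part of this lesson or the Cyber Essentials scheme; the device names, product names, versions, end-of-support dates and the approved list are all constructed placeholders, and the reconciliation rule (a product is "unsupported" once its recorded end-of-support date has passed, and "not approved" if its name is absent from the list) is an assumption about how an organisation might choose to record these facts.

```python
"""Reconcile a software inventory against an approved software list and vendor
end-of-support dates, giving the three outputs a Cyber Essentials inventory
review should produce. Added example with constructed data; nothing here is
taken from a real organisation or vendor."""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SoftwareItem:
    device: str    # hostname or asset tag of the in-scope device
    name: str      # product name as reported by the device
    version: str
    category: str  # os / application / browser / extension / firmware / security


# Constructed approved software list (placeholder, not a real list):
# product name -> the update process that keeps it patched, or None if no
# process has been recorded yet for that product.
APPROVED_SOFTWARE = {
    "AcmeOS": "vendor automatic updates",
    "WidgetSuite": "vendor automatic updates",
    "ExampleBrowser": "vendor automatic updates",
    "AdBlockPlugin": "browser extension auto-update",
    "RouterFW": "IT checks vendor site monthly",
    "ShieldAV": "vendor automatic updates",
    "LedgerPro": None,  # approved, but nobody owns its updates yet
}

# Constructed vendor end-of-support dates: (name, version) -> date support ended.
END_OF_SUPPORT = {
    ("AcmeOS", "10"): date(2023, 6, 30),
    ("LedgerPro", "4.2"): date(2022, 1, 1),
}

# Constructed inventory gathered from three in-scope devices.
INVENTORY = [
    SoftwareItem("LAPTOP-01", "AcmeOS", "12", "os"),
    SoftwareItem("LAPTOP-01", "WidgetSuite", "2024.1", "application"),
    SoftwareItem("LAPTOP-01", "ExampleBrowser", "118", "browser"),
    SoftwareItem("LAPTOP-01", "AdBlockPlugin", "1.5", "extension"),
    SoftwareItem("LAPTOP-01", "ShieldAV", "7.0", "security"),
    SoftwareItem("LAPTOP-01", "FreeGameLauncher", "3.3", "application"),  # not approved
    SoftwareItem("LAPTOP-02", "AcmeOS", "10", "os"),                      # vendor support ended
    SoftwareItem("LAPTOP-02", "LedgerPro", "4.2", "application"),         # unsupported, no update owner
    SoftwareItem("LAPTOP-02", "ShieldAV", "7.0", "security"),
    SoftwareItem("EDGE-ROUTER", "RouterFW", "3.1.4", "firmware"),
]


def reconcile(inventory, approved, end_of_support, today):
    """Return the three review outputs as sorted lists of (device, name, version).

    A product missing from the approved list goes straight to the removal
    list; approved products are then checked for vendor support and for a
    recorded update process, so one item can appear in both of those lists.
    """
    remove, unsupported, no_update = [], [], []
    for item in inventory:
        key = (item.device, item.name, item.version)
        if item.name not in approved:
            remove.append(key)
            continue  # removal supersedes the support and update checks
        eos = end_of_support.get((item.name, item.version))
        if eos is not None and eos <= today:
            unsupported.append(key)
        if approved[item.name] is None:
            no_update.append(key)
    return {
        "remove": sorted(remove),
        "unsupported": sorted(unsupported),
        "no_update_process": sorted(no_update),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY, APPROVED_SOFTWARE, END_OF_SUPPORT, date(2024, 1, 1))
    for heading, items in report.items():
        print(f"{heading}:")
        for device, name, version in items:
            print(f"  {device}: {name} {version}")
```

Run it and the two unsupported products on LAPTOP-02 and the unapproved launcher on LAPTOP-01 are listed; LedgerPro appears twice, once as unsupported and once as lacking an update owner, which is exactly the case the lesson describes: a business application that is approved in name but has fallen outside any update process.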

Copy This

Work through the workbook activity for this lesson. Each question maps directly to the CE questionnaire.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] Why does Cyber Essentials require organisations to remove unnecessary software from devices?
  • [ ] What happens to software that is no longer supported by its vendor?
  • [ ] What is application allow-listing?
  • [ ] Which of the following is a common source of unnecessary software on work devices?
  • [ ] What should an organisation do if it discovers a business-critical application that is no longer supported by its vendor?

Your Action

Do this now — it takes 10–20 minutes.

Define your approved software list. What software is officially permitted on company devices? Document it and record where the list is kept.

Key Takeaway

The key outputs are: identifying unnecessary software to remove, identifying unsupported software to replace or remove, and confirming that all remaining software is covered by an update process.

Your Workbook Activity

Complete: Software inventory and approved software record

Next Lesson

In the next lesson: Mobile devices, app stores and untrusted software