Lesson 9.1 — Security update management: supported software, vulnerabilities and the 14-day rule

This lesson introduces the Cyber Essentials Security Update Management control.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • explain the purpose of security update management
  • identify in-scope software
  • distinguish supported and unsupported software
  • understand the Cyber Essentials 14-day update rule
  • identify updates that must be applied within 14 days
  • begin building an update management evidence record.

Why This Matters

This lesson explains why security updates matter, what counts as software, what it means for software to be licensed and supported, how unsupported software should be handled, when the 14-day rule applies, and how organisations can start building a practical update management process across devices, applications, firmware, cloud services and supplier-managed systems.

The most common problems are:

  • thinking patching only means operating system updates;
  • forgetting applications and plugins;
  • forgetting firmware;
  • forgetting firewalls, routers and VPN devices.

The Core Rule

Security Update Management is about keeping software up to date so known vulnerabilities are fixed quickly.

All in-scope software should be licensed and supported.

What the CE Assessor Looks For

A strong position shows:

  • software and devices in scope are identified;
  • operating systems, applications and firmware are included;
  • software is licensed and supported;
  • unsupported software is removed, upgraded or isolated from the internet using a defined sub-set;
  • automatic updates are enabled where possible;
  • update responsibilities are clear.

Common Mistakes

  • thinking patching only means operating system updates;
  • forgetting applications and plugins;
  • forgetting firmware;
  • forgetting firewalls, routers and VPN devices;
  • forgetting mobile devices;
  • forgetting servers.

Copy This

Keep this rule visible:

Know what software you have, make sure it is supported, and apply high-risk security fixes within 14 days of release.

Quick Checklist

Before moving on, make sure you can answer each of these:

  • [ ] What is the main purpose of Security Update Management?
  • [ ] What does Cyber Essentials expect for all in-scope software?
  • [ ] What should happen to unsupported software?
  • [ ] When does the 14-day rule apply?
  • [ ] When does the 14-day clock start?

Your Action

Do this now — it takes 10–20 minutes.

Check when updates were last applied across your main device types. Is everything within 14 days? Record your findings in Section SU.
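The check above is easy to get wrong in two ways: counting the 14 days from when you noticed the update rather than from the vendor's release date, and leaving whole device categories (firmware, servers) out of the inventory so they never get checked at all. The script below is an added example, not part of this course or of the Cyber Essentials materials. It assesses a constructed inventory against the 14-day rule, treats unsupported software as a failure regardless of patch state, and reports which expected categories have no asset recorded. The asset names, dates and category labels are all made up, and the deadline arithmetic (release date plus 14 days, inclusive) is this example's own assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials 14-day rule: a high-risk security update must be applied
# within 14 days of the vendor RELEASING it. The clock starts at release,
# not when the organisation first notices the update.
PATCH_WINDOW = timedelta(days=14)

# Categories the lesson says are commonly forgotten. An inventory with none of
# a category is a gap worth recording. (Category labels are hypothetical.)
EXPECTED_CATEGORIES = {"os", "application", "firmware", "network", "mobile", "server", "cloud"}


@dataclass
class Asset:
    name: str                        # constructed identifier, not a real host
    category: str                    # one of EXPECTED_CATEGORIES
    supported: bool                  # vendor still issues security updates
    update_released: Optional[date]  # release date of latest high-risk fix, None if nothing pending
    update_applied: Optional[date]   # date the fix was applied, None if not yet applied


def patch_deadline(released: date) -> date:
    """Last day on which the update can be applied and still meet the rule (assumed inclusive)."""
    return released + PATCH_WINDOW


def assess(asset: Asset, today: date) -> dict:
    """One row of the evidence record for a single asset."""
    row = {"asset": asset.name, "category": asset.category}
    if not asset.supported:
        # Unsupported software fails regardless of patch state: it must be
        # removed, upgraded or isolated from the internet in a defined sub-set.
        row.update(status="UNSUPPORTED", action="remove, upgrade or isolate")
        return row
    if asset.update_released is None:
        row.update(status="NO_PENDING_UPDATE", action="none")
        return row
    deadline = patch_deadline(asset.update_released)
    row["deadline"] = deadline.isoformat()
    if asset.update_applied is not None:
        on_time = asset.update_applied <= deadline
        row.update(status="COMPLIANT" if on_time else "LATE",
                   action="none" if on_time else "record root cause of delay")
    elif today > deadline:
        row.update(status="OVERDUE", action=f"apply now ({(today - deadline).days} days past deadline)")
    else:
        row.update(status="DUE", action=f"apply within {(deadline - today).days} days")
    return row


def evidence_record(assets, today: date) -> list:
    """Rows for every asset, in inventory order."""
    return [assess(a, today) for a in assets]


def noncompliant(assets, today: date) -> list:
    """Names of assets that would fail the control if assessed today."""
    failing = {"UNSUPPORTED", "LATE", "OVERDUE"}
    return [r["asset"] for r in evidence_record(assets, today) if r["status"] in failing]


def missing_categories(assets) -> set:
    """Expected device/software categories with no asset recorded at all."""
    return EXPECTED_CATEGORIES - {a.category for a in assets}


# Constructed sample inventory for a small organisation (all values made up).
TODAY = date(2024, 3, 30)
SAMPLE_INVENTORY = [
    Asset("laptop-01", "os", True, date(2024, 3, 12), date(2024, 3, 20)),           # applied on day 8
    Asset("office-suite", "application", True, date(2024, 3, 1), date(2024, 3, 28)),  # applied on day 27
    Asset("edge-firewall", "network", True, date(2024, 3, 5), None),                 # fix never applied
    Asset("legacy-cad-app", "application", False, None, None),                      # vendor support ended
    Asset("accounts-phone", "mobile", True, date(2024, 3, 25), None),                # still inside the window
    Asset("cloud-crm", "cloud", True, None, None),                                   # supplier-managed, nothing pending
]

if __name__ == "__main__":
    for row in evidence_record(SAMPLE_INVENTORY, TODAY):
        print(row)
    print("Non-compliant:", noncompliant(SAMPLE_INVENTORY, TODAY))
    print("Categories with no asset recorded:", sorted(missing_categories(SAMPLE_INVENTORY)))
```

Run as-is to see the record for the sample inventory; replace SAMPLE_INVENTORY with your own assets and today's date to produce the rows for Section SU. Note that "LATE" is still reported as non-compliant even though the update is now applied, because the assessor is looking at whether the 14-day window was met, not only at the current state. The two categories the sample inventory lacks, firmware and servers, are exactly the ones the Common Mistakes list warns about.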

Key Takeaway

Know what software you have, make sure it is supported, and apply high-risk security fixes within 14 days of release.

Your Workbook Activity

Complete: Security update management scope and 14-day rule review record

Next Lesson

In the next lesson: Software inventory and update ownership: operating systems, applications, firmware and cloud services