Cyber Essentials
DashboardSign Out

Lesson 9.2 — Software inventory and update ownership: operating systems, applications, firmware and cloud services

This lesson helps the learner turn the Cyber Essentials security update requirements into a practical inventory and ownership process.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • build a practical software update inventory
  • identify update owners
  • distinguish internally managed
  • supplier-managed and vendor-managed updates
  • map update sources
  • record update responsibilities

Why This Matters

It explains how to identify software across operating systems, applications, firmware, mobile devices, browser extensions, cloud services and supplier-managed systems, then assign clear update ownership so required fixes are not missed.

The most common problems are:

  • treating the asset list as a software update inventory;
  • forgetting applications after operating systems are patched;
  • forgetting firmware;
  • forgetting browser extensions;

The Core Rule

Security Update Management depends on knowing what software exists and who is responsible for keeping it updated.

The inventory should cover operating systems, applications, firmware, mobile apps, browsers, plugins, servers, cloud workloads, SaaS components and supplier-managed systems.

What the CE Assessor Looks For

A strong position shows:

  • in-scope software categories are identified;
  • operating systems, applications, firmware and cloud components are included;
  • software owners are named;
  • update owners are named;
  • supplier responsibilities are clear;
  • automatic, managed and manual update methods are recorded;

Common Mistakes

  • treating the asset list as a software update inventory;
  • forgetting applications after operating systems are patched;
  • forgetting firmware;
  • forgetting browser extensions;
  • forgetting website plugins;
  • forgetting mobile apps;

Copy This

Keep this rule visible:

For every important software category, know who owns updates, how updates are applied, how success is checked and where evidence comes from.

Quick Checklist

Before moving on, make sure you can say yes to these:

  • [ ] Why is a software inventory important for Security Update Management?
  • [ ] Why is a device inventory not enough on its own?
  • [ ] Give five software categories that should be considered.
  • [ ] Why do browsers deserve special attention?
  • [ ] Why is firmware included?

Your Action

Do this now — it takes 10–20 minutes.

Build your software version inventory: record the current version of browsers, email apps, office apps, operating systems, and malware protection on each device type. Add to Section SU.

Key Takeaway

For every important software category, know who owns updates, how updates are applied, how success is checked and where evidence comes from.

Your Workbook Activity

Complete: Software inventory and update ownership matrix

Next Lesson

In the next lesson: Applying updates within 14 days: patch workflow, failed updates, emergency fixes and evidence

Up next

Applying updates within 14 days

Operate a repeatable patch workflow that handles exceptions while meeting CE timelines.