Lesson 9.3 — Applying updates within 14 days: patch workflow, failed updates, emergency fixes and evidence
This lesson explains how to operate the Cyber Essentials 14-day update requirement in practice.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- run a practical update workflow
- decide when the 14-day rule applies
- calculate the deadline from vendor release date
- triage high and critical updates
- deploy updates within the required timeframe
- manage failed updates
Why This Matters
This lesson turns the software inventory and ownership matrix into a working patch workflow covering update monitoring, severity triage, testing, deployment, failed updates, emergency fixes, supplier updates, rollback, exceptions and evidence.
The Core Rule
The 14-day rule is not just a policy statement.
It needs a working process.
What the CE Assessor Looks For
A strong position shows:
- update sources are monitored;
- high/critical updates are identified quickly;
- vendor release date is recorded;
- 14-day deadline is calculated correctly;
- ownership is assigned;
- testing is proportionate;
Copy This
Keep this rule visible:
For every high-risk security fix, know the release date, deadline, owner, deployment status, completion evidence and any unresolved exceptions.
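One way to check a patch register against this rule, as an added example that is not part of the original lesson. The record layout, field names and sample rows are hypothetical, and the deadline is assumed to be the vendor release date plus 14 calendar days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: deadline = vendor release date + 14 calendar days; the deadline day itself is on time.
WINDOW = timedelta(days=14)

@dataclass
class Fix:  # hypothetical record layout, one row per high/critical fix
    name: str
    released: Optional[date]          # vendor release date
    owner: str = ""
    status: str = "pending"           # pending | deployed | failed
    completed: Optional[date] = None  # date deployment was verified
    evidence: str = ""                # reference to completion evidence
    exception: str = ""               # unresolved exception, if any

def deadline(fix: Fix) -> Optional[date]:
    return fix.released + WINDOW if fix.released else None

def gaps(fix: Fix, today: date) -> list:
    """List what is missing or late for one register row."""
    out, due = [], deadline(fix)
    if due is None:
        out.append("no vendor release date, deadline cannot be calculated")
    if not fix.owner:
        out.append("no owner assigned")
    if fix.status == "deployed" and not fix.evidence:
        out.append("deployed but no completion evidence")
    if fix.status == "deployed" and due and fix.completed and fix.completed > due:
        out.append(f"completed late, deadline was {due}")
    if fix.status == "failed":
        out.append("failed update not yet redeployed")
    if fix.status != "deployed" and due and today > due:
        out.append(f"overdue since {due}")
    if fix.exception:
        out.append(f"unresolved exception: {fix.exception}")
    return out

def review(register: list, today: date) -> dict:
    return {f.name: g for f in register if (g := gaps(f, today))}

# Constructed sample register (names, dates and owners are made up).
REGISTER = [
    Fix("browser-update", date(2024, 3, 1), "IT lead", "deployed", date(2024, 3, 10), "MDM report 114"),
    Fix("vpn-client-fix", date(2024, 3, 4), "", "failed"),
    Fix("pdf-reader-fix", date(2024, 3, 10), "IT lead", "deployed", date(2024, 3, 12)),
    Fix("firewall-firmware", None, "Supplier", "pending"),
]
```

Calling `review(REGISTER, date(2024, 3, 20))` returns only the rows with gaps, keyed by fix name, so a clean row such as `browser-update` does not appear.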
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] When does the 14-day clock start?
- [ ] What are the three main triggers for the 14-day rule?
- [ ] Why is a monthly patch review sometimes not enough?
- [ ] What are the seven stages of the practical workflow?
- [ ] Why is verification important?
Your Action
Do this now — it takes 10–20 minutes.
Document your patch process: how do updates get applied, who is responsible, and how is it verified? Record the process in Section SU.
Key Takeaway
For every high-risk security fix, know the release date, deadline, owner, deployment status, completion evidence and any unresolved exceptions.
Your Workbook Activity
Complete: 14-day security update workflow and evidence record
Next Lesson
In the next lesson: Unsupported software: end-of-life systems, isolation, removal plans and evidence