Lesson 9.5 — Final security update management review: patch evidence, update failures, unsupported software and common failures

This lesson closes the Security Update Management module by helping the learner complete a final readiness review across software inventory, update ownership, the 14-day rule, unsupported software, failed updates, supplier-managed systems, cloud services, firmware, mobile devices and evidence.

What You'll Be Able to Do

By the end of this lesson, you will be able to:

  • complete a final Security Update Management readiness review
  • confirm that in-scope software is licensed and supported
  • verify that automatic updates are enabled where possible
  • check that required high/critical updates are applied within 14 days of vendor release
  • review unsupported software treatment
  • identify update failures and exceptions

Why This Matters

This final review is designed to help learners decide whether their Security Update Management evidence is ready for Cyber Essentials submission.

The Core Rule

Security Update Management is ready when the organisation can show that in-scope software is known, supported, updated and evidenced.

Unsupported software must be removed, upgraded, replaced or isolated from all internet traffic using a defined sub-set.

Copy This

Keep this rule visible:

Do not submit the Security Update Management section until software scope, support status, 14-day update evidence, unsupported software treatment, suppliers, failures and exceptions have all been checked.

Quick Checklist

Before moving on, make sure you can answer these:

  • [ ] What is the final Security Update Management question?
  • [ ] Why is Windows Update alone not enough?
  • [ ] What must happen to unsupported software?
  • [ ] Where does the 14-day deadline start?
  • [ ] Which updates must be applied within 14 days?

Your Action

Do this now — it takes 10–20 minutes.

Review your security updates evidence. Do you have version numbers recorded, a patch process documented, and unsupported software addressed? Note any gaps.
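One way to run this review over a software inventory is sketched below. It is an added example, not part of the original lesson or workbook; the record fields, gap codes and sample inventory are constructed for illustration.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # 14-day rule, counted from vendor release date

def upd(sev, released, applied=None):
    return {"severity": sev, "released": released, "applied": applied}

# Constructed sample inventory; names, versions and dates are illustrative only.
INVENTORY = [
    {"name": "Office suite", "version": "16.0", "supported": True, "isolated": False,
     "updates": [upd("critical", date(2024, 3, 1), date(2024, 3, 12))]},
    {"name": "PDF reader", "version": "11.2", "supported": True, "isolated": False,
     "updates": [upd("high", date(2024, 3, 1), date(2024, 3, 20))]},
    {"name": "Legacy accounts app", "version": "", "supported": False, "isolated": False,
     "updates": []},
    {"name": "Old lab tool", "version": "3.1", "supported": False, "isolated": True,
     "updates": []},
    {"name": "Router firmware", "version": "2.4.1", "supported": True, "isolated": False,
     "updates": [upd("critical", date(2024, 3, 20)), upd("low", date(2024, 1, 5))]},
]

def review(inventory, today):
    """Return (software name, gap code, detail) for every readiness gap found."""
    gaps = []
    for item in inventory:
        name = item["name"]
        if not item["version"]:
            gaps.append((name, "NO_VERSION", "version number not recorded"))
        if not item["supported"] and not item["isolated"]:
            gaps.append((name, "UNSUPPORTED", "remove, upgrade, replace or isolate"))
        for u in item["updates"]:
            if u["severity"] not in ("high", "critical"):
                continue  # the 14-day rule covers high/critical updates
            deadline = u["released"] + PATCH_WINDOW
            if u["applied"] is None and today > deadline:
                gaps.append((name, "OVERDUE", f"not applied, was due {deadline}"))
            elif u["applied"] is not None and u["applied"] > deadline:
                days = (u["applied"] - u["released"]).days
                gaps.append((name, "LATE", f"applied after {days} days"))
    return gaps

if __name__ == "__main__":
    for name, code, detail in review(INVENTORY, today=date(2024, 4, 10)):
        print(f"{code:<12} {name}: {detail}")
```

An update applied on day 14 exactly counts as on time here, and an unapplied update only becomes a gap once its deadline has passed.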

Key Takeaway

Do not submit the Security Update Management section until software scope, support status, 14-day update evidence, unsupported software treatment, suppliers, failures and exceptions have all been checked.

Your Workbook Activity

Complete: Final Security Update Management readiness review record

Next Lesson

In the next lesson: Final scope review: organisation, devices, services, cloud, suppliers and evidence boundaries