What are the cyber essentials patching requirements?
Cyber Essentials patching requirements are centred on a simple business principle: software that is no longer supported, or software with known serious security weaknesses, gives attackers an avoidable route into your systems. Patching is not just an IT housekeeping task. It falls under security update management, one of the five core Cyber Essentials control areas, alongside firewalls, secure configuration, user access control, and malware protection.
The National Cyber Security Centre describes Cyber Essentials as the UK Government's recommended minimum cyber security standard for organisations, built around five technical controls designed to prevent common internet-based threats. IASME also states that the Cyber Essentials scheme is updated annually so it remains aligned with evolving threats, with the changes taking effect on 26 April 2026 applying to assessment accounts created after that date.
For UK businesses looking for a cost-conscious route to certification, UK Cyber Security Group offers Cyber Essentials certification and says it can help organisations gain certification quickly and easily. Its Cyber Essentials service page also lists patch management as one of the core areas covered by the scheme.
The plain-English answer to Cyber Essentials patching
Cyber Essentials expects organisations to keep in-scope software supported and updated. In practice, this means your operating systems, business applications, firmware, cloud-managed tools, mobile apps, browser software, and security tools should be within vendor support and should receive security updates when they are made available.
The key rule businesses usually need to remember is the 14-day expectation for high risk and critical security updates. IASME’s Cyber Essentials knowledge hub states that all high risk and critical updates must be applied within 14 days. That rule matters because many attacks target known weaknesses after a vendor has already released a fix.
Patching should therefore be treated as a normal business control. Someone should know which assets are in scope, which software is used, which systems need attention, and how quickly serious updates are handled. The aim is not to make life difficult. The aim is to reduce the window of opportunity for attackers.
Why patching is one of the most practical Cyber Essentials controls
Many cyber attacks succeed because a known weakness remains open for too long. A vendor releases a security update, attackers study the weakness, and organisations that delay are exposed. That is why Cyber Essentials puts such a strong focus on security update management.
The UK Government’s Cyber Security Breaches Survey 2025 to 2026 found that 43% of businesses and 28% of charities reported a cyber security breach or attack in the previous 12 months, equating to around 612,000 UK businesses and 57,000 UK charities. The same report found that phishing affected 38% of businesses and remained the most common breach or attack category.
Patching will not stop every phishing email, but it does reduce the chance that one mistake turns into a bigger compromise. If an employee opens a malicious attachment or visits a harmful website, updated systems and applications can reduce the number of weaknesses available to exploit.
What are the key requirements for achieving Cyber Essentials certification?
The key requirements are based on five technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. The NCSC confirms that Cyber Essentials is aligned to these five controls to help prevent common internet-based threats.
From a patching point of view, the most relevant part is security update management. Your business must make sure that in-scope software is supported, receives updates, and is not left exposed to high risk or critical weaknesses beyond the required period.
This includes checking that operating systems are still maintained by the vendor. It also includes checking browsers, email clients, office software, remote access tools, cloud-connected apps, mobile apps, endpoint protection tools, and firmware where relevant to the assessed environment.
A common mistake is thinking patching only applies to laptops and servers. Cyber Essentials looks at the technology used by the organisation within the assessment boundary. If the software is part of the way your business operates, it may need to be considered.
The 14-day rule and what it means for a busy company
The 14-day rule means high risk and critical security updates must be applied within 14 days of release. The business should not wait for a convenient quiet month or an annual review. Serious fixes need timely action.
This does not mean every minor feature update must be rushed through immediately. Cyber Essentials is specifically focused on security updates that address serious risk. The safest business approach is to have a regular review pattern so updates are not missed, and a faster path for critical or high risk fixes.
The April 2026 Cyber Essentials updates are especially important because IASME says assessment accounts created after 26 April 2026 are subject to the updated scheme changes. Businesses preparing for certification should therefore work from the latest requirements rather than relying on old notes, previous answers, or advice passed around from earlier assessments.
Supported software is not optional
Cyber Essentials is clear in spirit: unsupported software creates avoidable risk. If a vendor no longer provides security fixes, your business may be unable to protect that software properly when new weaknesses are found.
This matters for old operating systems, legacy business applications, unsupported mobile devices, ageing firewalls, outdated network tools, and older software that still sits on a machine because nobody has removed it. Even if the software is rarely used, it may still present risk if it is in scope.
A practical approach is to keep a record of key software and check support status regularly. This helps the business avoid surprises during assessment and prevents old systems quietly becoming a liability.
Where patching fits into the wider control set
Patching works best when the other Cyber Essentials controls are also managed well. Firewalls help reduce unwanted access. Secure configuration removes weak settings. User access control limits what people and accounts can do. Malware protection helps reduce harmful activity. Security update management keeps known weaknesses closed.
UK Cyber Security Group’s Cyber Essentials page lists firewall setup, secure configuration, access control, malware protection, and patch management as core areas. It also says Cyber Essentials can reduce cyber attack risk by at least 80%.
That risk reduction depends on the controls being applied properly. Patching is a major part of that, because outdated software can undermine the rest of your security. A strong password is less useful if the device itself has an unpatched critical weakness.
How can I prepare my small business for Cyber Essentials assessment?
Start by making a clear list of the technology your business uses. Include company laptops, desktops, mobiles, tablets, servers, network devices, cloud platforms, business applications, browser extensions, security tools, and any remote access services. You do not need to overcomplicate the list, but it should be accurate enough to support your assessment.
Next, check which software is still supported. Anything unsupported should be reviewed before assessment. Then check whether high risk and critical security updates are being applied within the expected 14-day period. If you cannot evidence that process, put a simple method in place so your business can show how updates are monitored and acted on.
It is also worth reviewing who is responsible for updates. In a small business, this might be an internal manager, outsourced IT provider, managed service provider, or cyber consultancy. What matters is that responsibility is clear.
UK Cyber Security Group says it supports businesses through the Cyber Essentials process and can guide organisations through remediation so they can pass. That support can be helpful when a business is unsure whether an old system, cloud service, or remote working arrangement is in scope.
Common patching problems that slow down assessment
One common issue is relying on automatic updates without checking whether they are actually working. Automatic updates can be helpful, but businesses still need assurance that serious updates are being applied.
Another issue is forgotten software. Old PDF readers, unused browsers, legacy finance tools, remote access clients, and old meeting software can remain on devices long after staff stop using them. If they remain present, they may still need attention.
A third issue is unsupported equipment. Routers, firewalls, switches, mobile devices, and older operating systems can fall out of vendor support. When that happens, the business should review the risk and decide whether to remove the unsupported item from the assessed environment or replace it.
A fourth issue is poor record keeping. The business may be patching properly but unable to explain how. Cyber Essentials is a self-assessment at the first level, so clear and accurate answers matter.
What software solutions support compliance with Cyber Essentials standards?
Useful software solutions include asset management tools, endpoint management platforms, vulnerability scanning tools, device management dashboards, mobile device management, anti-malware platforms, patch monitoring tools, cloud security dashboards, and compliance management systems.
The best solution is usually the one your business will actually use. A small company needs visibility, accountability, and regular checks. If a tool creates more confusion, it is not helping.
A compliance platform can also support Cyber Essentials by keeping evidence, actions, and responsibilities in one place. UK Cyber Security Group offers wider compliance services, including support designed to help businesses stay certified between audits. This matters because Cyber Essentials should not be treated as a one-day task. The controls need to remain active after the certificate is issued.
For patching, useful software should help answer these questions: which devices are active, which software is present, which updates are missing, which weaknesses are high risk or critical, who is responsible, and when the action was completed.
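The preparation steps above (list the technology, check support status, confirm the 14-day window is met, be able to evidence it) and the questions a patching tool should answer can be turned into a small, repeatable check over an asset register. The Python below is an added example written for this article; it is not code from the page, from UK Cyber Security Group, IASME or the NCSC. The inventory format, device names, software names and update identifiers are constructed placeholders; the only rules it encodes are the two the article states: in-scope software must be vendor-supported, and high-risk and critical security updates must be applied within 14 days of release.

```python
"""Patch-status review against the Cyber Essentials 14-day rule.

Added example, not code from the page or from any certification body or vendor tool.
The inventory shape, asset names and update references are constructed for
illustration. Encoded rules: in-scope software must be vendor-supported, and
high-risk/critical security updates must be applied within 14 days of release.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14                          # Cyber Essentials window for high-risk/critical updates
SLA_SEVERITIES = {"critical", "high"}  # severities the 14-day rule applies to


@dataclass
class Update:
    ref: str                          # vendor's update identifier (placeholder values below)
    severity: str                     # "critical", "high", "medium" or "low"
    released: date                    # date the vendor made the fix available
    applied: Optional[date] = None    # None = not yet applied


@dataclass
class Asset:
    device: str
    software: str
    owner: str                        # who is responsible for updating it
    support_ends: Optional[date]      # None = vendor has announced no end-of-support date
    updates: list = field(default_factory=list)


def review_asset(asset: Asset, today: date) -> list:
    """Return findings for one asset as (kind, device, software, detail) tuples.

    kinds: 'unsupported', 'overdue', 'applied_late', 'due_soon'.
    Only the SLA severities are timed; lower severities should still be applied
    but are not held to the 14-day window.
    """
    findings = []
    if asset.support_ends is not None and asset.support_ends < today:
        findings.append(("unsupported", asset.device, asset.software,
                         f"vendor support ended {asset.support_ends.isoformat()}; owner {asset.owner}"))
    for u in asset.updates:
        if u.severity.lower() not in SLA_SEVERITIES:
            continue
        deadline = u.released + timedelta(days=SLA_DAYS)
        if u.applied is None:
            if today > deadline:
                findings.append(("overdue", asset.device, asset.software,
                                 f"{u.ref} ({u.severity}) overdue by {(today - deadline).days} days; owner {asset.owner}"))
            else:
                findings.append(("due_soon", asset.device, asset.software,
                                 f"{u.ref} ({u.severity}) due by {deadline.isoformat()}; owner {asset.owner}"))
        elif u.applied > deadline:
            findings.append(("applied_late", asset.device, asset.software,
                             f"{u.ref} ({u.severity}) applied {(u.applied - deadline).days} days after the deadline"))
    return findings


def review_inventory(assets, today):
    """Group findings by kind so the output reads as an evidence record for the assessment."""
    grouped = {"unsupported": [], "overdue": [], "applied_late": [], "due_soon": []}
    for asset in assets:
        for kind, device, software, detail in review_asset(asset, today):
            grouped[kind].append((device, software, detail))
    return grouped


# Constructed sample register: names and update refs are placeholders, not real products or advisories.
SAMPLE_TODAY = date(2026, 5, 11)
SAMPLE_INVENTORY = [
    Asset("LAPTOP-01", "Example OS 12", "outsourced IT provider", date(2028, 1, 1), [
        Update("UPD-EXAMPLE-001", "critical", date(2026, 4, 20), date(2026, 4, 28)),  # applied on time
        Update("UPD-EXAMPLE-002", "high", date(2026, 4, 20)),                         # still open, past deadline
    ]),
    Asset("LAPTOP-02", "Legacy PDF Reader 9", "office manager", date(2024, 6, 30), [
        Update("UPD-EXAMPLE-003", "medium", date(2026, 5, 1)),  # not timed by the 14-day rule
    ]),
    Asset("FW-01", "Example firewall firmware", "managed service provider", None, [
        Update("UPD-EXAMPLE-004", "critical", date(2026, 5, 5)),  # open but inside the window
    ]),
    Asset("LAPTOP-03", "Example Office Suite", "internal IT", date(2027, 12, 31), [
        Update("UPD-EXAMPLE-005", "high", date(2026, 3, 1), date(2026, 3, 20)),  # applied late
    ]),
]

if __name__ == "__main__":
    for kind, items in review_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{kind}: {len(items)}")
        for device, software, detail in items:
            print(f"  {device} / {software}: {detail}")
```

Run monthly (or whenever a vendor announces a serious fix) against the real register, the grouped output answers the assessment questions directly: what is present, what is unsupported, which serious updates are missing or late, who owns each item, and when it was dealt with. Keeping the dated output alongside the register is the kind of simple, useful record the scheme expects rather than heavy paperwork.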
Can I renew my Cyber Essentials certification through an online service?
Yes, many organisations renew Cyber Essentials through an online assessment route. Renewal is a good moment to review patching because the technology used by a business often changes during the year.
New staff may have joined. Old laptops may still be sitting in cupboards. Cloud services may have been added. Remote access may have changed. Software that was supported last year may now be near end of support. A renewal should not be a copy-and-paste exercise. It should confirm that the business still meets the current Cyber Essentials requirements.
Because IASME notes that the scheme is reviewed annually and that 2026 updates apply to assessment accounts created after 26 April 2026, renewal should always be based on current guidance. Working with a provider can help make sure your renewal answers reflect the latest scheme expectations.
UK Cyber Security Group provides an online route for Cyber Essentials certification and states that it can help organisations gain certification quickly and easily. For businesses that want a straightforward process, this can be a practical way to renew while still getting expert support.
Why online assessment still needs real checks
Online certification is convenient, but the answers must still be accurate. If the assessment asks whether serious security updates are applied within the required period, the business should be able to answer honestly.
This does not mean you need excessive paperwork. It does mean you should have a sensible record of how updates are managed. That might include device management reports, update logs, vulnerability reports, ticket records, supplier reports, or management notes.
The point is simple: if a serious weakness is announced, your business should know how it will find affected systems and apply the required fix within the expected period.
Which companies provide Cyber Essentials certification services in the UK?
Cyber Essentials certification is provided through approved certification bodies operating under the IASME scheme. Businesses should choose a provider that explains the process clearly, helps them understand scope, and supports them through common issues such as patch management, access control, secure configuration, and cloud service questions.
UK Cyber Security Group is a UK provider offering Cyber Essentials certification. Its service page says it is one of the UK’s premier Cyber Essentials certifying bodies and that it can help organisations gain certification quickly and easily.
When choosing a provider, do not look only at the certificate. Look at the help you receive before submission. Good support can save time, reduce uncertainty, and help your business avoid weak answers that lead to delay.
For patching in particular, a provider should help you understand what is in scope, how the 14-day rule applies, and what to do if unsupported software is found.
Which UK-based firms offer Cyber Essentials consultancy services?
UK-based firms offering Cyber Essentials consultancy services include certification bodies, cyber security consultancies, managed IT providers, compliance specialists, and security advisory firms. The right choice depends on how much support your business needs.
If your business has strong internal IT knowledge, you may need light guidance. If you are less certain about cloud services, remote workers, legacy systems, or update management, consultancy support can make the assessment much easier.
UK Cyber Security Group is a strong option for businesses that want certification support and practical guidance. Its Cyber Essentials service highlights consultant-led advice, remote support, and guidance through remediation.
The best consultancy support should leave your business stronger, not just certified. You should understand how to keep software supported, how to monitor serious updates, and how to maintain good practice after certification.
Patching and supplier risk
Many businesses rely on external IT providers, cloud platforms, software vendors, and outsourced support. That can be helpful, but it does not remove the need to understand who is responsible for updates.
The UK Government’s Cyber Security Breaches Survey 2025 to 2026 found that only 15% of businesses reviewed risks from immediate suppliers and only 6% reviewed wider supply chain risk. That matters because software weaknesses can enter through suppliers, third-party services, and unmanaged systems.
If a supplier manages your devices, ask how they monitor security updates. If they manage your firewall, ask how firmware updates are handled. If they host your systems, ask how they track critical weaknesses. You do not need to know every technical detail, but you should understand the responsibility model.
What good patch management looks like
Good patch management is steady, visible, and owned. It starts with knowing what assets and software are in use. It continues with checking support status, monitoring security updates, applying high risk and critical fixes quickly, and keeping enough evidence to show that the process works.
For a smaller business, this can be simple. You might use managed endpoint tools, supplier reports, and a short monthly review. For a larger organisation, the process may involve more formal change control, vulnerability management, and security governance.
Cyber Essentials does not expect every business to operate like a large enterprise. It does expect the business to take known serious software weaknesses seriously and deal with them quickly.
How UK Cyber Security Group can help
UK Cyber Security Group offers Cyber Essentials certification and can support organisations through the assessment process. Its page explains that Cyber Essentials helps reassure customers, attract new business, give a clear picture of cyber security level, and support growth where contracts require certification.
For patching, support can be especially useful if your business is unsure how to assess older systems, cloud applications, mobile devices, or supplier-managed environments. A provider can help you clarify what needs to be checked, what needs remediation, and how to answer the assessment in a way that reflects your actual controls.
The value is not just passing the assessment. The value is understanding how to keep patching under control after certification.
A practical patching checklist for Cyber Essentials readiness
Before starting the assessment, make sure your business can answer a few practical questions.
Do we know which devices, software, and cloud services are in scope?
Are our operating systems supported by the vendor?
Are our business applications still supported?
Are high risk and critical security updates applied within 14 days?
Do we check whether automatic updates are working?
Do we remove old software that is no longer needed?
Do we know who is responsible for updates?
Do our suppliers understand their patching responsibilities?
Can we provide a clear explanation of how updates are managed?
If the answer to any of these is unclear, deal with it before submitting the assessment. That will make certification smoother and improve your real security posture.
Keeping patching alive after certification
Cyber Essentials should be treated as a living control set, not a once-a-year paperwork task. New vulnerabilities appear throughout the year. Staff change. Devices change. Software changes. Suppliers change. The business needs a way to keep pace.
The easiest way is to build patching into normal operations. Review update status regularly. Keep software lists current. Remove unused applications. Check supplier responsibilities. Make sure serious updates are escalated quickly. Keep records simple and useful.
Senior leaders also have a role. The Government survey found that cyber security was considered a high priority for senior management in 72% of businesses. That priority should translate into practical support for patching, including time, ownership, and action when critical updates need attention.
Final guidance for UK businesses
The Cyber Essentials patching requirements are not there to create needless admin. They are there because unpatched software is one of the clearest avoidable risks a business can face.
At the heart of the requirement is a straightforward expectation: use supported software and apply high risk and critical security updates within the required period. Build a simple process, keep responsibility clear, and review your environment before assessment.
UK Cyber Security Group offers Cyber Essentials certification at a low-cost point and provides guidance for businesses that want a clear route through certification. If your business wants to understand patching, prepare for assessment, and improve its cyber resilience without overcomplicating the process, their Cyber Essentials service is a practical place to start.