How quickly must I apply patches?

Cyber Essentials requires high or critical patches to be applied within 14 days of release for in-scope systems. Always check the current scheme requirements.

What about software I can't patch?

Unsupported software must generally be removed or isolated. Document what you've done and your timeline.

Do I need a patch policy document?

Yes — a short written policy is part of typical Cyber Essentials evidence.

Evidence area

Cyber Essentials patch management evidence

Patching is one of the most common reasons SMEs fail Cyber Essentials. Evidence needs to show that high or critical patches are applied within 14 days and that unsupported software is removed.

Start free See features

Where patch evidence usually breaks

A patch report from a single day isn't enough. Assessors want to see that you have a patching process, you know what's installed, and that unsupported operating systems or browsers have been removed or have a documented replacement plan.

Examples of patch evidence

Patch / update report from your MDM or RMM tool
List of in-scope devices with operating system and version
Patch and update policy document
Evidence of unsupported software being removed or replaced
Review notes confirming the most recent patch cycle completed
Automatic update settings screenshot for end-user devices

How Evaud helps

Linked to assets

Connect patch reports to the laptops, servers and mobile devices in your asset register.

Reminders before items expire

Set review dates so patch evidence doesn't go stale before assessment.

Tasks for unsupported software

Track the work to remove or replace anything that's gone end-of-life.

Frequently asked questions

Start building your Cyber Essentials evidence today.

Free to try. No credit card required.

Start free Contact us