Questionnaire Part 6 Secure Business Operations (Security Update Management)

Notes
This guide reflects the Willow question set, introduced in April 2025. Applications using the Montpellier question set will differ in some areas; these applications may still be completed before 28th October 2025. 

Security Update Management


A6.1 Supported Operating System

Are all operating systems on your devices supported by a vendor that produces regular security updates and vulnerability fixes?
Alert
If you have included firewall or router devices in your scope, the firmware of these devices is considered to be an operating system and needs to meet this requirement.

Older operating systems that are out of regular support include, for example: Windows 7/XP/Vista/Server 2003, macOS Mojave, iOS 12, iOS 13, Android 8 and Ubuntu Linux 17.10. This is not an exhaustive list and you should always check with the vendor to confirm whether an operating system is still supported.

It is important you keep track of your operating systems and understand when they have gone end of life (EOL). Most major vendors will have published EOL dates for their operating systems and firmware.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.

Vulnerability fixes include patches, updates, registry fixes, configuration changes, scripts or any other mechanism approved by the vendor to fix a known vulnerability.

Extended Security Update schemes
For any end-of-life operating system that has an extended security update program, you must maintain the required subscription.

If you are using Windows 10 beyond the 14th October 2025 you must be signed up to the Microsoft Extended Security Update program in order to remain compliant.

Further guidance:
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

When marking this question, we will be reviewing your answers from Section 2 (Scope). If you answer no, or if you answer yes (which is compliant) but have listed unsupported operating systems in Section 2, this will lead to an automatic fail in this question.

A6.2 Supported Software

Is all software on your devices supported by a supplier that produces regular fixes for any security problems?
Alert
All software used by an organisation must be supported by a supplier who provides regular security updates. Unsupported software must be removed from devices. This includes frameworks and extensions.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

When marking this question, we will be reviewing your answers from A6.2.1–A6.2.4. If you answer no, or if you answer yes (which is compliant) but have listed unsupported software, this will lead to a non-compliance against this question.

A6.2.1 Internet Browsers

Please list your internet browser/s.
Alert
The version is required.

Please list all internet browsers installed on your devices, so that the Assessor can understand your setup and verify that they are in support.

For example: Chrome Version 124, Safari Version 15.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.

Info
Please list all browsers, including versions. You do not need to provide the minor version (e.g., Chrome 135.0.7049.128) — the major version (e.g., Chrome 135) is sufficient.

A6.2.2 Malware Protection

Please list your malware protection.

Alert
The version is required.

Please list all malware protection and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: Sophos Endpoint Protection V10, Microsoft Defender, Bitdefender Internet Security 2023.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.

Info
Please list all malware protection, including versions. You do not need to provide the minor version — the major version is sufficient. You do not need to provide a version for Defender.


A6.2.3 Email Applications

Please list your email applications installed on end user devices and server.
Alert
The version is required.

Please list all email applications and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: MS Exchange 2016, Outlook 2019.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.
Info
Please list all email applications. You do not need to provide the minor version — the major version is sufficient. You do not need to provide versions for MS 365.

If you do not have any email applications but instead access emails via a web browser, please clarify this in your answer.


A6.2.4 Office Applications

Please list all office applications that are used to create organisational data.
Alert
The version is required.

Please list all office applications and versions you use so that the Assessor can understand your setup and verify that they are in support.

For example: MS 365, Libre Office, Google Workspace, Office 2016.

CE Requirement: You must make sure that all software in scope is kept up to date. All software on in-scope devices must be licensed and supported.
Info
Please list all office applications. You do not need to provide the minor version — the major version is sufficient. You do not need to provide versions for MS 365.


A6.3 Software Licensing

Are any of the in-scope software or cloud services unlicensed or unsupported?
Alert
All software must be licensed. It is acceptable to use free and open-source software as long as you comply with any licensing requirements.

Please be aware that for some operating systems, firmware and applications, if annual licensing is not purchased, they will not be receiving regular security updates.

CE Requirement: All software on in-scope devices must be licensed and supported.

Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

'Yes' will attract a non-compliance and will also trigger A6.3.1.

A6.3.1 Unsupported Software & Services

If yes to A6.3, please list the unsupported or unlicensed software or cloud services.

Info
You must list any unsupported or unlicensed software and services.


A6.4 Security Updates - Operating System

Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release?
Alert
You must install any such updates within 14 days in all circumstances. If you cannot achieve this requirement at all times, you will not achieve compliance to this question. You are not required to install feature updates or optional updates in order to meet this requirement, just high-risk or critical security updates.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

When marking this question, we will be reviewing your answers from Section 2 (Scope). If you answer no, or if you answer yes (which is compliant) but have listed supported but unpatched operating systems in Section 2, this will lead to a non-compliance against this question.

For example, at the time of writing, the supported versions of macOS are Ventura, Sonoma, and Sequoia, and the current version of Sonoma is 14.7.5.
  1. If an application stated a device was running Catalina, this would result in an automatic fail in A6.1, because the operating system is unsupported.
  2. If an application stated a device was running Sonoma with version 14.6, this would result in a non-compliance in A6.4 because, while Sonoma is supported, updates have not been applied within 14 days of release.
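The macOS example above can be expressed as a small inventory check that separates the two outcomes: an unsupported release (automatic fail in A6.1) from a supported release running behind the current version once the 14-day window has passed (non-compliance in A6.4). The Python below is an added illustration, not part of the questionnaire guidance or any assessor tooling. The supported release names and the Sonoma 14.7.5 version come from the text; the release date, device names and function names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Supported macOS releases named in the guidance (mapping to their major version).
SUPPORTED_MACOS = {"Ventura": "13", "Sonoma": "14", "Sequoia": "15"}

# Latest version per release and the date it shipped. 14.7.5 is from the guidance;
# the date is a CONSTRUCTED placeholder, not Apple's actual release date.
CURRENT_RELEASE = {"Sonoma": ("14.7.5", date(2025, 3, 31))}

PATCH_WINDOW = timedelta(days=14)  # "within 14 days of release"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '14.7.5' into (14, 7, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Device:
    name: str
    os_release: str  # e.g. "Sonoma"
    os_version: str  # e.g. "14.6"


def assess(device: Device, today: date) -> tuple[str, str, str]:
    """Return (question, status, reason) for one device against A6.1 and A6.4."""
    if device.os_release not in SUPPORTED_MACOS:
        return ("A6.1", "fail", f"{device.os_release} is an unsupported operating system")

    record = CURRENT_RELEASE.get(device.os_release)
    if record is None:
        return ("A6.4", "unknown", f"no current-version record held for {device.os_release}")
    latest, released = record

    if parse_version(device.os_version) >= parse_version(latest):
        return ("A6.4", "compliant", f"running current version {latest}")

    days_since_release = (today - released).days
    if days_since_release > PATCH_WINDOW.days:
        return ("A6.4", "non-compliant",
                f"{device.os_version} is behind {latest}, released {days_since_release} days ago")
    return ("A6.4", "compliant",
            f"{device.os_version} is behind {latest}, but still inside the 14-day window")


if __name__ == "__main__":
    # Constructed inventory mirroring the two cases in the guidance.
    inventory = [
        Device("mac-01", "Catalina", "10.15.7"),
        Device("mac-02", "Sonoma", "14.6"),
        Device("mac-03", "Sonoma", "14.7.5"),
    ]
    for d in inventory:
        question, status, reason = assess(d, today=date(2025, 5, 1))
        print(f"{d.name}: {question} {status} ({reason})")
```

The version comparison is done on numeric tuples rather than strings, which matters once a component reaches two digits (14.10 must sort after 14.9). The same structure extends to any vendor: replace the two tables with that vendor's published support list and current version.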

A6.4.1 Auto Updates - Operating System

Are all updates applied for operating systems by enabling auto updates?
Alert
Most devices have the option to enable auto updates. This must be enabled on any device where possible.

CE Requirement: All software on in-scope devices must have automatic updates enabled where possible.

Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.


A6.4.2 Manual Updates - Operating System

Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all operating systems and firmware on firewalls and routers are applied within 14 days of release?
Alert
It is not always possible to apply auto updates; this is often the case when you have critical systems or servers and you need to be in control of the updating process.

Please describe how any updates are applied when auto updates are not configured.

If you only use auto updates, please confirm this in the notes field for this question.

CE Requirement: All software on in-scope devices must be updated, including vulnerability fixes, within 14 days of release, where any of the following applies:
  1. The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high-risk’
  2. The update addresses vulnerabilities with a CVSSv3 base score of 7 or above
  3. There are no details of the level of vulnerabilities the update fixes provided by the vendor
Info
Please either confirm that you only use auto updates, or describe the process you use to ensure all updates are applied within 14 days of release. For example:
"We apply auto updates for all devices except one which hosts business-critical systems. For this device, we note when an update is available and check for any reported issues with the update before applying it. Our IT team, overseen by our Head of IT, is responsible for ensuring this update is applied as soon as practically possible, and always within 14 days."

A6.5 Security Updates - Applications

Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release? 
Alert
You must install any such updates and vulnerability fixes within 14 days in all circumstances.

If you cannot achieve this requirement at all times, you will not achieve compliance to this question.

You are not required to install feature updates or optional updates in order to meet this requirement, just high-risk or critical security updates.

CE Requirement: All software on in-scope devices must be updated, including vulnerability fixes, within 14 days of release, where any of the following applies:
  1. The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high-risk’
  2. The update addresses vulnerabilities with a CVSSv3 base score of 7 or above
  3. There are no details of the level of vulnerabilities the update fixes provided by the vendor
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

When marking this question, we will be reviewing your answers from A6.2.1–A6.2.4. If you answer no, or if you answer yes (which is compliant) but have listed supported but unpatched software, this will lead to a non-compliance against this question.

A6.5.1 Auto-Updates - Applications

Are all updates applied for applications by enabling auto updates?
Alert
Most devices have the option to enable auto updates. Auto updates should be enabled where possible.

CE Requirement: All software on in-scope devices must have automatic updates enabled where possible.
Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

A6.5.2 Manual Updates - Applications

Where auto updates are not being used, how do you ensure all high-risk or critical security updates and vulnerability fixes of all applications are applied within 14 days of release?
Alert
It is not always possible to apply auto updates; this is often the case when you have critical systems or applications and you need to be in control of the updating process.

Please describe how any updates and vulnerability fixes are applied when auto updates are not configured.

If you only use auto updates, please confirm this in the notes field for this question.

CE Requirement: All software on in-scope devices must be updated, including vulnerability fixes, within 14 days of release, where any of the following applies:
  1. The update fixes vulnerabilities described by the vendor as ‘critical’ or ‘high-risk’
  2. The update addresses vulnerabilities with a CVSSv3 base score of 7 or above
  3. There are no details of the level of vulnerabilities the update fixes provided by the vendor
Info
Please either confirm that you only use auto updates, or describe the process you use to ensure all updates are applied within 14 days of release. For example:
"We apply auto updates for all devices except one which hosts business-critical systems. For this device, we note when an update is available and check for any reported issues with the update before applying it. Our IT team, overseen by our Head of IT, is responsible for ensuring this update is applied as soon as practically possible, and always within 14 days."
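The three-part CE rule quoted in A6.4.2 and A6.5.2 is a triage decision followed by a deadline check, and the third part is the one most often missed: an update with no published severity must be treated as in scope, not as optional. The Python below is an added illustration of that rule applied to a manual-update tracker, not code from the questionnaire guidance or from any certification body. All update records, dates and scores are constructed sample data, and the accepted vendor-label spellings are an assumption made to cover common wording.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)

# Vendor wordings treated as "critical or high-risk". The set is an assumption;
# extend it to match how your own vendors label advisories.
IN_SCOPE_LABELS = {"critical", "high-risk", "high risk", "high"}


@dataclass
class Update:
    product: str
    released: date
    vendor_severity: Optional[str] = None  # None = vendor published no severity
    cvss_v3: Optional[float] = None        # None = vendor published no CVSSv3 score
    installed: Optional[date] = None       # None = not installed yet


def requires_14_day_install(u: Update) -> tuple[bool, str]:
    """Apply the CE rule: any one of the three conditions puts the update in scope."""
    if u.vendor_severity is not None and u.vendor_severity.strip().lower() in IN_SCOPE_LABELS:
        return True, f"vendor rates it '{u.vendor_severity}'"
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return True, f"CVSSv3 base score {u.cvss_v3} is 7 or above"
    if u.vendor_severity is None and u.cvss_v3 is None:
        # No details at all: the rule says this still counts.
        return True, "vendor gave no severity details, so it must be treated as in scope"
    return False, "below the critical/high threshold"


def deadline(u: Update) -> date:
    """Last day on which installation still counts as 'within 14 days of release'."""
    return u.released + PATCH_WINDOW


def assess(u: Update, today: date) -> tuple[str, str]:
    """Return (status, reason): optional, compliant, pending or non-compliant."""
    required, why = requires_14_day_install(u)
    if not required:
        return "optional", why
    due = deadline(u)
    if u.installed is not None and u.installed <= due:
        return "compliant", f"installed {u.installed}, deadline {due}; {why}"
    if u.installed is None and today <= due:
        return "pending", f"not yet installed, due {due}; {why}"
    return "non-compliant", f"deadline {due} missed; {why}"


if __name__ == "__main__":
    # Constructed tracker entries, one per branch of the rule.
    today = date(2025, 5, 1)
    tracker = [
        Update("router firmware", date(2025, 4, 10), vendor_severity="Critical", installed=date(2025, 4, 20)),
        Update("pdf reader", date(2025, 4, 1), cvss_v3=8.1, installed=date(2025, 4, 25)),
        Update("line-of-business app", date(2025, 4, 28)),            # no details published
        Update("media player", date(2025, 4, 1), vendor_severity="Low", cvss_v3=4.3),
    ]
    for u in tracker:
        status, reason = assess(u, today)
        print(f"{u.product}: {status} ({reason})")
```

Note that a single record can carry both a vendor label and a CVSS score, and the checks are evaluated in order; a "Low" label with a score of 7.2 is still in scope because the score condition is independent of the label.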

A6.6 Unsupported Software Removal

Have you removed any software installed on your devices that is no longer supported and no longer receives regular updates or vulnerability fixes for security problems?
Alert
You must remove older software from your devices when it is no longer supported by the manufacturer. Such software might include older versions of web browsers, operating systems, and all application software.

CE Requirement: All software on in-scope devices must be removed from devices when it becomes unsupported, or removed from scope by using a defined sub-set that prevents all traffic to/from the internet.

Info
This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.

If unsupported software is listed in A6.2.1–A6.2.4, this answer will attract a non-compliance.
A6.7 Unsupported Software Segregation

Where you have a business need to use unsupported software, have you moved the devices and software out of scope of this assessment? Please explain how you achieve this.
Alert
Software that is not removed from devices when it becomes unsupported will need to be placed onto its own sub-set with no internet access.

If the out-of-scope subset remains connected to the internet, you will not be able to achieve whole company certification and an excluding statement will be required in question A2.2.

A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
Info
If no unsupported software is in use, please state this (e.g., "We do not use unsupported software.") as we cannot accept "N/A" as an answer.
