Questionnaire Part 6 Secure Business Operations (Security Update Management)
Secure Business Operations
(Security Update Management)
A6.1 Supported Operating System
Are all operating systems and firmware on your devices supported by a vendor that produces regular security updates?

Older operating systems that are out of regular support include Windows XP/Vista/Server 2003, macOS Mojave, iOS 12, iOS 13, Android 8 and Ubuntu Linux 17.10. This requirement also covers the firmware on your firewalls and routers. It is important that you keep track of your operating systems and firmware and understand when they reach end of life (EOL). Most major vendors publish EOL dates for their operating systems and firmware.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A6.2 Supported Software
Is all software on your devices supported by a supplier that produces regular fixes for any security problems?

All software used by an organisation must be supported by a supplier who provides regular security updates. Unsupported software must be removed from devices. This includes frameworks and plugins such as Java, Adobe Reader, and .NET.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
If it is relevant to your organisation (this is not the case for the majority of applicants), you can upload a CSV for this question, but please check the file thoroughly before upload. Any out-of-support software will cause delays to the assessment.
A6.2.1 Internet Browsers
Please list your internet browser(s).

Please list all internet browsers you use so that the assessor can understand your setup and verify that they are in support. For example: Chrome Version 89; Safari Version 14.

Please ensure you provide the version numbers.
A6.2.2 Malware Protection
Please list your malware protection.

Please list all malware protection and versions you use so that the assessor can understand your setup and verify that they are in support. For example: Sophos Endpoint Protection V10; Windows Defender; Bitdefender Internet Security 2020.

Please ensure you provide the version numbers.
A6.2.3 Email Application
Please list your email applications installed on end user devices and servers.

Please list all email applications and versions you use so that the assessor can understand your setup and verify that they are in support. For example: MS Exchange 2016; Outlook 2019.

Please ensure you provide the version numbers.
A6.2.4 Office Applications
Please list all office applications that are used to create organisational data.

Please list all office applications and versions you use so that the assessor can understand your setup and verify that they are in support. For example: MS 365; LibreOffice; Google Workspace; Office 2016.

Please ensure you provide the version numbers.
A6.3 Software Licensing
Is all software licensed in accordance with the publisher’s recommendations?

All software must be licensed. It is acceptable to use free and open source software as long as you comply with its licensing requirements. Please be aware that some operating systems, firmware and applications only receive regular security updates while an annual licence or support subscription is in place; if that licence is not purchased or has lapsed, the product is no longer supported.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
Pirated software is not compliant.
A6.4 Security Updates - Operating System
Are all high-risk or critical security updates for operating systems and firmware installed within 14 days of release?

You must install any such updates within 14 days of release in all circumstances. If you cannot achieve this at all times, you will not achieve compliance with this question. You are not required to install feature updates or optional updates to meet this requirement, only high-risk or critical security updates.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
The security updates in question are those that the vendor has rated 'high' or 'critical', those with a CVSS v3 score of 7 or higher, and every security update from a vendor that does not publish severity details for the vulnerabilities it fixes (where no rating is available, the update must be treated as in scope).
A6.4.1 Auto Updates - Operating System
Are all updates applied for operating systems by enabling auto updates?

Most devices have the option to enable auto updates. This must be enabled on any device where possible.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A6.4.2 Manual Updates - Operating System
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all operating systems and firmware are applied within 14 days of release?

It is not always possible to apply auto updates. Please indicate how any updates are applied when auto updates are not configured.

Provide a concise description of your process for ensuring high-risk or critical security updates are installed within 14 days.
A6.5 Security Updates - Applications
Are all high-risk or critical security updates for applications (including any associated files and any plugins such as Java, Adobe Reader, and .NET) installed within 14 days of release?

You must install any such updates within 14 days of release in all circumstances. If you cannot achieve this at all times, you will not achieve compliance with this question. You are not required to install feature updates or optional updates to meet this requirement, only high-risk or critical security updates.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
The security updates in question are those that the vendor has rated 'high' or 'critical', those with a CVSS v3 score of 7 or higher, and every security update from a vendor that does not publish severity details for the vulnerabilities it fixes (where no rating is available, the update must be treated as in scope).
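The scoping rule for A6.4 and A6.5 is the same (vendor-rated high/critical, CVSS v3 of 7 or higher, or no vendor rating at all) and the deadline is 14 days from release. The following script is an added example, not part of the questionnaire or the certification body's own tooling, showing how an organisation could track its own update records against that rule when reviewing A6.4.2/A6.5.2 manually. The product names, advisory identifiers, dates and the "today" value are constructed for illustration.

```python
"""Triage vendor security updates against the Cyber Essentials 14-day rule.

Added example: the Update records, identifiers and dates below are constructed
for illustration and do not correspond to any real vendor advisory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional

PATCH_WINDOW = timedelta(days=14)   # "within 14 days of release"
CVSS_THRESHOLD = 7.0                # "CVSS v3 score of 7 or higher"


@dataclass
class Update:
    product: str
    identifier: str                  # vendor advisory / KB reference (hypothetical)
    released: date                   # vendor release date
    vendor_severity: Optional[str]   # vendor rating, or None if the vendor gives none
    cvss_v3: Optional[float]         # CVSS v3 score, or None if not published
    installed: Optional[date] = None # date installed on the last device, None if pending


def in_scope(u: Update) -> bool:
    """True when the update falls under A6.4/A6.5.

    In scope if the vendor rates it high/critical, if its CVSS v3 score is
    7.0 or higher, or if the vendor provides no severity information at all
    (no rating and no score), in which case it must be treated as critical.
    """
    if u.vendor_severity is None and u.cvss_v3 is None:
        return True
    if u.vendor_severity is not None and u.vendor_severity.strip().lower() in ("high", "critical"):
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    return False


def deadline(u: Update) -> date:
    """Last day on which installation still counts as 'within 14 days'."""
    return u.released + PATCH_WINDOW


def status(u: Update, today: date) -> str:
    """Classify one record: out-of-scope, installed-in-time, installed-late, overdue or pending."""
    if not in_scope(u):
        return "out-of-scope"
    due = deadline(u)
    if u.installed is not None:
        return "installed-in-time" if u.installed <= due else "installed-late"
    return "overdue" if today > due else "pending"


def report(updates: Iterable[Update], today: date) -> Dict[str, str]:
    """Map each advisory identifier to its status for the review meeting."""
    return {u.identifier: status(u, today) for u in updates}


def compliant(updates: Iterable[Update], today: date) -> bool:
    """Only a clean record satisfies A6.4/A6.5: nothing late, nothing overdue, nothing pending."""
    return all(s in ("out-of-scope", "installed-in-time") for s in report(updates, today).values())


# Constructed sample inventory (hypothetical products and advisory numbers).
TODAY = date(2024, 3, 18)
SAMPLE_UPDATES = [
    Update("Example OS", "EX-2024-001", date(2024, 3, 1), "critical", 9.8, installed=date(2024, 3, 10)),
    Update("Example OS", "EX-2024-002", date(2024, 3, 1), "moderate", 5.3),            # out of scope
    Update("Example Reader", "EX-2024-003", date(2024, 3, 1), None, None, installed=date(2024, 3, 20)),  # no rating: in scope, installed late
    Update("Example Router firmware", "EX-2024-004", date(2024, 3, 5), "high", 7.0),   # due 19 March, still pending
]

if __name__ == "__main__":
    for ident, s in report(SAMPLE_UPDATES, TODAY).items():
        print(f"{ident}: {s}")
    print("compliant:", compliant(SAMPLE_UPDATES, TODAY))
```

Note that a pending update inside its window is not a failure yet, but any single "installed-late" or "overdue" entry means the organisation cannot answer yes to A6.4 or A6.5, because the requirement applies in all circumstances rather than on average.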
A6.5.1 Auto-Updates - Applications
Are all updates applied for applications by enabling auto updates?

Most devices have the option to enable auto updates. Auto updates should be enabled where possible.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
A6.5.2 Manual Updates - Applications
Where auto updates are not being used, how do you ensure all high-risk or critical security updates of all applications are applied within 14 days of release?

Please indicate how updates are applied when auto updates have not been configured.

Provide a concise description of your process for ensuring high-risk or critical security updates are installed within 14 days.
A6.6 Unsupported Software Removal
Have you removed any applications on your devices that are no longer supported and no longer receive regular fixes for security problems?

You must remove older software from your devices when it is no longer supported by the manufacturer. Such software might include older versions of web browsers, operating systems, frameworks such as Java and Flash, and all application software.

This question requires a yes or no answer. You do not need to add Applicant Notes to be compliant.
If you choose to add Applicant Notes, be aware that this question is not asking about the removal of unsupported or unneeded software on device setup, but about the ongoing review and removal of unsupported software throughout your organisation's use of the device.
A6.7 Unsupported Software Segregation
Where unsupported software is in use, have those devices been moved to a segregated sub-set and internet access removed, and how do you achieve this?
This question is for information only. From January 2023 this question will require that all unsupported applications have been moved to a segregated sub-set and internet access removed and will be marked for compliance.
Software that is not removed from devices when it becomes unsupported will need to be placed onto its own sub-set and prevented from inbound and outbound internet access.
A sub-set is defined as a part of the organisation whose network is segregated from the rest of the organisation by a firewall or VLAN.
From January 2023, you will be required to confirm that devices using unsupported software have been moved to a segregated sub-set with no internet access and to provide a description of how this is achieved.
An example of a compliant answer is:
We have older versions of Adobe InDesign on three devices (supported by a business case). The three devices are not connected to the internet and are on a separate VLAN.