
Patch Management: How to Stay Compliant with Cyber Essentials


Patch management is one of those IT disciplines that quietly underpins everything. When it works well, nobody notices. When it fails, the consequences can be catastrophic — from ransomware outbreaks that paralyse NHS trusts to data breaches that shatter consumer trust in household-name retailers. For UK organisations pursuing or maintaining Cyber Essentials certification, patch management is not merely a best practice; it is a mandatory control that assessors will scrutinise closely.

In this comprehensive guide, we explore what patch management really means in the context of Cyber Essentials and Cyber Essentials Plus, why it matters so much for UK businesses, and how to build a patching strategy that keeps you compliant year after year.

Why Patch Management Is a Cyber Essentials Cornerstone

The Cyber Essentials scheme, backed by the UK's National Cyber Security Centre (NCSC), identifies five technical controls that together mitigate the vast majority of common cyber attacks. Patch management — formally categorised under security update management — sits at the heart of the framework because unpatched software is one of the most reliably exploited attack vectors in the wild.

According to the NCSC's own threat reporting, the majority of successful cyber attacks against UK organisations exploit known vulnerabilities for which patches already exist. In other words, the fix was available; the organisation simply had not applied it. That gap between a patch being released and an organisation deploying it is where attackers thrive.

Critical Requirement

Under Cyber Essentials, all software within scope must be patched within 14 days of a critical or high-risk security update being released. Failure to meet this window is one of the most common reasons organisations fail their assessment.

The 14-day rule is non-negotiable. It applies to operating systems, applications, firmware, and any other software component within the scope of your certification. For Cyber Essentials Plus, assessors will actively verify that this requirement has been met by examining real devices and running vulnerability scans.

Understanding the Patching Landscape in 2025

Patch management has grown significantly more complex over the past decade. The days when IT teams only had to worry about Windows updates and a handful of desktop applications are long gone. Today, a typical UK small or medium-sized enterprise might be running dozens of different software products across multiple platforms, each with its own update cadence and delivery mechanism.

22,000+ CVEs published in 2024 alone
14 days: maximum patching window for Cyber Essentials
60% of UK breaches linked to unpatched vulnerabilities
£4.6M: average cost of a UK data breach (IBM, 2024)

The sheer volume of vulnerabilities disclosed each year means that organisations cannot afford a reactive, ad-hoc approach to patching. Without a structured process, critical patches will inevitably slip through the cracks — and it only takes one missed patch to provide an attacker with the foothold they need.

What Cyber Essentials Actually Requires

Let us break down the specific patching requirements that your organisation must satisfy to achieve and maintain Cyber Essentials certification.

1. All Software Must Be Licensed and Supported

If a software product has reached its end of life and the vendor no longer issues security patches, it cannot be used within the scope of your Cyber Essentials assessment. This catches many organisations off guard, particularly those still running legacy line-of-business applications or older operating systems.

Windows 10, for example, reaches end of support in October 2025. Any organisation still running it after that date will need to either upgrade to Windows 11, purchase Extended Security Updates from Microsoft, or remove those machines from scope — none of which are trivial undertakings for a busy IT department.

2. Automatic Updates Where Available

The Cyber Essentials scheme strongly favours automatic updates. Where a vendor provides an automatic update mechanism (as Microsoft, Apple, Google, and most major software vendors do), it should be enabled. Manual patching processes are acceptable, but they place a heavier burden on the organisation to demonstrate that patches are being applied consistently and within the 14-day window.

3. Critical and High-Risk Patches Within 14 Days

This is the headline requirement. Any patch that addresses a vulnerability rated as critical or high — whether by the vendor's own severity rating or by the Common Vulnerability Scoring System (CVSS) — must be deployed within 14 calendar days of release. Not 14 business days. Calendar days.

4. Removal of Unsupported Software

Software that is no longer receiving security updates must be removed from all devices within scope. This includes not just operating systems but also web browsers, browser plugins, office suites, PDF readers, and any other application that processes data from the internet or untrusted sources.

Building a Compliant Patching Strategy

Meeting these requirements consistently requires more than good intentions. You need a documented, repeatable process that accounts for the realities of your IT environment. Here is a framework that we recommend to our clients.

Step 1: Maintain a Complete Software Inventory

You cannot patch what you do not know about. Start by building and maintaining a comprehensive inventory of all software running across your estate. This should include operating systems, applications, firmware on network devices, browser extensions, and any cloud-based tools that require local agents or plugins.

Tools like Microsoft Intune, ManageEngine, or even a well-maintained spreadsheet can serve this purpose, depending on the size of your organisation. The key is that the inventory is accurate, current, and regularly reviewed.

Step 2: Classify and Prioritise

Not all patches carry the same urgency. While Cyber Essentials mandates a 14-day window for critical and high-risk updates, you should have a broader classification scheme that helps your team prioritise their workload.

Severity band (CVSS)      Internal target            Priority
Critical (9.0–10.0)       Within 48 hours            Immediate
High (7.0–8.9)            Within 7 days              Urgent
Medium (4.0–6.9)          Within 14 days             Standard
Low (0.1–3.9)             Next maintenance window    Scheduled

By setting internal targets that are more aggressive than the Cyber Essentials minimum, you build in a safety margin. If your target for critical patches is 48 hours, you have ample room to stay within the 14-day compliance window even if something goes wrong during deployment.

Step 3: Automate Where Possible

Automation is your greatest ally in patch management. Modern endpoint management platforms can handle the entire lifecycle — from detecting available patches to downloading, testing, deploying, and verifying installation — with minimal human intervention.

For Windows environments, Windows Server Update Services (WSUS) or Microsoft Intune provide robust automated patching capabilities. For mixed environments, third-party tools like ManageEngine Patch Manager Plus, Ivanti, or NinjaRMM can manage patches across Windows, macOS, Linux, and third-party applications from a single console.

The investment in automation pays dividends not just in compliance but in reduced IT workload, fewer emergency patching sessions, and a demonstrably stronger security posture.

Step 4: Test Before You Deploy

While speed is important, deploying a patch that breaks a critical business application can be just as disruptive as the vulnerability it was meant to fix. A staged deployment approach — where patches are first applied to a small test group before being rolled out to the wider estate — helps catch compatibility issues before they affect the entire organisation.

For smaller organisations that lack a formal test environment, applying patches to a handful of representative devices and monitoring them for 24 to 48 hours before wider deployment is a pragmatic compromise that balances speed with stability.

Step 5: Verify and Document

Deploying a patch is only half the battle. You need to verify that it was actually installed successfully and that the vulnerability has been remediated. Patch management tools typically provide compliance reports showing which devices have been patched and which have not.

Documentation is equally important, particularly for Cyber Essentials Plus assessments where assessors will want evidence of your patching practices. Keep records of when patches were released, when they were deployed, and the current patch status of all devices within scope.
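The five steps above describe a process rather than a tool, so here is a small patch-log tracker that ties Step 2 (classification by CVSS band) to Step 5 (verification and documentation). It is an added example written for this article, not code from the original page or from any of the products mentioned. It assumes the internal targets from the classification table (48 hours, 7 days, 14 days; low-severity patches wait for the next maintenance window), and all device and product names, scores and dates in the sample log are constructed. The Cyber Essentials deadline is computed in calendar days, which is the point the 14-day rule makes.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials window for critical/high security updates: 14 CALENDAR days
# from release. timedelta counts calendar days, so weekends are never skipped.
CE_WINDOW_DAYS = 14

# Internal targets from the classification table (assumed targets, in days after
# release). Low-severity patches wait for the next maintenance window: no deadline.
INTERNAL_SLA_DAYS = {"critical": 2, "high": 7, "medium": 14, "low": None}


def classify(cvss: float) -> str:
    """Map a CVSS base score to the severity bands used in the table."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


@dataclass
class PatchRecord:
    device: str
    product: str               # constructed product names, not real advisories
    cvss: float
    released: date             # vendor release date of the security update
    installed: Optional[date]  # verified install date; None = not yet confirmed


def ce_deadline(rec: PatchRecord) -> Optional[date]:
    """Mandatory Cyber Essentials deadline; only critical/high are in scope."""
    if classify(rec.cvss) in ("critical", "high"):
        return rec.released + timedelta(days=CE_WINDOW_DAYS)
    return None


def internal_deadline(rec: PatchRecord) -> Optional[date]:
    """Internal (more aggressive) deadline from the classification table."""
    days = INTERNAL_SLA_DAYS.get(classify(rec.cvss))
    return None if days is None else rec.released + timedelta(days=days)


def status_against(deadline: Optional[date], installed: Optional[date], today: date) -> str:
    """'n/a' when no deadline applies, 'compliant' when installed in time,
    'pending' when still open but inside the window, 'breach' otherwise."""
    if deadline is None:
        return "n/a"
    if installed is not None:
        return "compliant" if installed <= deadline else "breach"
    return "pending" if today <= deadline else "breach"


def compliance_report(records, today: date) -> list:
    """One row per record: the per-device evidence an assessor asks for."""
    rows = []
    for rec in records:
        rows.append({
            "device": rec.device,
            "product": rec.product,
            "severity": classify(rec.cvss),
            "ce_status": status_against(ce_deadline(rec), rec.installed, today),
            "internal_status": status_against(internal_deadline(rec), rec.installed, today),
        })
    return rows


def ce_breaches(records, today: date) -> list:
    """Devices that would fail the 14-day rule if assessed today."""
    return [r["device"] for r in compliance_report(records, today) if r["ce_status"] == "breach"]


# Constructed sample patch log: four devices, one security update each.
TODAY = date(2025, 3, 20)
SAMPLE_RECORDS = [
    PatchRecord("LAPTOP-01", "Example Browser", 9.8, date(2025, 3, 11), date(2025, 3, 12)),
    PatchRecord("LAPTOP-02", "Example Browser", 9.8, date(2025, 3, 11), None),
    PatchRecord("SRV-01", "Example VPN Appliance", 8.1, date(2025, 2, 1), date(2025, 2, 20)),
    PatchRecord("LAPTOP-03", "Example PDF Reader", 5.5, date(2025, 3, 1), None),
]

if __name__ == "__main__":
    for row in compliance_report(SAMPLE_RECORDS, TODAY):
        print(row)
    print("Cyber Essentials breaches:", ce_breaches(SAMPLE_RECORDS, TODAY))
```

Run as written, the report shows why the two deadlines are tracked separately: LAPTOP-02 is still inside the 14-day window but has already missed the 48-hour internal target, which is exactly the early warning the safety margin in Step 2 is meant to give; SRV-01 was patched 19 days after release and would fail an assessment outright.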

Common Patching Challenges for UK Organisations

Even with a solid strategy in place, UK organisations face several recurring challenges when it comes to patch management. Understanding these challenges — and having a plan to address them — is essential for maintaining compliance.

Remote and Hybrid Workforces

The shift to remote and hybrid working, accelerated by the pandemic and now firmly established as the norm for many UK businesses, has complicated patch management considerably. Devices that spend most of their time outside the corporate network may not receive patches through traditional on-premises tools like WSUS.

Cloud-based endpoint management solutions address this challenge by reaching devices wherever they are connected to the internet. If your organisation has adopted a hybrid working model, migrating to a cloud-native patch management solution should be a priority.

Third-Party Applications

While operating system patches tend to be well-managed thanks to built-in update mechanisms, third-party applications often fall through the cracks. Applications like Adobe Acrobat, Zoom, Java, 7-Zip, and various browser plugins all require their own patches, and not all of them have reliable automatic update capabilities.

A dedicated third-party patching tool — or at minimum, a regular manual review of installed third-party software — is essential for catching these gaps.

Legacy Systems

Many UK organisations, particularly in sectors like manufacturing, healthcare, and professional services, rely on legacy applications that may require older operating systems or specific software versions to function. These legacy dependencies can create significant patching headaches.

Where legacy systems cannot be updated, they should ideally be isolated from the rest of the network and, where possible, excluded from the scope of your Cyber Essentials assessment. If they must remain in scope, compensating controls such as network segmentation, application whitelisting, and enhanced monitoring should be implemented.

Patching and Cyber Essentials Plus: The Assessment

For organisations pursuing Cyber Essentials Plus, patch management compliance is not just self-declared — it is actively verified. During the technical assessment, the certifying body will perform vulnerability scans on a representative sample of your devices and examine the results for unpatched vulnerabilities.

External vulnerability scan
  What assessors check: internet-facing systems patched to current levels
  Common failures: unpatched web servers, VPN appliances

Internal device audit
  What assessors check: OS and application patch levels on sampled devices
  Common failures: third-party apps not updated

Browser and plugin check
  What assessors check: web browsers and extensions are current
  Common failures: old Java, Flash remnants, outdated extensions

Firmware verification
  What assessors check: network device firmware is up to date
  Common failures: router and firewall firmware neglected

End-of-life software check
  What assessors check: no unsupported software in use
  Common failures: Windows 10 post-EOL, Office 2016

If the scan reveals critical or high-severity vulnerabilities that should have been patched, the assessment will fail. The organisation will then have a limited remediation window to apply the missing patches and be re-scanned before a full re-assessment is required.

Practical Tips for Staying Compliant

Based on our experience supporting hundreds of UK organisations through the Cyber Essentials process, here are some practical tips that can make the difference between a smooth assessment and a stressful scramble.

Set calendar reminders for Patch Tuesday. Microsoft releases its monthly security updates on the second Tuesday of each month. Mark this date in your calendar and make it a standing task to review and deploy patches within the following week.

Subscribe to vendor security bulletins. For any software within your scope, subscribe to the vendor's security notification mailing list. This ensures you are aware of patches as soon as they are released, rather than discovering them during a routine review.

Conduct monthly patch audits. Set aside time each month to review the patch status of all devices within scope. This proactive approach catches any devices that may have fallen behind and gives you time to remediate before your annual assessment.

Document everything. Keep a patching log that records when patches were released, when they were deployed, and any exceptions or delays. This documentation is invaluable during Cyber Essentials Plus assessments and demonstrates a mature, professional approach to security management.

Plan for end-of-life transitions. Maintain a forward-looking calendar of end-of-life dates for all software within your estate. This gives you months of lead time to plan migrations rather than scrambling when support suddenly ends.

Pro Tip

Consider scheduling your Cyber Essentials Plus assessment for two to three weeks after Patch Tuesday. This gives you time to deploy the latest round of patches and ensures your devices are at their most current when the assessor conducts their scans.
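Three of the tips above are calendar arithmetic that is easy to get wrong by hand: finding Patch Tuesday (the second Tuesday of the month), deriving the review deadline and the two-to-three-week assessment window from it, and keeping a forward-looking end-of-life calendar. The script below does all three. It is an added example for this article, not code from the original page or from any vendor. Windows 10's end-of-support date of 14 October 2025 is Microsoft's published date; every other product name and date in the sample inventory is a constructed placeholder, and the 180-day planning lead time is an assumed value.

```python
import calendar
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's monthly security update day."""
    first = date(year, month, 1)
    days_to_first_tuesday = (calendar.TUESDAY - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(today: date) -> date:
    """The next Patch Tuesday on or after today, rolling into the next month if needed."""
    pt = patch_tuesday(today.year, today.month)
    if pt >= today:
        return pt
    year, month = (today.year + 1, 1) if today.month == 12 else (today.year, today.month + 1)
    return patch_tuesday(year, month)


def review_deadline(pt: date) -> date:
    """Standing task: review and deploy the month's updates within the following week."""
    return pt + timedelta(days=7)


def assessment_window(pt: date) -> tuple:
    """Earliest and latest dates to book the Plus assessment: 2 to 3 weeks after Patch Tuesday."""
    return (pt + timedelta(weeks=2), pt + timedelta(weeks=3))


def eol_watchlist(inventory: dict, today: date, lead_days: int = 180) -> list:
    """Products already out of support, or within the planning lead time, oldest first.
    inventory maps product name -> vendor end-of-support date."""
    rows = []
    for name, eol in sorted(inventory.items(), key=lambda kv: kv[1]):
        days_left = (eol - today).days
        if days_left < 0:
            rows.append((name, eol.isoformat(), days_left, "OUT OF SUPPORT: replace or remove from scope"))
        elif days_left <= lead_days:
            rows.append((name, eol.isoformat(), days_left, "plan migration"))
    return rows


# Windows 10 end of support is 14 October 2025 (Microsoft's published date); the
# other products and dates are constructed placeholders for this example.
SAMPLE_INVENTORY = {
    "Windows 10": date(2025, 10, 14),
    "Example LOB Application 4.x": date(2026, 1, 31),
    "Example Router Firmware 2.x": date(2025, 6, 30),
    "Example Office Suite 2024": date(2029, 10, 9),
}

if __name__ == "__main__":
    today = date(2025, 9, 1)  # constructed "today" for the demonstration
    pt = next_patch_tuesday(today)
    print("Next Patch Tuesday:", pt)
    print("Review and deploy by:", review_deadline(pt))
    print("Book Plus assessment between:", *assessment_window(pt))
    for row in eol_watchlist(SAMPLE_INVENTORY, today):
        print(row)
```

With the constructed inventory and a "today" of 1 September 2025, the watchlist flags the router firmware as already unsupported (63 days past its date), Windows 10 at 43 days to go, and the line-of-business application at 152 days, while the office suite is too far out to appear; that is the months of lead time the tip asks for, produced from the same inventory you maintain in Step 1.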

The Business Case for Proactive Patching

Beyond compliance, there is a compelling business case for investing in robust patch management. Cyber attacks cost UK businesses billions of pounds annually, and the reputational damage from a breach can be even more devastating than the direct financial impact.

The UK Government's Cyber Security Breaches Survey consistently finds that organisations with Cyber Essentials certification experience fewer successful attacks and recover more quickly when incidents do occur. Patch management is a key contributor to this resilience.

Furthermore, many UK public sector contracts now require Cyber Essentials certification as a minimum. For businesses that depend on government work, maintaining patching compliance is not just a security measure — it is a commercial imperative.

Insurance providers are also increasingly factoring cybersecurity posture into their risk assessments. Organisations with demonstrably strong patch management practices may benefit from lower cyber insurance premiums and more favourable policy terms.

Tools and Resources for UK Organisations

The NCSC provides a wealth of free resources to help UK organisations improve their patch management practices. Their 10 Steps to Cyber Security guidance includes detailed recommendations for vulnerability management, and their weekly threat reports highlight actively exploited vulnerabilities that should be prioritised for patching.

For organisations that lack in-house IT expertise, working with a managed service provider (MSP) that specialises in Cyber Essentials compliance can be transformative. A good MSP will handle patch management as part of a broader managed security service, ensuring that your organisation remains compliant without placing additional burden on your team.

Looking Ahead: Patching in an Evolving Landscape

The patching landscape continues to evolve. The increasing adoption of cloud services, containerised applications, and software-as-a-service platforms is shifting some of the patching responsibility from end-user organisations to service providers. However, this does not eliminate the organisation's obligation to ensure that the services they use are properly maintained — it simply changes the nature of the oversight required.

The Cyber Essentials scheme itself is updated periodically to reflect changes in the threat landscape and technology ecosystem. Staying informed about these updates and adjusting your patching strategy accordingly is essential for long-term compliance.

Patch management may not be the most glamorous aspect of cybersecurity, but it is arguably the most important. By building a structured, automated, and well-documented patching process, your organisation can meet its Cyber Essentials obligations with confidence and significantly reduce its exposure to the most common cyber threats facing UK businesses today.

Need Help with Cyber Essentials Plus?

Our team specialises in guiding UK organisations through the Cyber Essentials Plus certification process, including building robust patch management strategies that ensure ongoing compliance. Get in touch to discuss how we can help.

Tags: Cyber Essentials Plus, Patch Management, Software Updates
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.