> series: cyber_essentials_demystified —— part: 05/10 —— control: security_updates —— warning: auto_fail_active
Security update management has always been part of Cyber Essentials. What has changed under Danzell is the consequence of getting it wrong. Two new questions — A6.4 and A6.5 — are designated as automatic-failure questions. If you cannot demonstrate that all high-risk and critical security updates are applied within 14 days of release, you fail the assessment automatically. No compensating controls. No partial credit. No second chance within that assessment cycle.
This is arguably the most impactful change in the Danzell update, because it transforms patching from a best-practice recommendation into a hard, binary requirement. For organisations with disciplined patch management, this changes nothing. For organisations that rely on 'we update when we get around to it' — and there are far more of these than the industry admits — this is a wake-up call.
We handle the Cyber Essentials process end to end — from gap analysis to certification.
Start Your Certification

| Question | Scope | Consequence |
|---|---|---|
| A6.4 | All high-risk or critical security updates and vulnerability fixes for operating systems, and for router and firewall firmware, must be installed within 14 days of release. | Automatic failure if not met. No exceptions, no compensating controls. |
| A6.5 | All high-risk or critical security updates and vulnerability fixes for applications, including associated files and browser extensions, must be installed within 14 days of release. | Automatic failure if not met. This explicitly includes browser extensions — a detail many organisations overlook. |
The 14-day window begins from the date the vendor releases the update — not from the date your organisation becomes aware of it. This means you need a proactive process for identifying when updates are released, not a reactive process that waits for something to break. For most SMEs, enabling automatic updates is the simplest and most reliable way to meet this requirement.
Software that is no longer supported by its vendor — meaning the vendor no longer releases security updates for it — cannot meet the patching requirement by definition. If you cannot patch it, you cannot be compliant. Under Danzell, unsupported software must be removed from scope entirely.
Windows 10 reached end of support in October 2025. Any device still running Windows 10 without an Extended Security Update (ESU) agreement will cause an automatic failure. Similarly, older versions of Microsoft Office, outdated PHP or Java runtimes, and legacy applications running on unsupported frameworks all fall into this category. Audit your estate for end-of-life software before you begin your assessment.
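The two checks above, the 14-day clock counted from vendor release rather than from discovery, and the removal of out-of-support software, are mechanical enough to script against a patch inventory. The following is an added example, not code from this article, from IASME or from any certification body. It assumes a small inventory structure (hostname, OS, whether an ESU agreement exists, and per-device pending updates with their vendor release and install dates) that you would normally export from an RMM or patch-management tool; the hostnames, the `KB-EXAMPLE-*` identifiers and the fixed `TODAY` date are constructed. The only end-of-support date included is Windows 10's (14 October 2025); adding others would be an assumption.

```python
"""Added example: 14-day patch-window and end-of-support check over a device inventory.

Illustrative only; not the article's or any assessor's tooling. Inventory is constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW_DAYS = 14                       # A6.4 / A6.5 window, counted from vendor release
AUTO_FAIL_SEVERITIES = {"critical", "high"}  # only these severities trigger the automatic failure

# Vendor end-of-support dates. Windows 10's is a known date; nothing else is assumed here.
END_OF_SUPPORT = {"Windows 10": date(2025, 10, 14)}


@dataclass
class Update:
    name: str
    severity: str
    released: date                      # vendor release date: the 14-day clock starts here,
    installed: Optional[date] = None    # not on the day the organisation noticed the update


@dataclass
class Device:
    hostname: str
    os_name: str
    esu: bool = False                   # Extended Security Update agreement in place
    updates: list = field(default_factory=list)


def deadline(update: Update) -> date:
    """Last day on which an install still counts as 'within 14 days of release'."""
    return update.released + timedelta(days=PATCH_WINDOW_DAYS)


def is_unsupported(device: Device, today: date) -> bool:
    """True when the vendor no longer ships fixes and no ESU agreement covers the device."""
    eos = END_OF_SUPPORT.get(device.os_name)
    return eos is not None and today > eos and not device.esu


def assess_device(device: Device, today: date) -> list:
    """Return the automatic-failure findings for one device (an empty list means compliant)."""
    findings = []
    if is_unsupported(device, today):
        findings.append(f"{device.hostname}: {device.os_name} is out of support with no ESU; "
                        "remove it from scope before assessment")
    for u in device.updates:
        if u.severity.lower() not in AUTO_FAIL_SEVERITIES:
            continue  # lower severities are good practice but are not an auto-fail question
        due = deadline(u)
        if u.installed is None and today > due:
            findings.append(f"{device.hostname}: {u.name} ({u.severity}) not installed, "
                            f"{(today - due).days} day(s) past the 14-day deadline of {due}")
        elif u.installed is not None and u.installed > due:
            findings.append(f"{device.hostname}: {u.name} ({u.severity}) installed on "
                            f"{u.installed}, {(u.installed - due).days} day(s) late")
    return findings


def assess_estate(devices: list, today: date) -> dict:
    """Map every hostname to its findings; the estate passes only when every list is empty."""
    return {d.hostname: assess_device(d, today) for d in devices}


def estate_passes(devices: list, today: date) -> bool:
    """One failing device is enough for an automatic failure across the whole estate."""
    return all(not f for f in assess_estate(devices, today).values())


# Constructed sample inventory (not real hosts). TODAY is fixed so the result is reproducible.
TODAY = date(2026, 3, 20)
SAMPLE_ESTATE = [
    Device("LAPTOP-01", "Windows 11", updates=[
        Update("KB-EXAMPLE-A", "critical", released=date(2026, 3, 1), installed=date(2026, 3, 10)),
    ]),
    Device("WS-02", "Windows 11", updates=[
        Update("KB-EXAMPLE-A", "critical", released=date(2026, 3, 1)),  # still missing, deadline 15 March
        Update("KB-EXAMPLE-B", "medium", released=date(2026, 2, 1)),    # missing, but not an auto-fail
    ]),
    Device("WS-03", "Windows 10"),                                        # out of support, no ESU
    Device("WS-04", "Windows 10", esu=True, updates=[
        Update("KB-EXAMPLE-C", "high", released=date(2026, 3, 12)),     # deadline 26 March: not yet overdue
    ]),
]

if __name__ == "__main__":
    for host, findings in assess_estate(SAMPLE_ESTATE, TODAY).items():
        print(host, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   ", f)
    print("Estate result:", "PASS" if estate_passes(SAMPLE_ESTATE, TODAY) else "AUTOMATIC FAILURE")
```

Run against the sample estate, WS-02 is reported five days past its deadline and WS-03 is reported as out of support, so the estate result is an automatic failure even though two of four devices are clean. The check deliberately keys on the vendor's release date rather than on a "first seen" date, because that is how the 14-day window is measured; a patch-management feed that only records when your tooling detected the update will make your position look better than it is.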
IASME's audits have identified a practice where organisations apply updates only to the specific devices selected in the CE Plus random sample — rather than across their entire estate. The Danzell update addresses this directly with a revised sampling process.
Under the new CE Plus rules, if the initial random device sample fails due to missing updates, remediation is required. But the retest now covers both the original sample and a new random sample of different devices. This means you cannot fix just the devices the assessor checked — the second sample tests whether updates have been applied across the whole estate. A second failure results in revocation of the verified self-assessment certificate — meaning you lose your CE as well as failing CE Plus.
The 14-day patching requirement applies continuously — not just at assessment time. Under Danzell, the director declaration includes a commitment to maintain Cyber Essentials controls throughout the certification period. An organisation that patches everything before the assessment and then stops patching for the remaining eleven months is not compliant — and if a breach occurs during that period, the certification provides no protection.
For continuous patching visibility, SOC in a Box monitors your environment 24/7 and flags devices that are falling behind on updates — providing the ongoing assurance that point-in-time assessments cannot. Combined with our vulnerability scanning service, this creates a continuous compliance posture that satisfies both the letter and the spirit of the requirement.
Next week, we cover Control 4 — User Access Control. This is the second control with automatic-failure implications under Danzell, driven by the mandatory MFA requirement for all cloud services. We cover what counts as a cloud service, what counts as MFA, and how to audit your estate to ensure every service is compliant before you open your assessment account.
Our [vulnerability scanning service](/vulnerability-scanning) identifies missing patches across your entire estate — giving you a clear picture of your compliance position before you begin your Cyber Essentials assessment. Combined with our [Concierge service](/cyber-essentials/concierge), we identify, remediate, and certify in a single engagement.