Updates | Medium priority

Establish a patch management process for your business

Create a documented process to ensure all business devices and software are patched within 14 days of a critical update being released.

Why this matters

The Cyber Essentials standard requires critical and high severity patches to be applied within 14 days. A documented process makes this repeatable and auditable.

How to do it

  1. List all software and operating systems used in your business
  2. Assign someone responsibility for monitoring vendor security bulletins
  3. Define a policy: critical patches applied within 14 days, others within 30
  4. Use Windows Update for Business or a patch management tool for scale
  5. Review the patch status monthly and document it
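
An added example, not part of the original page: a Python script for the monthly review in step 5 that checks a patch inventory against the deadlines from step 3. The CSV columns, device names and dates are constructed for illustration, and treating high severity the same as critical is an assumption taken from the Cyber Essentials requirement quoted above.

```python
import csv
import io
from datetime import date, timedelta

# Deadlines in days: 14 for critical/high, 30 for everything else (step 3).
SLA_DAYS = {"critical": 14, "high": 14}
DEFAULT_SLA_DAYS = 30

# Constructed sample inventory; in practice, export this from your patch tool.
SAMPLE_CSV = """device,software,severity,released,installed
LAPTOP-01,Windows 11,critical,2024-05-14,2024-05-20
LAPTOP-02,Windows 11,critical,2024-05-14,
PC-03,PDF reader,high,2024-05-01,2024-05-20
PC-03,Office suite,medium,2024-05-10,
SRV-01,Backup agent,low,2024-04-01,2024-05-15
"""


def review(csv_text, today):
    """Return one row per patch with its deadline and a status for the record."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        released = date.fromisoformat(rec["released"])
        sla = SLA_DAYS.get(rec["severity"].strip().lower(), DEFAULT_SLA_DAYS)
        deadline = released + timedelta(days=sla)
        installed = date.fromisoformat(rec["installed"]) if rec["installed"] else None
        if installed is not None:
            # Patched: was it inside the policy window?
            status = "compliant" if installed <= deadline else "patched late"
        else:
            # Not yet patched: still inside the window, or past it?
            status = "pending" if today <= deadline else "OVERDUE"
        rows.append({**rec, "deadline": deadline.isoformat(), "status": status})
    return rows


if __name__ == "__main__":
    # Print the table to file with this month's review notes.
    for r in review(SAMPLE_CSV, date(2024, 5, 30)):
        print(f'{r["device"]:<10} {r["software"]:<13} {r["severity"]:<9} '
              f'due {r["deadline"]}  {r["status"]}')
```

Keeping each month's output alongside the inventory gives the documented, auditable record the process calls for.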

Cyber Essentials framework

This task falls under the Updates control — one of five areas assessed in the UK's Cyber Essentials scheme. Completing it counts toward your Cyber Essentials alignment.
