# 5. Security Update Management

The goal of this control is to ensure that devices remain up to date to mitigate the latest threats.

This control expects organisations to ensure all software on all devices is:

* Licensed and supported.
* Removed from devices when it becomes unsupported or is removed from scope.
* Configured with automatic updates enabled where possible.
* Updated within 14 days of a patch release in cases where:
  * The update fixes vulnerabilities considered 'critical' or 'high risk'.
  * The update addresses vulnerabilities with a CVSS v3 score of 7 or above.
  * The vendor provides no details of the level of vulnerabilities the update fixes.
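
The 14-day rule above can be checked mechanically against a patch inventory. The following is an added example, not part of the scheme's own tooling; the record fields, the severity label spellings and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)      # "within 14 days of a patch release"
CVSS_THRESHOLD = 7.0                   # "CVSS v3 score of 7 or above"
URGENT_LABELS = {"critical", "high", "high risk"}  # assumed label spellings

@dataclass
class Update:
    device: str
    software: str
    released: date
    vendor_severity: Optional[str] = None  # vendor's label, if published
    cvss_v3: Optional[float] = None        # vendor or NVD score, if published
    installed: Optional[date] = None       # None means not yet applied

def in_14_day_scope(u: Update) -> Optional[str]:
    """Return why the 14-day rule applies to this update, or None if it does not."""
    label = (u.vendor_severity or "").strip().lower()
    if label in URGENT_LABELS:
        return f"vendor severity {label}"
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return f"CVSS v3 {u.cvss_v3}"
    if not label and u.cvss_v3 is None:
        return "no severity details from vendor"  # unknown is treated as urgent
    return None

def overdue(updates, today: date):
    """List (device, software, reason, days_late) for updates outside the window."""
    findings = []
    for u in updates:
        reason = in_14_day_scope(u)
        if reason is None:
            continue
        deadline = u.released + PATCH_WINDOW
        applied = u.installed or today  # still missing: measure lateness to today
        if applied > deadline:
            findings.append((u.device, u.software, reason, (applied - deadline).days))
    return findings

# Constructed sample inventory (hypothetical devices and packages).
TODAY = date(2024, 3, 20)
SAMPLE = [
    Update("lt-01", "browser", date(2024, 3, 1), "Critical", 9.8, date(2024, 3, 10)),
    Update("lt-02", "browser", date(2024, 3, 1), "Critical", 9.8),
    Update("srv-01", "pdf-reader", date(2024, 3, 4)),
    Update("srv-02", "editor", date(2024, 3, 1), "Low", 3.1),
    Update("lt-03", "vpn-client", date(2024, 3, 6), "Moderate", 7.0, date(2024, 3, 20)),
]
if __name__ == "__main__":
    for finding in overdue(SAMPLE, TODAY):
        print(finding)
```

An update installed on day 14 exactly (`lt-03`) is within the window, and an update with no published severity (`srv-01`) is held to the same deadline as a critical one.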
