5. Security Update Management

The goal of this control is to ensure that devices remain up to date to mitigate the latest threats.

This control expects organisations to ensure all software on all devices is:

  • Licensed and supported.

  • Removed from devices when it becomes unsupported or removed from scope.

  • Configured with automatic updates enabled where possible.

  • Updated within 14 days of a patch release in cases where:

    • The update fixes vulnerabilities considered 'critical' or 'high risk'.

    • The update addresses vulnerabilities with a CVSS v3 score of 7 or above.

    • The vendor provides no details of the level of vulnerabilities the update fixes.
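
The 14-day rule above can be checked against a list of updates that are still not installed. The following is an added example, not part of the original control text; the PendingUpdate record, its field names and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)                 # window stated in the control
URGENT_LABELS = {"critical", "high", "high risk"}  # vendor ratings, lower-cased
CVSS_THRESHOLD = 7.0                              # CVSS v3 score of 7 or above

@dataclass
class PendingUpdate:                # hypothetical record for an uninstalled patch
    device: str
    software: str
    released: date                  # date the vendor released the patch
    vendor_severity: Optional[str]  # None when the vendor gives no rating
    cvss_v3: Optional[float]        # None when no score is published
    supported: bool = True          # False once vendor support has ended

def in_14_day_scope(u: PendingUpdate) -> bool:
    """True when any of the three conditions in the control applies."""
    label = (u.vendor_severity or "").strip().lower()
    if label in URGENT_LABELS:
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True
    # No rating and no score: severity is unknown, so the 14-day rule applies.
    return not label and u.cvss_v3 is None

def assess(u: PendingUpdate, today: date) -> str:
    """Return a finding for one update that is still not installed."""
    if not u.supported:
        return "REMOVE: unsupported software"
    if not in_14_day_scope(u):
        return "OK: outside 14-day rule"
    deadline = u.released + PATCH_WINDOW
    if today > deadline:
        return f"OVERDUE by {(today - deadline).days} days"
    return f"DUE in {(deadline - today).days} days"

# Constructed sample inventory: hostnames, products and dates are made up.
SAMPLE = [
    PendingUpdate("lap-01", "browser", date(2024, 3, 1), "Critical", 9.8),
    PendingUpdate("lap-02", "pdf-reader", date(2024, 3, 10), "Moderate", 7.0),
    PendingUpdate("srv-01", "vpn-client", date(2024, 3, 2), None, None),
    PendingUpdate("lap-03", "editor", date(2024, 2, 1), "Low", 3.1),
    PendingUpdate("srv-02", "legacy-db", date(2023, 1, 1), "High", 8.1, False),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u.device, u.software, assess(u, date(2024, 3, 20)))
```

The vpn-client entry is the case most often missed: with no vendor rating and no CVSS score it still falls under the 14-day window.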
