Cyber Essentials Update: Stronger Focus on "Vulnerability Fixes" in Security Update Management
Cyber Essentials version Willow has introduced a small but important change in the way updates are understood and assessed. This change reflects a sharper focus on securing systems and minimising risk from vulnerabilities.
What’s Changed?
In the Willow version, references to general “updates” have been replaced with the term “vulnerability fixes”. This shift ensures that organisations pay attention specifically to updates that address security flaws, rather than routine or optional software enhancements.
Why It Matters - Understanding Vulnerability Fixes
Not every software update is about fixing security issues—some just improve performance or add new features. But when updates fix known weaknesses that hackers could exploit, they’re essential to apply promptly.
Previously, Cyber Essentials focused on what were known as “patchable vulnerabilities”—security flaws that had a software update (or patch) available to fix them.
Now, the requirements have become stricter. From April 2025, under the new Willow specification, all vulnerabilities rated as high or critical risk must be resolved within 14 days of a fix being released—regardless of whether the fix is a patch, a configuration change, or another action recommended by the vendor.
These high and critical vulnerabilities are typically identified using the Common Vulnerability Scoring System (CVSS) version 3.1. Any vulnerability with a CVSS v3.1 base score of 7.0 or above is considered serious and must be addressed within the 14-day window.
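The 14-day rule above is easy to state but easy to track wrongly: the clock starts when the vendor releases the fix, not when the vulnerability is discovered, and the fix may be a patch, a configuration change, or another vendor-recommended action. The following tracker is an added example written for this page, not code from the Cyber Essentials scheme or from Meta Defence Labs. The 7.0 threshold and the 14-day window come from the text; the asset names, VULN-* identifiers and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds taken from the Willow requirement described on the page.
CVSS_HIGH_THRESHOLD = 7.0      # CVSS v3.1 base score at which the rule applies
REMEDIATION_WINDOW_DAYS = 14   # days allowed from the vendor fix being released


@dataclass
class Finding:
    asset: str
    vuln_id: str                    # constructed placeholder, not a real CVE
    cvss_v31: float                 # CVSS v3.1 base score
    fix_released: Optional[date]    # None: vendor has not yet published a fix
    fix_type: str                   # "patch", "configuration" or "vendor-action"
    remediated: Optional[date]      # None: fix not yet applied


def in_scope(f: Finding) -> bool:
    """The 14-day rule applies only to high/critical findings (CVSS >= 7.0)."""
    return f.cvss_v31 >= CVSS_HIGH_THRESHOLD


def deadline(f: Finding) -> Optional[date]:
    """Deadline is counted from the fix release date, not from discovery."""
    if not in_scope(f) or f.fix_released is None:
        return None
    return f.fix_released + timedelta(days=REMEDIATION_WINDOW_DAYS)


def status(f: Finding, today: date) -> str:
    """Classify one finding against the 14-day requirement."""
    if not in_scope(f):
        return "out-of-scope"
    if f.fix_released is None:
        # Clock has not started; keep watching vendor guidance for a fix.
        return "awaiting-fix"
    due = deadline(f)
    if f.remediated is not None:
        return "compliant" if f.remediated <= due else "late"
    return "overdue" if today > due else "open"


def report(findings, today: date) -> dict:
    """Map 'asset:vuln_id' to its compliance status as of `today`."""
    return {f"{f.asset}:{f.vuln_id}": status(f, today) for f in findings}


# Constructed sample inventory; every fix type counts, not only patches.
SAMPLE = [
    Finding("web01", "VULN-A", 9.8, date(2025, 5, 10), "patch", date(2025, 5, 20)),
    Finding("web01", "VULN-B", 8.1, date(2025, 5, 10), "configuration", None),
    Finding("db01", "VULN-C", 7.5, date(2025, 5, 25), "vendor-action", None),
    Finding("db01", "VULN-D", 5.3, date(2025, 5, 1), "patch", None),
    Finding("mail01", "VULN-E", 9.0, None, "patch", None),
    Finding("mail01", "VULN-F", 7.0, date(2025, 5, 1), "patch", date(2025, 5, 20)),
]

if __name__ == "__main__":
    for key, state in report(SAMPLE, date(2025, 6, 1)).items():
        print(f"{key:16} {state}")
```

Run against the sample as of 1 June 2025, VULN-B is overdue (configuration fix released 10 May, never applied) and VULN-F is late (applied five days after its deadline) even though both are "only" high rather than critical; VULN-E is awaiting a fix, so no deadline exists yet. A real deployment would replace SAMPLE with the output of your scanner or asset inventory.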
This update to the Cyber Essentials scheme helps ensure organisations can react quickly to the most serious cyber threats—even when no patch has been issued yet. Staying on top of vendor guidance and acting quickly is now a key part of remaining compliant and protecting your organisation. This is why you need our world-class vulnerability management programme.
What You Need to Do - Talk to Meta Defence Labs! :D
As part of the certification:
Question A6.3 requires applicants to confirm whether any in-scope software or cloud services are unsupported.
If the answer is yes, you must now list these items clearly in A6.3.1.
You need to show how your organisation applies vulnerability fixes, especially if you're not using auto-updates.
Keeping Your Answers Compliant
To stay within the scheme’s requirements:
Ensure all operating systems and applications are supported by the vendor.
Remove or isolate any unsupported software or systems from the assessment scope.
Document clear processes for identifying and applying security-related updates (vulnerability fixes).
Regularly review your environment for software and devices that may become unsupported.
This update helps organisations stay better protected against cyber threats by ensuring the focus is on timely and effective remediation of security vulnerabilities.
If you would like to understand how to manage this requirement, talk to us at Meta Defence Labs Ltd and we can guide you.