Patch management that meets the 14-day requirement.
Patch management is the fifth Cyber Essentials control. It requires all software and devices to be patched within 14 days of a security update being released. IP Four audits your patch status, applies outstanding updates, and sets up automated patching to keep you compliant.
100%
First-Time Pass Rate
14 Days
Patch Requirement Met
500+
UK Businesses Certified
5
Controls Covered End-to-End
Patch management capabilities for Cyber Essentials compliance.
Patch Status Assessment
Audit all in-scope devices and software to identify outstanding patches, end-of-life software, and systems not meeting the 14-day requirement.
Automated Patch Deployment
Configure automated patching for operating systems and applications using Windows Update, Intune, WSUS, or third-party patch management tools.
Third-Party Application Patching
Extend patch management beyond the operating system to cover browsers, productivity suites, and other third-party applications in scope.
End-of-Life Software Removal
Identify and remove or replace software that is no longer supported by the vendor and therefore cannot receive security patches.
Patch Compliance Reporting
Implement patch compliance reporting to provide ongoing visibility of patch status across all in-scope devices and applications.
Patch Evidence Documentation
Produce patch status reports, update history exports, and policy documentation as assessor-ready evidence for Cyber Essentials.
Our patch management process.
Patch Audit
Scan all in-scope devices and applications to identify outstanding patches, unsupported software, and systems failing the 14-day requirement.
Gap Report
Produce a prioritised report of patch gaps, end-of-life software, and systems requiring immediate remediation before assessment.
Immediate Remediation
Apply outstanding patches and updates across all in-scope devices to bring the environment into compliance before the assessment window.
Automated Patching Setup
Configure automated patching processes to ensure ongoing compliance with the 14-day requirement after certification.
Evidence Gathering
Capture patch compliance reports, Windows Update history, and policy configurations as assessor-ready evidence.
Certification Submission
Submit patch management evidence as part of the Cyber Essentials application and support the assessor through review.
Patch compliance delivered across the UK.
Challenge: A 40-person law firm had devices running Windows 10 with patches several months out of date and multiple applications including Adobe Reader and Chrome with known vulnerabilities.
Outcome: IP Four deployed patches across all devices, configured Windows Update for automatic installation, and set up a patch compliance dashboard. The firm passed Cyber Essentials within four weeks.
Challenge: A medical device supplier needed Cyber Essentials to maintain their NHS supply chain contract but had a mix of Windows 10 and Windows 11 devices with inconsistent update policies.
Outcome: IP Four standardised patch management via Intune, applied all outstanding updates, and produced a patch compliance report. The supplier achieved certification and retained their contract.
Challenge: A Welsh charity had several devices running end-of-life Windows 10 versions and no formal patch management process, creating a significant gap against the Cyber Essentials standard.
Outcome: IP Four upgraded devices to supported Windows versions, implemented automatic updates, and removed end-of-life applications. The charity achieved Cyber Essentials certification in five weeks.
Ready to meet the 14-day patch requirement and achieve certification?
We start with a free patch audit to identify exactly where you stand. From there, we apply outstanding patches, set up automated patching, and manage the process to certification.