Security Update Management for Cyber Essentials
Cyber Essentials requires software to be supported and up to date, with high/critical vulnerabilities (CVSS ≥ 7) patched within 14 days. IsItPatched delivers exactly that from an SBOM: a software inventory, the known and actively-exploited CVEs, which of them are high/critical, the minimum safe version, and end-of-life flags (unsupported software fails the scheme).
1046 actively-exploited CVEs across 613 tracked products right now
Built for UK organisations certifying
SMEs & first-timers
The free, practical way to evidence Security Update Management without a heavyweight tool.
Suppliers to government
Cyber Essentials is required for many UK public-sector contracts. Show your software is supported and promptly patched.
Assessors & IT teams
A clean software inventory, the high/critical vulnerabilities on the 14-day clock, and end-of-life flags.
Cyber Essentials → what IsItPatched gives you
Supported software
Scan a CycloneDX/SPDX SBOM and see which components are end-of-life — unsupported software is an automatic fail.
End-of-life calendar →
The 14-day vulnerabilities
We flag the high & critical (CVSS ≥ 7) and actively-exploited CVEs — the ones Cyber Essentials puts on a 14-day patch clock.
See actively-exploited CVEs →
The fix to apply
The minimum safe version for each component, so you know exactly what to update to.
Scan an SBOM →
Evidence
Export a risk register and VEX as your Security Update Management record.
Open your dashboard →
Export your evidence — today, free
- Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
- CycloneDX VEX document (exploitability + remediation per component)
- Software risk register (CSV / print-to-PDF) citing the exact versions you run
- A prioritised, known-exploited-first patch queue — your Security Update Management record
Sign in (free, no password) to sync your component stack and generate these from your dashboard.
Straight with you: Cyber Essentials has five controls — firewalls, secure configuration, user access control and malware protection alongside Security Update Management. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with the Security Update Management control specifically. It is not a certifying body, not a certification, and not legal advice.
Cyber Essentials — frequently asked
What is Cyber Essentials?
Cyber Essentials is the UK government-backed certification scheme (run by the NCSC and delivered by IASME) built on five technical controls: firewalls, secure configuration, user access control, malware protection, and Security Update Management. The Security Update Management control requires that software is supported, licensed and kept up to date — and that high-risk or critical vulnerabilities (CVSS v3 base score 7 or above) are patched or mitigated within 14 days of a fix being released.
How does IsItPatched help with Cyber Essentials?
It supports the Security Update Management control: scan a CycloneDX/SPDX SBOM to inventory your software, identify known and actively-exploited (CISA KEV) vulnerabilities, see which are high/critical (the 14-day ones) and the minimum safe version to reach, and flag end-of-life software that is no longer supported (a Cyber Essentials failure). Export the evidence for your assessor.
Does IsItPatched make us Cyber Essentials certified?
No. Certification (self-assessed for Cyber Essentials, audited for Cyber Essentials Plus) covers all five controls — firewalls, configuration, access control and malware protection too. IsItPatched helps with the Security Update Management control specifically. It is informational, built on public data — not a certifying body and not legal advice.