Last Updated June 2026
Getting the preparation right for Cyber Essentials certification goes a long way to increasing the chances of success.
At Cyber Tec, our experience has shown that operating systems are frequently overlooked during this preparation, and that oversight can easily create big headaches later in the process.
The operating system is the foundation layer of any device.
It manages hardware, runs applications, controls user access, handles updates and acts as an integral component for security. If any operating system is unsupported, out of date or unmanaged, it can quickly leave your organisation exposed to known vulnerabilities that attackers understand how to exploit.
This is not a simple IT hygiene issue.
Companies need to ask four basic questions of their operating systems:
What is installed?
Is it supported?
Is it updated?
Can we evidence all of this clearly?
The answers to each of these create a stable framework to build upon as part of a cohesive Cyber Essentials strategy.
Cyber Essentials treats operating systems as part of your overall software estate. The NCSC Cyber Essentials requirements define software as including operating systems, commercial applications, scripts, libraries, network software and firmware.
This means that any of the operating systems in the table below is in scope whenever it runs on an in-scope device.
The practical requirement here is visibility.
The only way to keep that visibility auditable and current is an inventory that records each device, its operating system version, the vendor's support status, its update status, and any unsupported systems that still need remediation or segregation.
A supported operating system is one where the vendor still provides security updates or vulnerability fixes for the specific version in use.
An unsupported operating system may still turn on, run applications and appear normal to users. However, once it stops receiving security updates, newly discovered vulnerabilities stay unpatched. That creates both a security risk and a potential Cyber Essentials compliance issue.
Organisations should therefore maintain a clear record of operating system versions, support status and known end-of-life dates across all in-scope devices.
| Operating system | Common use | What to check for Cyber Essentials |
| --- | --- | --- |
| Windows | Laptops, desktops and servers | Exact version, edition, support status, patching records and Windows 10 transition plan |
| macOS | Macs and MacBooks | Supported macOS version and current security updates |
| Linux | Servers, workstations and appliances | Supported distribution/version and patching evidence |
| iOS / iPadOS | iPhones and iPads | Whether devices access organisational data or services, and whether updates are enforced |
| Android | Phones, tablets and rugged devices | Manufacturer/model support, as update availability varies across devices |
| ChromeOS | Chromebooks | Auto Update Expiration (AUE) date and whether updates are still available |
Your IT infrastructure is the ultimate target for cyber criminals.
Therefore, the key scoping test is not simply who owns the device, but whether the device can access your company data or services.
A company laptop, a remote worker's desktop and a personally owned tablet with work apps installed may all need to be considered. It is their ability to connect to an organisation's data that makes them potentially vulnerable, and they must be treated as in scope if they meet that criterion.
The issue of BYOD (Bring Your Own Device) is another common source of confusion in Cyber Essentials assessments. Every organisation should develop and maintain clear and actionable BYOD rules to clarify and monitor:
Which personal devices are permitted
What services they can access
Whether the device runs a supported operating system
Whether updates are enabled
It may also be advisable to establish whether the device requires controls such as screen locking, encryption, mobile device management or conditional access.
Real-World Examples:
A personal phone used only for MFA prompts may be out of scope as it acts only as an authentication device.
If that same phone is used to access work email, files or cloud applications such as Teams or SharePoint it is far more likely to fall within scope.
Cyber Essentials makes it clear that organisations must manage operating system updates properly. The official NCSC requirements state that all operating systems must be updated, including vulnerability fixes, within 14 days of the vendor releasing the update, where:
The update fixes vulnerabilities described by the vendor as 'critical' or 'high risk'
The vendor provides no details of the severity of the vulnerabilities that the update fixes
Note that the 14 days run from the vendor's release date, not from the date your organisation notices the update, and that the requirements also expect automatic updates to be enabled where possible. Automatic updates help meet the deadline but do not on their own prove it was met.
As ever, the detail and documentation are key.
In practice, businesses need to demonstrate a reliable patch management process for operating systems that can:
Identify relevant updates
Deploy them quickly
Produce evidence that every in-scope device is being kept up to date
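The inventory described above (device, OS version, support status, update status) and the 14-day rule are easy to state but fiddly to apply consistently across an estate, so here is an added example that checks both. This is illustrative code written for this page, not an NCSC or Cyber Tec tool: the device names, update identifiers and almost all dates in the sample inventory are constructed (Windows 10's end of support on 14 October 2025 is the one real date), and the set of vendor severity labels that start the 14-day clock is an assumption you should extend for your own vendors.

```python
"""Inventory check for Cyber Essentials: OS support status and the 14-day update rule.

The inventory at the bottom is constructed sample data, not a real estate.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW_DAYS = 14  # Cyber Essentials: install within 14 days of the vendor's release

# Assumed vendor labels that start the 14-day clock. "important" is Microsoft's
# name for its second-highest rating; add the labels your own vendors use.
TIME_BOUND_SEVERITIES = {"critical", "high", "high risk", "important"}


@dataclass
class Update:
    identifier: str
    released: date               # vendor release date, not the date you noticed it
    severity: Optional[str]      # vendor rating; None when the vendor publishes no detail
    installed: Optional[date]    # None when not yet applied


@dataclass
class Device:
    name: str
    os: str
    version: str
    end_of_support: Optional[date]  # None when nobody has recorded it (a finding in itself)
    updates: List[Update] = field(default_factory=list)


def is_time_bound(update: Update) -> bool:
    """The 14-day rule applies to critical/high updates and to updates with no vendor rating."""
    if update.severity is None:
        return True
    return update.severity.strip().lower() in TIME_BOUND_SEVERITIES


def update_status(update: Update, today: date) -> str:
    """One of: 'not time-bound', 'on time', 'late', 'pending', 'overdue'."""
    if not is_time_bound(update):
        return "not time-bound"
    deadline = update.released + timedelta(days=PATCH_WINDOW_DAYS)
    if update.installed is not None:
        return "on time" if update.installed <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def is_supported(device: Device, today: date) -> bool:
    """Supported means the vendor's end-of-support date is recorded and has not passed."""
    return device.end_of_support is not None and today <= device.end_of_support


def assess_device(device: Device, today: date) -> dict:
    """Collect the findings an assessor would ask about for one device."""
    findings = []
    if device.end_of_support is None:
        findings.append("support status not recorded; verify with the vendor")
    elif not is_supported(device, today):
        findings.append(f"unsupported: vendor support ended {device.end_of_support}")
    for u in device.updates:
        status = update_status(u, today)
        if status in ("late", "overdue"):
            sev = u.severity or "no vendor severity"
            findings.append(f"{u.identifier} {status} ({sev}, released {u.released})")
    return {"device": device.name, "os": f"{device.os} {device.version}",
            "supported": is_supported(device, today),
            "findings": findings, "compliant": not findings}


def assess_inventory(devices: List[Device], today: date) -> List[dict]:
    return [assess_device(d, today) for d in devices]


def noncompliant_devices(results: List[dict]) -> List[str]:
    return sorted(r["device"] for r in results if not r["compliant"])


# Constructed sample inventory: names, update identifiers and most dates are made up.
# Windows 10's end of support, 14 October 2025, is the real date.
TODAY = date(2026, 6, 1)
INVENTORY = [
    Device("LAPTOP-01", "Windows 11", "24H2", date(2027, 10, 12), [
        Update("KB-EXAMPLE-1", date(2026, 5, 12), "Critical", date(2026, 5, 20)),
        Update("KB-EXAMPLE-2", date(2026, 5, 14), None, None),   # no vendor rating, unpatched
    ]),
    Device("DESKTOP-07", "Windows 10", "22H2", date(2025, 10, 14)),
    Device("MAC-03", "macOS", "15", date(2027, 9, 30), [
        Update("MAC-EXAMPLE-1", date(2026, 5, 25), "Low", None),       # outside the rule
        Update("MAC-EXAMPLE-2", date(2026, 5, 29), "Critical", None),  # still within 14 days
    ]),
    Device("SRV-02", "Ubuntu", "22.04 LTS", date(2027, 4, 30), [
        Update("USN-EXAMPLE", date(2026, 4, 1), "High", date(2026, 4, 20)),  # applied on day 19
    ]),
]

if __name__ == "__main__":
    results = assess_inventory(INVENTORY, TODAY)
    for r in results:
        print(f"{r['device']:<11}{r['os']:<20}{'OK' if r['compliant'] else 'FAIL'}")
        for f in r["findings"]:
            print(f"    - {f}")
    print("Non-compliant:", ", ".join(noncompliant_devices(results)))
```

Two design choices are deliberate. An update with no vendor severity is treated as time-bound, because the requirement says so; and a device with no recorded end-of-support date is reported as a finding rather than assumed supported, because "unknown" is not evidence an assessor will accept. Run against the sample data, LAPTOP-01 fails on the unrated update that has sat unpatched past 14 days, DESKTOP-07 fails as unsupported Windows 10, SRV-02 fails because a high-severity fix was applied on day 19, and MAC-03 passes because its low-rated update is outside the rule and its critical one is still inside the window.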
Some organisations have legacy systems that can’t be upgraded easily such as:
Specialist software
Operational technology
Lab systems, manufacturing environments
Old servers or applications tied to older operating systems
These unsupported systems need a practical technical response with clear evidence; risk acceptance alone is not enough. Identify them early, before deciding whether to:
Each of these options can be modelled and investigated well before the assessment, so that the business impact and the resources required are understood in advance.
Windows 10 is now a live compliance issue for many organisations as support officially ended in October 2025. Businesses still using Windows 10 should review affected devices and decide whether to upgrade, replace older hardware or use Microsoft’s Extended Security Updates route where appropriate.
For Cyber Essentials, this may mean removing Windows 10 devices from organisational use and segregating systems that cannot be upgraded.
As ever, documenting a full remediation plan before assessment is how you show that you have identified the issue and recognised the need for change.
Tackling some of the most popular misconceptions is a rapid and simple way to stress test your Cyber Essentials preparation.
Here is a collection of what the Cyber Tec team hears most often:
“The OS is fine if the device still works”
“Automatic updates prove compliance”
“Our IT provider handles updates, so we do not need evidence”
“BYOD is always out of scope”
“A personal phone used only for MFA is basically a work device”
“Our ChromeOS devices are always compliant because they update automatically”
“Legacy systems can stay if the business accepts the risk”
The answer in each case is the same:
Cyber Essentials looks for supported, updated and properly managed systems, backed by evidence. A device that still works, an enabled auto-update setting or an outsourced IT provider does not, on its own, demonstrate any of that.
This evidence means that organisations should be ready to provide:
An up-to-date asset inventory
Operating system names and versions
Support status for each OS version
Patch and update policies
Patch deployment or MDM reports
BYOD policy and device access rules
Records of unsupported or legacy systems
Cyber Tec has over 30 years of experience helping businesses with their cybersecurity. We can help with the full Cyber Essentials certification journey through:
Assessing your current environments
Identifying unsupported operating systems on your business's devices
Reviewing update processes
Preparing evidence
Remediating issues before assessment
Contact the team today to start your cyber resilience journey.