Do work computers and phones get OS / app security updates promptly?
Demonstrate that the organization deploys operating system and application security updates to work computers and mobile devices within documented timeframes and maintains evidence of patch compliance across the endpoint fleet.
Description
What this control does
This control ensures that operating systems and applications on organizational endpoints (workstations, laptops, mobile devices) receive security patches and updates within defined timeframes after vendor release. It typically relies on automated patch management systems that inventory devices, assess patch status, deploy updates in phases (testing, then production), and report compliance. Prompt patching shortens the window of exposure to known vulnerabilities that attackers actively exploit, particularly high-severity flaws and those already under exploitation when the vendor advisory is published.
Control objective
What auditing this proves
Demonstrate that the organization deploys operating system and application security updates to work computers and mobile devices within documented timeframes and maintains evidence of patch compliance across the endpoint fleet.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed vulnerabilities with available patches, allowing remote code execution or privilege escalation on unpatched endpoints
- Ransomware propagation leveraging known OS vulnerabilities that remain unpatched beyond the exploit window
- Lateral movement by threat actors who compromise one unpatched device and pivot to others with identical unmitigated vulnerabilities
- Data exfiltration through vulnerable applications that lack security updates addressing authentication bypass or information disclosure flaws
- Non-compliance with regulatory or contractual obligations requiring timely patch application (e.g., PCI DSS, HIPAA)
- Business disruption from widespread endpoint compromise due to delayed patching during active exploitation campaigns
- Loss of vendor support and security intelligence when endpoints run unsupported OS versions that no longer receive updates
Testing procedure
How an auditor verifies this control
- Obtain the organization's patch management policy and identify documented timelines for deploying critical, high, moderate, and low-severity updates to endpoints.
- Request an inventory export from the endpoint management or mobile device management (MDM) platform showing all active workstations and mobile devices under management.
- Select a stratified random sample of at least 25 endpoints across device types (Windows workstations, macOS laptops, iOS devices, Android devices) and business units.
- For each sampled endpoint, review the patch assessment report or agent console showing installed OS version, last patch scan date, and pending/missing security updates.
- Compare the installed patch levels against the vendor's current security bulletins to identify any missing critical or high-severity updates whose vendor release date is older than the policy-defined deployment interval.
- Review patch deployment logs or change tickets for the most recent critical vulnerability (e.g., within the last 90 days) to verify the timeline from vendor release to production deployment.
- Interview IT operations staff to understand the testing and approval process, rollback procedures, and handling of out-of-band emergency patches.
- Examine exception or waiver records for any endpoints granted temporary exemptions from patching requirements, validating compensating controls and approval authority.
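The timeline comparison in the steps above, worked as a script; this is added example code, not part of the control page or of any endpoint management product. It assumes a constructed inventory export (device, platform, advisory, severity, vendor release date, install date), assumed SLA days per severity, and an approved-waiver list, and reports which sampled endpoints exceed the policy interval.

```python
"""Patch-SLA compliance check over an endpoint inventory export (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum days from vendor release to deployment, per severity. These values are
# assumed for the example; substitute the organization's documented policy.
SLA_DAYS = {"critical": 7, "high": 14, "moderate": 30, "low": 90}


@dataclass
class PatchRecord:
    device: str                 # endpoint identifier from the MDM/endpoint inventory
    platform: str               # Windows, macOS, iOS, Android
    advisory: str               # vendor bulletin id (constructed, not real)
    severity: str               # critical / high / moderate / low
    released: date              # vendor release date from the security bulletin
    installed: Optional[date]   # None means the update is still missing


def days_exposed(rec, as_of):
    """Days from vendor release to install, or to `as_of` if still missing."""
    return ((rec.installed or as_of) - rec.released).days


def is_within_sla(rec, as_of):
    return days_exposed(rec, as_of) <= SLA_DAYS[rec.severity.lower()]


def evaluate(records, as_of, waivers=frozenset()):
    """Return (breaches, waived, fleet compliance ratio); a device breaches if any
    record exceeds its SLA, unless it holds an approved waiver (reported apart)."""
    breaches, waived = {}, {}
    for rec in records:
        if is_within_sla(rec, as_of):
            continue
        bucket = waived if rec.device in waivers else breaches
        bucket.setdefault(rec.device, []).append(rec.advisory)
    devices = {rec.device for rec in records}
    ratio = 1 - len(breaches) / len(devices) if devices else 1.0
    return breaches, waived, ratio


# Constructed sample inventory; device names and advisory ids are not real.
AS_OF = date(2024, 6, 1)
SAMPLE = [
    PatchRecord("WS-001", "Windows", "ADV-0001", "critical", date(2024, 5, 1), date(2024, 5, 5)),
    PatchRecord("WS-002", "Windows", "ADV-0001", "critical", date(2024, 5, 1), None),
    PatchRecord("MAC-001", "macOS", "ADV-0002", "high", date(2024, 5, 10), date(2024, 5, 20)),
    PatchRecord("MAC-001", "macOS", "ADV-0003", "moderate", date(2024, 4, 1), date(2024, 5, 15)),
    PatchRecord("IOS-001", "iOS", "ADV-0004", "critical", date(2024, 5, 20), None),
    PatchRecord("AND-001", "Android", "ADV-0005", "low", date(2024, 3, 15), None),
]
```

Waived devices still appear in the output so the auditor can tie each one back to an approval record and its compensating controls, as the final step requires.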