Skip to main content
← All controls
CIS-7.3 / SI-2 / A.12.6.1 CIS Controls v8

Is patching automated for routine OS/software updates?

Demonstrate that routine OS and software updates are deployed automatically through configured patch management systems with minimal manual intervention.

Description

What this control does

This control ensures that operating system and application software patches are deployed automatically through enterprise patch management systems, reducing manual intervention and time-to-patch for routine, non-critical updates. Automated patching leverages pre-approved update policies, scheduled maintenance windows, and rollback capabilities to maintain current patch levels across endpoints, servers, and infrastructure. This control mitigates exposure windows between vulnerability disclosure and remediation by eliminating human delay in deploying vendor-released security updates.

Control objective

What auditing this proves

Demonstrate that routine OS and software updates are deployed automatically through configured patch management systems with minimal manual intervention.

Associated risks

Risks this control addresses

  • Exploitation of publicly disclosed vulnerabilities due to delayed manual patching cycles
  • Inconsistent patch deployment across endpoints creating pockets of vulnerable systems attackers can target
  • Human error or resource constraints causing indefinite deferral of critical security updates
  • Mass exploitation during vulnerability disclosure periods before manual patch approval processes complete
  • Privilege escalation attacks leveraging unpatched local OS or application vulnerabilities
  • Malware propagation through unpatched systems acting as initial access vectors in lateral movement
  • Non-compliance with regulatory requirements mandating timely security patch deployment

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's patch management policy and identify defined categories for routine versus emergency patches.
  2. Inventory all patch management platforms in use (e.g., WSUS, SCCM, Jamf, Puppet, Ansible, cloud-native tools) and request administrative access or configuration exports.
  3. Review automation configurations for each platform including auto-approval rules, deployment schedules, maintenance windows, and target device groups.
  4. Select a sample of 15-20 endpoints and servers spanning different OS types, business units, and criticality levels for testing.
  5. Query patch management system logs to verify automated deployment activity for the past 90 days for sampled systems.
  6. Compare installed patch levels on sampled systems against vendor security bulletins released in the past 60 days to identify deployment lag.
  7. Interview IT operations staff to confirm manual intervention frequency, emergency override procedures, and rollback capabilities.
  8. Test one recent routine patch deployment by reviewing approval timestamps, deployment logs, success rates, and mean time to deployment across the estate.
Evidence required Configuration exports from patch management platforms showing auto-approval rules, deployment policies, and maintenance schedules. Patch deployment logs covering 90 days with timestamps, target systems, patch identifiers, and success/failure status. System-level patch inventory reports from sampled endpoints and servers showing installed update versions and installation dates.
Pass criteria Automated patch deployment is configured and operational for routine OS and software updates with evidence showing regular deployments within 30 days of vendor release and deployment success rates exceeding 90% across sampled systems.