CIS-4.1 / SI-2 / A.12.6.1 CIS Controls v8

OS version policy + non-compliant remediation

Description

What this control does

This control establishes and enforces a formally documented policy defining minimum acceptable operating system versions across the enterprise, coupled with a structured remediation workflow for devices running non-compliant versions. The policy typically specifies version baselines, patch currency thresholds, and exception criteria, while the remediation procedures define detection cadence, escalation paths, quarantine or isolation measures, and timelines for bringing systems into compliance. This control matters because outdated OS versions accumulate known vulnerabilities that attackers routinely exploit, and without an enforcement mechanism a policy declaration on its own changes nothing.

Control objective

What auditing this proves

Demonstrate that the organization maintains an enforced operating system version policy with defined minimum baselines and that non-compliant systems are systematically identified and remediated through documented procedures.

Associated risks

Risks this control addresses

  • Exploitation of publicly disclosed vulnerabilities present in unsupported or outdated operating system versions for which no patches exist
  • Lateral movement by threat actors leveraging privilege escalation vulnerabilities unpatched in legacy OS versions
  • Loss of vendor support and security updates leading to indefinite exposure to emerging threats
  • Data breach through exploitation of kernel or system-level flaws documented in CVE databases but unaddressed in end-of-life operating systems
  • Compliance violations and regulatory penalties when operating systems fall below mandated baseline versions
  • Operational disruption from ransomware or malware specifically targeting known vulnerabilities in deprecated OS releases
  • Shadow IT proliferation as users deploy unsupported systems without visibility into version compliance status

Testing procedure

How an auditor verifies this control

  1. Obtain and review the current OS version policy document, noting defined minimum versions for each operating system family (Windows, macOS, Linux distributions, mobile platforms) and the approval date.
  2. Retrieve the complete inventory of all endpoints, servers, and computing devices from the configuration management database (CMDB) or asset management system, including OS type and version.
  3. Compare the policy-defined minimum versions against the actual deployed versions in the inventory to identify all non-compliant systems.
  4. Review the documented remediation procedure for non-compliant systems, verifying it includes detection frequency, notification process, escalation timelines, and isolation/quarantine measures.
  5. Select a sample of systems identified as non-compliant within the past 90 days and trace each through the remediation workflow by examining ticketing system records, approval chains, and resolution timestamps.
  6. Examine automated scanning or monitoring tool configurations to verify they are set to flag OS versions below policy thresholds and generate alerts or tickets.
  7. Interview IT operations and security personnel to confirm awareness of the policy, understanding of remediation responsibilities, and adherence to documented timelines.
  8. Review exception requests and approvals for any systems granted waivers to operate below minimum versions, validating documented risk acceptance and compensating controls.
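Steps 2, 3, 5 and 8 above amount to a mechanical comparison that an auditor (or the organization's own monitoring, step 6) can script. The following is an added example, not code from the control catalog or any audit program: it compares a CMDB export against policy-defined minimum versions, honours approved exceptions with an expiry date, and computes the remediation deadline from first detection and an asset-class SLA. Every baseline, hostname, SLA value and date is constructed for illustration; the `no_baseline` status deliberately surfaces OS families the policy does not cover, since silently passing them would hide a policy gap.

```python
"""Added example, not part of the control catalog page: implement testing steps
2-3, 5 and 8 in code by comparing a CMDB export against policy-defined minimum
OS versions, honouring approved exceptions, and computing remediation deadlines.
Every baseline, hostname, SLA and date below is constructed for illustration."""
import csv
import io
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed policy baseline: OS family -> minimum acceptable version.
POLICY_MIN_VERSIONS: Dict[str, str] = {
    "windows": "10.0.19045",
    "macos": "13.6",
    "ubuntu": "22.04",
    "ios": "17.0",
}

# Constructed remediation timeline per asset class, in days from first detection.
REMEDIATION_SLA_DAYS: Dict[str, int] = {"server": 14, "endpoint": 30, "mobile": 30}

# Constructed exception register: hostname -> expiry date of the approved waiver.
APPROVED_EXCEPTIONS: Dict[str, date] = {"srv-db-01": date(2024, 6, 30)}

# Constructed date on which the assessment is run.
REVIEW_DATE = date(2024, 3, 20)

# Constructed CMDB export (CSV) standing in for the real inventory system.
INVENTORY_CSV = """hostname,asset_class,os_family,os_version,first_detected
srv-db-01,server,ubuntu,20.04,2024-03-01
srv-web-02,server,ubuntu,22.04,2024-03-01
wk-fin-07,endpoint,windows,10.0.19041,2024-02-15
wk-eng-12,endpoint,macos,14.2,2024-03-10
mob-sales-3,mobile,ios,16.7,2024-03-05
lab-box-9,endpoint,freebsd,13.2,2024-03-12
"""


def parse_version(version: str) -> tuple:
    """Turn a dotted version into an int tuple so '10.0.19045' sorts above
    '10.0.19041' (a plain string comparison would rank '9.0' above '10.0')."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass
class Finding:
    hostname: str
    os_family: str
    os_version: str
    required: Optional[str]  # policy minimum, None when the family has no baseline
    status: str              # compliant | non_compliant | overdue | exception | no_baseline
    due: Optional[date]      # remediation deadline, None when nothing is pending


def assess(inventory_csv: str, as_of: date) -> List[Finding]:
    """Compare every inventory row against the policy baseline and attach the
    remediation deadline and waiver status."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, family, version = row["hostname"], row["os_family"].lower(), row["os_version"]
        required = POLICY_MIN_VERSIONS.get(family)
        if required is None:
            # An OS family the policy does not cover is a policy gap, not a pass.
            findings.append(Finding(host, family, version, None, "no_baseline", None))
            continue
        if parse_version(version) >= parse_version(required):
            findings.append(Finding(host, family, version, required, "compliant", None))
            continue
        detected = date.fromisoformat(row["first_detected"])
        due = detected + timedelta(days=REMEDIATION_SLA_DAYS[row["asset_class"]])
        waiver_expiry = APPROVED_EXCEPTIONS.get(host)
        if waiver_expiry is not None and waiver_expiry >= as_of:
            status = "exception"      # approved risk acceptance still in force
        elif due < as_of:
            status = "overdue"        # missed the policy timeline: escalate
        else:
            status = "non_compliant"  # still inside the remediation window
        findings.append(Finding(host, family, version, required, status, due))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group hostnames by status; this is the shape an auditor's sample selection starts from."""
    summary: Dict[str, List[str]] = {}
    for finding in findings:
        summary.setdefault(finding.status, []).append(finding.hostname)
    return summary


if __name__ == "__main__":
    for f in assess(INVENTORY_CSV, REVIEW_DATE):
        required = f.required or "n/a"
        due = f.due.isoformat() if f.due else "-"
        print(f"{f.hostname:12} {f.os_family:8} {f.os_version:12} min={required:12} {f.status:14} due={due}")
```

Running the script prints one line per asset with its status and deadline. Because `REVIEW_DATE` is passed explicitly, the same inventory can be re-assessed against the date a waiver expires, which is how an auditor checks that an exception did not quietly outlive its approval.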
Evidence required

  • Policy document specifying minimum OS versions and update requirements
  • Configuration management database export showing OS versions for all systems
  • Vulnerability scanning or endpoint management reports identifying non-compliant devices
  • Ticketing system extracts demonstrating remediation case progression
  • Exception request forms with risk acceptance signatures and compensating control descriptions
  • Automated alert configurations from monitoring tools
  • Interview notes or attestation letters from responsible personnel

Pass criteria

All systems operate at or above policy-defined minimum OS versions, or documented exceptions exist with approved risk acceptance and compensating controls, and evidence demonstrates that non-compliant systems identified in the past 90 days were remediated within policy-defined timelines or escalated appropriately.

Where this control is tested

Audit programs including this control