Patch management
Demonstrate that the organization systematically identifies vulnerabilities in operating systems, applications, and firmware, and deploys security patches within defined timeframes aligned to risk severity.
Description
What this control does
Patch management is the process of identifying, testing, approving, and deploying security updates and software patches to systems, applications, and firmware across the enterprise. Organizations maintain an inventory of all patchable assets, establish risk-based prioritization criteria (such as CVSS scores or vendor severity ratings), and enforce deployment timelines based on criticality—often 30 days for critical vulnerabilities, shorter for actively exploited flaws. Effective patch management reduces the attack surface by closing known vulnerabilities before adversaries can exploit them, while minimizing operational disruption through change control and rollback procedures.
Control objective
What auditing this proves
Demonstrate that the organization systematically identifies vulnerabilities in operating systems, applications, and firmware, and deploys security patches within defined timeframes aligned to risk severity.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed vulnerabilities with available exploit code or active exploitation in the wild
- Unauthorized remote code execution through unpatched web servers, databases, or application frameworks
- Ransomware and worm propagation leveraging unpatched operating system vulnerabilities (e.g., SMBv1, PrintSpooler)
- Privilege escalation by attackers exploiting kernel or driver vulnerabilities in unpatched endpoints
- Compromise of internet-facing infrastructure due to delayed patching of critical VPN, firewall, or load balancer firmware
- Compliance violations and audit findings resulting in financial penalties or suspension of certifications
- Operational disruption or data loss caused by unplanned emergency patching or system failures from exploitation
Live threat patterns this control mitigates:
Testing procedure
How an auditor verifies this control
- Obtain and review the current patch management policy, including defined roles, responsibilities, patching timelines, and severity classification criteria.
- Request a complete asset inventory extract showing all systems, applications, and firmware subject to patch management, including last scan date and ownership.
- Review the vulnerability scanning configuration and reports from the past 90 days to verify coverage across all in-scope assets and scanning frequency.
- Select a representative sample of 15-25 critical and high-severity vulnerabilities disclosed in the past 90 days and trace their identification, assessment, approval, and deployment through ticketing or change control records.
- For each sampled vulnerability, validate the actual deployment timeline against the organization's policy thresholds by reviewing patch deployment logs, configuration management database (CMDB) records, or endpoint management console reports.
- Examine exception and risk acceptance documentation for any vulnerabilities that exceeded policy timelines, verifying appropriate management approval and compensating controls.
- Verify the existence and test results of a patch testing environment or process, including evidence of rollback procedures for at least one recent patch deployment.
- Interview IT operations and security teams to confirm patch deployment coordination, emergency patching procedures, and handling of zero-day vulnerabilities.
Where this control is tested