Patch policy with SLAs by severity
Description
What this control does
This control requires a documented patch management policy that defines mandatory service level agreements (SLAs) for remediating vulnerabilities according to severity ratings (e.g., critical, high, medium, low). The policy specifies the timeframe within which patches must be tested, approved, and deployed to production systems, and states when that clock starts (vendor patch release or internal discovery), since an SLA measured from an undefined start date cannot be audited. Organizations typically align severity tiers with CVSS scores or vendor ratings and set progressively shorter deadlines for higher-severity issues (e.g., critical patches within 15 days, high within 30 days). This control ensures a predictable, risk-proportionate response to security vulnerabilities and prevents the accumulation of exploitable weaknesses.
Control objective
What auditing this proves
Demonstrate that the organization maintains and enforces a patch management policy with documented, severity-based SLAs that govern the timeframe for deploying security patches to all in-scope systems.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed critical vulnerabilities due to delayed patching beyond safe windows
- Inconsistent patching practices across business units leading to unpatched systems serving as pivot points for lateral movement
- Compromise via N-day exploits (attacks against vulnerabilities for which a fix is already available) in environments where high-severity patches are deprioritized without formal risk acceptance
- Regulatory penalties or breach notification obligations stemming from failure to patch known vulnerabilities within industry-standard timeframes
- Operational disruption from emergency patching activities conducted without testing when accumulated patch debt forces reactive responses
- Loss of cyber insurance coverage or increased premiums due to failure to meet insurer-mandated patching requirements
Testing procedure
How an auditor verifies this control
- Obtain the current patch management policy document and verify it includes explicit SLA definitions tied to vulnerability severity levels (critical, high, medium, low).
- Review the policy to confirm it specifies numeric timeframes (e.g., days from vendor release or discovery) for each severity tier and covers all major asset categories (servers, workstations, network devices, cloud infrastructure).
- Request the vulnerability management system configuration and verify severity classification logic matches policy definitions (e.g., CVSS score ranges mapped to internal severity tiers).
- Select a sample of 15-20 vulnerabilities from the past 12 months spanning all severity levels, including items that are still open, and extract records showing discovery date, patch availability date, deployment date (or none, if still open), and system identifiers.
- Calculate the elapsed time between the policy's SLA clock start (patch availability, or discovery if the policy measures from there) and deployment completion, or the audit date for items still open, and compare each result against the policy SLA for its severity tier to identify breaches.
- For any SLA breaches identified, obtain documentation of formal risk acceptance, change control delays, or compensating controls that justified the delay.
- Interview IT operations and security teams to confirm awareness of SLA requirements and verify existence of alerting or tracking mechanisms that flag approaching SLA deadlines.
- Review patch management reporting dashboards or automated compliance reports to confirm ongoing measurement of SLA adherence and escalation of overdue items to management.
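The SLA adherence calculation in the testing procedure above, as an added worked example that is not part of the original page: it maps CVSS scores to internal tiers, measures elapsed days from patch availability to deployment (or to the audit date for open items), flags breaches, and separates breaches that have a documented exception from those that do not. The critical and high SLAs are the figures quoted on this page; the medium and low figures, the record field names, and the sample findings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Remediation SLAs in days per severity tier. The critical and high figures are
# the ones quoted on this page; the medium and low figures are assumed values
# chosen for illustration and should be replaced with the organization's own.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def cvss_to_tier(score: float) -> str:
    """Map a CVSS v3.x base score to an internal tier using the CVSS v3
    qualitative scale (9.0-10.0 Critical, 7.0-8.9 High, 4.0-6.9 Medium,
    0.1-3.9 Low)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class PatchRecord:
    """One row of evidence as extracted from the vulnerability management
    system. Field names are assumed for this example."""
    finding_id: str
    asset: str
    cvss: float
    patch_available: date                # SLA clock start: vendor fix release date
    deployed: Optional[date]             # None means still open at audit time
    exception_ref: Optional[str] = None  # risk acceptance or change ticket ID


@dataclass
class SlaResult:
    finding_id: str
    tier: str
    sla_days: int
    elapsed_days: int
    breached: bool
    justified: bool  # breached, but a documented exception is on file


def evaluate(rec: PatchRecord, as_of: date) -> SlaResult:
    """Compare one record against policy. Open items are measured up to
    as_of, so an unpatched finding past its window is still a breach.
    Deployment on the last SLA day counts as met (elapsed == sla_days)."""
    if rec.deployed is not None and rec.deployed < rec.patch_available:
        # Data-quality problem in the evidence, not an SLA result.
        raise ValueError(f"{rec.finding_id}: deployed before patch was available")
    tier = cvss_to_tier(rec.cvss)
    end = rec.deployed if rec.deployed is not None else as_of
    elapsed = (end - rec.patch_available).days
    sla = SLA_DAYS[tier]
    breached = elapsed > sla
    return SlaResult(rec.finding_id, tier, sla, elapsed, breached,
                     justified=breached and rec.exception_ref is not None)


def sla_report(records, as_of: date):
    """Evaluate a sample and return (per-item results, summary dict)."""
    results = [evaluate(r, as_of) for r in records]
    breached = [r for r in results if r.breached]
    unjustified = [r for r in breached if not r.justified]
    total = len(results)
    summary = {
        "total": total,
        "breached": len(breached),
        "unjustified": len(unjustified),
        # Share of sampled items remediated within SLA; exceptions do not
        # improve this number, they only explain the misses.
        "adherence_pct": round(100.0 * (total - len(breached)) / total, 1) if total else 0.0,
    }
    return results, summary


# Constructed sample evidence (not real findings), one item per outcome.
AS_OF = date(2024, 7, 15)
SAMPLE = [
    PatchRecord("V-001", "web-01", 9.8, date(2024, 3, 1), date(2024, 3, 10)),
    PatchRecord("V-002", "db-02", 9.1, date(2024, 4, 2), date(2024, 4, 25), "RA-2024-07"),
    PatchRecord("V-003", "fw-edge", 7.5, date(2024, 5, 6), date(2024, 6, 14)),
    PatchRecord("V-004", "ws-117", 5.3, date(2024, 6, 1), None),
    PatchRecord("V-005", "build-03", 3.1, date(2024, 1, 10), date(2024, 5, 1)),
]

if __name__ == "__main__":
    results, summary = sla_report(SAMPLE, AS_OF)
    for r in results:
        if not r.breached:
            status = "OK"
        elif r.justified:
            status = "BREACH (exception on file)"
        else:
            status = "BREACH (unjustified)"
        print(f"{r.finding_id} {r.tier:8} {r.elapsed_days:3}d / {r.sla_days:3}d  {status}")
    print(summary)
```

Run against the sample, V-002 is a critical item closed in 23 days with a risk acceptance reference (a justified breach), V-003 is a high item closed in 39 days with no exception (the finding the auditor writes up), and V-004 is still open but within its window. The adherence figure counts both breaches, because an exception explains a miss rather than erasing it; a dashboard that reports only unjustified misses understates patch debt.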
Where this control is tested