Servers patched within SLA
Demonstrate that all in-scope servers receive security patches within the organization's documented SLA timeframes and that exceptions are formally approved and tracked.
Description
What this control does
This control ensures that servers are patched within a defined Service Level Agreement (SLA) timeframe, typically measured from the date a patch is released or identified as critical. Organizations establish risk-based patching windows (e.g., critical patches within 7 days, high within 30 days) and track compliance through vulnerability management systems and configuration management databases. Timely patching reduces the window of exposure to known vulnerabilities that adversaries actively exploit.
Control objective
What auditing this proves
Demonstrate that all in-scope servers receive security patches within the organization's documented SLA timeframes and that exceptions are formally approved and tracked.
Associated risks
Risks this control addresses
- Attackers exploit known vulnerabilities with publicly available exploits before patches are applied, leading to unauthorized system access
- Ransomware operators leverage unpatched server vulnerabilities to gain initial foothold and deploy encryption payloads across the environment
- Compliance violations occur due to failure to remediate vulnerabilities within regulatory or contractual timeframes, resulting in fines or sanctions
- Lateral movement by threat actors through unpatched servers after initial compromise of a single system
- Data exfiltration through exploitation of known SQL injection, remote code execution, or privilege escalation vulnerabilities in outdated server software
- Service disruption when adversaries exploit unpatched servers to launch denial-of-service attacks or disruptive malware campaigns
- Increased technical debt and remediation costs as vulnerabilities age and systems become increasingly difficult to patch without operational impact
Testing procedure
How an auditor verifies this control
- Obtain the organization's server patching policy and documented SLA timeframes for each severity level (critical, high, medium, low).
- Request a complete inventory of in-scope servers including operating systems, applications, and current patch levels from the CMDB or asset management system.
- Extract vulnerability scan results and patch compliance reports from the vulnerability management platform for the past 90 days.
- Select a stratified random sample of 25-30 servers across different criticality levels, business units, and server types (Windows, Linux, database, web).
- For each sampled server, identify the most recent critical and high-severity patches applicable to its configuration and document their release dates.
- Compare actual patch installation dates against the SLA deadline for each vulnerability, calculating the time delta and identifying SLA breaches.
- Review exception and remediation tracking systems for any servers with documented SLA violations, verifying that formal exception approvals and compensating controls are in place.
- Interview system administrators and patch management personnel to validate the patch deployment workflow, approval process, and escalation procedures for SLA breaches.
Where this control is tested