
Pro audit program · v1.0

Patch Management Maturity

How fast are you patching workstations, servers, network gear and third-party apps? 8-question maturity check.

  • General target area
  • CIS Controls framework
  • 8 controls in this program
  • Cyentrix · Trusted Author

Risks addressed

  • Critical Unpatched workstation exploited via drive-by / phish
  • Critical Public-facing server compromised via known CVE
  • High Legacy systems remain unpatchable without compensating controls
  • High Network gear firmware lag introduces RCE / auth bypass risk

Controls (8)

  1. Patch policy with SLAs by severity

    High

    How to test + evidence

    Testing procedure: Review the policy for SLAs by severity, e.g. critical <=7d, high <=14d, medium <=30d (or the local equivalent). Check that the SLA clock starts at vendor release, not at the date the gap was detected, and that an expedited path exists for vulnerabilities known to be exploited in the wild.

    Evidence to collect: Policy document.

  2. Asset inventory drives patching scope

    High

    How to test + evidence

    Testing procedure: Confirm the asset inventory defines the patch tool's scope. Reconcile in both directions: every in-scope inventoried host reports to the patch tool, and the patch tool manages no devices absent from the inventory (shadow devices).

    Evidence to collect: Inventory-to-patch crosswalk.

  3. Workstations patched within SLA

    High

    How to test + evidence

    Testing procedure: Pull the endpoint patch compliance report; >=95% of endpoints within SLA over the last 90 days. A patch past its deadline and still missing counts as out of SLA, and any host excluded from the report must carry a logged exception (control 7).

    Evidence to collect: Patch tool dashboard.

  4. Servers patched within SLA

    High

    How to test + evidence

    Testing procedure: Same as control 3 for the server estate; report internet-facing servers separately, since a known CVE on a public-facing server is the highest-rated risk this program addresses.

    Evidence to collect: Patch tool dashboard.

  5. Third-party app patching covered

    Medium

    How to test + evidence

    Testing procedure: Confirm third-party software (browsers, Java, Adobe and other commonly targeted applications) is in scope of a patching tool, not just the OS. Compare the software inventory against the products the tool actually manages and list what falls outside.

    Evidence to collect: Software inventory + tool coverage.

  6. Network gear firmware patched

    Medium

    How to test + evidence

    Testing procedure: Routers, switches and firewalls run firmware within the vendor's recommended cadence, checked against current vendor advisories. Devices past vendor end-of-support are replaced or covered by an exception (control 7).

    Evidence to collect: Firmware version inventory.

  7. Exception process for unpatchable systems

    Medium

    How to test + evidence

    Testing procedure: For each legacy or otherwise unpatchable system, compensating controls (e.g. network segmentation, restricted administrative access) and a signed risk acceptance with an owner and a review date are documented.

    Evidence to collect: Exception register.

  8. Vulnerability scans verify patch state

    High

    How to test + evidence

    Testing procedure: Authenticated vulnerability scans confirm patch state matches the patch tool. Reconcile the two and investigate hosts the tool reports as patched but the scanner still flags (stale agent, pending reboot, install reported as successful but not applied).

    Evidence to collect: Recent scan + reconciliation.
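
The evidence for controls 2, 3/4 and 8 comes down to three reconciliations over tool exports: inventory against patch-tool roster, patch dates against the SLA table, and patch-tool state against the authenticated scan. The script below is an added Python example, not part of the Cyentrix program or any vendor tool; the CSV column names, host names, SLA values and the report date are constructed assumptions, and it runs offline on the embedded sample data.

```python
"""Evidence checks for controls 2, 3/4 and 8 (added example, not from the
audit program): inventory-to-patch-tool crosswalk, SLA compliance rate by
severity, and scanner-vs-patch-tool reconciliation. All CSV inputs below
are constructed sample exports; real tools use different column names."""
import csv
import io
from datetime import date, timedelta

# SLA days per severity as in control 1. The clock starts at vendor
# release, not at the date the patch tool first noticed the gap.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30}
TARGET_PCT = 95.0                 # controls 3/4 threshold
REPORT_DATE = date(2024, 6, 1)    # assumed reporting date

INVENTORY_CSV = """hostname,tier
ws-001,workstation
ws-002,workstation
srv-web-01,server
srv-db-01,server
srv-app-02,server
sw-core-01,network
"""
# One row per (host, patch); an empty 'installed' means still missing.
PATCH_TOOL_CSV = """hostname,patch_id,severity,released,installed
ws-001,KB1,critical,2024-05-01,2024-05-05
ws-001,KB2,high,2024-05-01,2024-05-20
ws-001,KB4,medium,2024-05-25,
ws-002,KB1,critical,2024-05-01,2024-05-10
ws-002,KB2,high,2024-05-01,2024-05-09
ws-003,KB1,critical,2024-05-01,2024-05-02
srv-web-01,KB3,critical,2024-05-15,
srv-db-01,KB3,critical,2024-05-15,2024-05-18
srv-db-01,KB2,high,2024-05-01,2024-05-12
"""
# Authenticated scan result: does the scanner still see the patch missing?
SCAN_CSV = """hostname,patch_id,missing
ws-001,KB1,no
ws-001,KB2,no
ws-002,KB1,yes
srv-web-01,KB3,yes
srv-db-01,KB3,no
srv-db-01,KB9,yes
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def inventory_crosswalk(inventory, patch_rows, covered_tiers=("workstation", "server")):
    """Control 2. Network gear is tracked by firmware inventory (control 6),
    so only the tiers the patch tool is expected to manage are compared."""
    expected = {r["hostname"] for r in inventory if r["tier"] in covered_tiers}
    managed = {r["hostname"] for r in patch_rows}
    return {"not_in_patch_tool": sorted(expected - managed),  # coverage gaps
            "shadow_devices": sorted(managed - expected)}     # unknown to inventory


def sla_compliance(patch_rows, tier_of, tier, report_date, window_days=90):
    """Controls 3/4. Considers patches released inside the window whose SLA
    deadline has been reached. A patch still missing past its deadline is
    out of SLA; one not yet due is excluded, not counted as compliant."""
    total = in_sla = 0
    late = []
    for r in patch_rows:
        if tier_of.get(r["hostname"]) != tier:
            continue
        released = date.fromisoformat(r["released"])
        if (report_date - released).days > window_days:
            continue
        deadline = released + timedelta(days=SLA_DAYS[r["severity"]])
        if r["installed"]:
            done = date.fromisoformat(r["installed"])
        elif report_date > deadline:
            done = report_date        # still open past deadline: late
        else:
            continue                  # not yet due
        total += 1
        if done <= deadline:
            in_sla += 1
        else:
            late.append((r["hostname"], r["patch_id"], r["severity"], (done - deadline).days))
    pct = round(100.0 * in_sla / total, 1) if total else 100.0
    return {"total": total, "in_sla": in_sla, "pct": pct,
            "meets_target": pct >= TARGET_PCT, "late": late}


def reconcile_scan(patch_rows, scan_rows):
    """Control 8. The finding that matters most is a host the tool reports
    as patched that the scanner still sees vulnerable (stale agent, pending
    reboot, install reported as success but not applied)."""
    tool_installed = {(r["hostname"], r["patch_id"]): bool(r["installed"]) for r in patch_rows}
    findings = []
    for s in scan_rows:
        key = (s["hostname"], s["patch_id"])
        scanner_missing = s["missing"].strip().lower() == "yes"
        if key not in tool_installed:
            findings.append((*key, "scanner_sees_patch_unknown_to_tool"))
        elif tool_installed[key] and scanner_missing:
            findings.append((*key, "tool_installed_scanner_missing"))
        elif not tool_installed[key] and not scanner_missing:
            findings.append((*key, "tool_missing_scanner_installed"))
    return findings


def run_audit(report_date=REPORT_DATE):
    inventory, patches, scan = load(INVENTORY_CSV), load(PATCH_TOOL_CSV), load(SCAN_CSV)
    tier_of = {r["hostname"]: r["tier"] for r in inventory}
    return {"crosswalk": inventory_crosswalk(inventory, patches),
            "workstation": sla_compliance(patches, tier_of, "workstation", report_date),
            "server": sla_compliance(patches, tier_of, "server", report_date),
            "mismatches": reconcile_scan(patches, scan)}


if __name__ == "__main__":
    for name, result in run_audit().items():
        print(name, result)
```

On the sample data the crosswalk flags srv-app-02 as inventoried but not reporting to the patch tool and ws-003 as a shadow device; workstations land at 50% within SLA and servers at 66.7%, both failing the 95% target; and the scan reconciliation surfaces ws-002/KB1 as patched according to the tool but still missing per the scanner, plus KB9 on srv-db-01 as a patch the tool does not track at all (the control 5 gap). Swap the three CSV constants for real exports and keep the logic; the thresholds and SLA table should come from the policy reviewed under control 1.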