
Patch Management Policy

1. Purpose

The purpose of this Patch Management Policy is to establish requirements for the identification, evaluation, testing, deployment, verification, and monitoring of software patches and updates across organizational systems and applications.

Timely patch management is essential to maintaining the security, stability, and reliability of information systems. Software vulnerabilities, defects, and configuration weaknesses can expose the organization to cybersecurity threats, operational disruptions, and compliance risks. This policy provides a structured approach for managing patches throughout their lifecycle and reducing risks associated with unpatched systems.

2. Scope

This policy applies to the following personnel:

  • All employees
  • Contractors
  • Consultants
  • Temporary personnel
  • Interns
  • Third-party personnel responsible for managing organizational systems

This policy applies to the following technology assets:

  • Servers
  • Workstations
  • Laptops
  • Mobile devices
  • Network devices
  • Security appliances
  • Applications
  • Databases
  • Operating systems
  • Cloud services
  • Virtual environments
  • Containers
  • Internet-facing systems

The policy applies to all organization-owned, managed, or controlled technology assets.

3. Policy Statement

The organization shall maintain a formal Patch Management Program to ensure security patches, updates, bug fixes, firmware updates, and vendor-released corrections are identified, evaluated, tested, deployed, and verified in a timely manner.

Patches shall be prioritized and deployed based on risk, business impact, system criticality, and vulnerability severity.

All systems shall be maintained at supported software versions whenever feasible.

4. Objectives

The objectives of this policy are to:

  • Reduce security risks associated with known vulnerabilities.
  • Improve the security and stability of systems.
  • Minimize exposure to cyber threats.
  • Establish consistent patch management practices.
  • Support regulatory and compliance requirements.
  • Reduce operational disruptions caused by outdated software.
  • Improve visibility into patch status across the environment.
  • Promote continuous improvement of system security.

5. Definitions

Patch

A software update designed to correct vulnerabilities, defects, bugs, performance issues, or functionality problems.

Security Patch

A patch released to address a security vulnerability or security-related weakness.

Firmware Update

An update applied to embedded software running on hardware devices.

Emergency Patch

A patch requiring accelerated deployment due to active exploitation, significant risk, or critical operational impact.

Patch Management

The process of identifying, testing, deploying, verifying, and monitoring software updates.

Supported Software

Software currently supported by the vendor through security updates and maintenance releases.

6. Roles and Responsibilities

Executive Management

Responsible for:

  • Supporting the Patch Management Program.
  • Providing appropriate resources.
  • Reviewing significant patch-related risks.

Information Security Team

Responsible for:

  • Monitoring vulnerability and threat information.
  • Identifying security-related patch requirements.
  • Supporting patch prioritization.
  • Monitoring compliance.
  • Reporting patch management metrics.

Information Technology Team

Responsible for:

  • Managing patch deployment activities.
  • Testing patches where appropriate.
  • Implementing approved updates.
  • Maintaining patch records.
  • Verifying successful deployment.

System Owners

Responsible for:

  • Supporting patch deployment activities.
  • Evaluating business impact.
  • Approving maintenance windows where necessary.
  • Ensuring systems remain supported.

Employees

Responsible for:

  • Allowing approved updates to be installed.
  • Reporting issues associated with updates.
  • Following organizational technology requirements.

7. Patch Management Program

The organization shall maintain a documented Patch Management Program that includes:

  • Asset identification
  • Patch identification
  • Patch evaluation
  • Risk assessment
  • Patch testing
  • Deployment planning
  • Patch deployment
  • Verification
  • Reporting
  • Continuous improvement

The program shall be reviewed periodically for effectiveness.

8. Asset Inventory Requirements

Patch management activities shall be based on an accurate inventory of organizational assets.

The inventory shall include, where applicable:

  • Servers
  • Workstations
  • Mobile devices
  • Applications
  • Databases
  • Network devices
  • Security appliances
  • Cloud resources
  • Virtual systems

Assets shall be categorized according to business criticality and risk.

9. Patch Identification

The organization shall monitor sources of patch information including:

  • Vendor security advisories
  • Vendor update notifications
  • Vulnerability intelligence sources
  • Security bulletins
  • Industry alerts
  • Managed service providers where applicable

Relevant patches shall be reviewed promptly upon release.

10. Patch Evaluation

Identified patches shall be evaluated to determine:

  • Security significance
  • Vulnerability severity
  • Exploit availability
  • Business impact
  • Operational impact
  • Compatibility considerations
  • Regulatory implications

Patch deployment priorities shall be based on risk.

11. Patch Testing

Patches shall be tested before deployment whenever practical.

Testing activities may include:

  • Compatibility testing
  • Functionality testing
  • Performance validation
  • Security validation
  • Integration testing

Testing requirements may vary based on system criticality and risk.

Emergency patches may follow accelerated testing procedures.

12. Patch Prioritization

Patch deployment priorities shall consider:

  • Vulnerability severity
  • Known active exploitation
  • Internet exposure
  • Asset criticality
  • Data sensitivity
  • Compliance requirements
  • Operational impact

Priority classifications may include:

  • Critical
  • High
  • Medium
  • Low

Prioritization criteria shall be documented and consistently applied.

13. Security Patch Deployment Requirements

Security patches shall be deployed according to organizational risk tolerance and established timelines.

Target deployment timeframes, measured from the date the vendor releases the patch, are as follows:

Critical Security Patches

  • Deploy within 15 calendar days

High-Risk Security Patches

  • Deploy within 30 calendar days

Medium-Risk Security Patches

  • Deploy within 90 calendar days

Low-Risk Security Patches

  • Deploy within 180 calendar days

More aggressive timelines may be required for actively exploited vulnerabilities.

14. Emergency Patching

Emergency patching procedures may be initiated when:

  • Active exploitation is identified
  • Critical vulnerabilities are disclosed
  • Regulatory requirements demand immediate action
  • Significant operational risk exists

Emergency patching may include:

  • Accelerated approval processes
  • Reduced testing periods
  • Emergency maintenance windows

Emergency activities shall be documented.

15. Operating System Updates

Supported operating systems shall receive:

  • Security updates
  • Vendor maintenance updates
  • Critical bug fixes

Unsupported operating systems shall be upgraded, replaced, isolated, or formally risk accepted.

16. Application Updates

Applications shall be maintained at supported versions whenever feasible.

Application patching shall address:

  • Security vulnerabilities
  • Vendor-released fixes
  • Critical functionality issues
  • Supported version requirements

Unsupported applications shall be reviewed for replacement or remediation.

17. Firmware and Infrastructure Updates

Network devices, security appliances, and other infrastructure components shall receive firmware and software updates as appropriate.

Examples include:

  • Firewalls
  • Switches
  • Routers
  • Wireless controllers
  • Storage systems
  • Security appliances

Infrastructure updates shall be evaluated according to risk and operational impact.

18. Cloud Service Updates

For cloud-hosted systems, patching responsibilities shall be determined for each service according to the provider's shared responsibility model, since the division of duties differs between infrastructure, platform, and software service offerings.

Where the organization manages cloud systems, patch management requirements shall apply.

Where cloud providers manage patching activities, vendor responsibilities shall be documented and periodically reviewed.

19. Change Management Integration

Patch deployment activities shall comply with organizational Change Management requirements.

Patch-related changes shall include:

  • Documentation
  • Risk evaluation
  • Testing records
  • Approval records where applicable
  • Deployment tracking

Emergency changes shall follow documented emergency change procedures.

20. Verification and Validation

Patch deployments shall be verified to ensure successful installation. A patch shall not be considered deployed until any required reboot or service restart has completed and the target system reports the patched version.

Verification methods may include:

  • Automated reporting
  • Configuration validation
  • Vulnerability rescanning
  • System reviews
  • Manual inspections

Failed deployments shall be investigated and corrected.

21. Patch Compliance Monitoring

The organization shall monitor patch compliance across the environment.

Monitoring activities may include:

  • Automated patch reporting
  • Vulnerability scans
  • Compliance dashboards
  • Security reviews
  • Audit activities

Non-compliant systems shall be identified and remediated.

22. Exceptions

Exceptions to patching requirements must:

  • Be documented
  • Include business justification
  • Include risk assessment
  • Identify compensating controls
  • Be approved by management
  • Include review and expiration dates

Accepted risks shall be monitored regularly.

23. Third-Party and Vendor Systems

Where third parties manage organizational systems, contracts and service agreements should address patch management responsibilities.

Third parties may be required to:

  • Maintain supported software
  • Apply security updates
  • Report patching status
  • Demonstrate compliance with contractual requirements

Vendor patching practices shall be reviewed periodically.

24. Metrics and Reporting

The organization shall maintain patch management metrics that may include:

  • Patch compliance rates
  • Percentage of overdue patches
  • Time to deploy critical patches
  • Number of unsupported systems
  • Patch deployment success rates
  • Emergency patch activity
  • Vulnerability remediation performance

Metrics shall be reviewed periodically by management.

25. Compliance and Auditing

Compliance with this policy shall be verified through:

  • Internal audits
  • External audits
  • Vulnerability assessments
  • Security reviews
  • Compliance assessments

Findings shall be documented and addressed through corrective action processes.

26. Enforcement

Violations of this policy may result in:

  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

27. Review and Maintenance

This policy shall be reviewed:

  • At least annually
  • Following major technology changes
  • Following significant security incidents
  • Following regulatory changes
  • Following material changes to the Patch Management Program

Updates shall be approved by executive management.

28. Related Policies

  • Information Security Policy
  • Vulnerability Management Policy
  • Secure Configuration Policy
  • Change Management Policy
  • Security Risk Management Policy
  • Asset Management Policy
  • Incident Response Policy
  • Security Control Framework Policy

29. Policy Approval

Policy Owner: Chief Information Security Officer (CISO) or Information Security Manager

Approved By: Executive Management

Effective Date: __________________

Review Date: __________________

Version: 1.0