Patch Management
The systematic process of identifying, evaluating, testing, and deploying software updates (patches) to fix security vulnerabilities, address bugs, and maintain the integrity of systems and applications across the organization's infrastructure.
Patch management is a critical operational security process that directly addresses the window of exposure between when a vulnerability is publicly disclosed and when it is remediated in an organization's environment. Unpatched systems are one of the most commonly exploited attack vectors — many major breaches, including WannaCry and the Equifax breach, exploited known vulnerabilities for which patches were available but had not been applied. A mature patch management process identifies applicable patches from operating system vendors, application providers, and open-source project maintainers, assesses their criticality and relevance, tests them in non-production environments, and deploys them according to defined timelines based on severity.
Patch management is a compliance requirement across all major frameworks. ISO 27001 Annex A control A.8.8 addresses the management of technical vulnerabilities, requiring organizations to obtain timely information about vulnerabilities, evaluate exposure, and take appropriate measures. SOC 2 requires that system components are protected from vulnerabilities by installing security-relevant software and firmware updates in a timely manner. NIS2 mandates vulnerability handling as a core cybersecurity risk management measure. In technology due diligence, assessors evaluate patching cadence, coverage, and the age of unpatched vulnerabilities as key indicators of security operations maturity.
Effective patch management requires balancing security urgency with operational stability. Organizations should define patching SLAs based on vulnerability severity — critical vulnerabilities might require patching within 24-72 hours, while low-severity issues might have a 30-day window. Automated patch management tools can streamline the process for operating systems and common applications, but custom applications, embedded systems, and legacy infrastructure may require manual processes. Organizations should maintain a patch compliance dashboard that tracks the patching status of all assets, identify and document exceptions where patches cannot be applied (with compensating controls), and integrate patch management with vulnerability scanning to verify that patches are successfully applied. Container-based and immutable infrastructure models can simplify patching by rebuilding images with updated dependencies rather than patching running systems.
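As an added illustration that is not part of the original page, the following Python check applies severity-based SLA windows to a constructed patch inventory and groups assets the way a patch compliance dashboard would, including documented exceptions with compensating controls. The critical (72 hours) and low (30 days) windows follow the figures above; the high and medium windows, the record fields and the sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed SLA windows per severity: critical and low follow the text above,
# high and medium are illustrative values for this example.
SLA_WINDOWS = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=7),
    "medium": timedelta(days=14),
    "low": timedelta(days=30),
}

@dataclass
class PatchRecord:
    asset: str                   # asset identifier from the inventory
    patch_id: str                # vendor patch / advisory reference
    severity: str                # one of the SLA_WINDOWS keys
    released: datetime           # when the vendor published the patch
    applied: Optional[datetime]  # None if the patch is not yet applied
    exception: bool = False      # documented exception with compensating control

def sla_deadline(rec: PatchRecord) -> datetime:
    """Latest acceptable apply time for this record's severity."""
    if rec.severity not in SLA_WINDOWS:
        raise ValueError(f"unknown severity: {rec.severity}")
    return rec.released + SLA_WINDOWS[rec.severity]

def evaluate(rec: PatchRecord, now: datetime) -> str:
    """Classify a record: compliant, late, pending, overdue or excepted."""
    if rec.exception:
        return "excepted"           # tracked separately, not counted as a miss
    deadline = sla_deadline(rec)
    if rec.applied is not None:
        return "compliant" if rec.applied <= deadline else "late"
    return "overdue" if now > deadline else "pending"

def compliance_report(records, now: datetime) -> dict:
    """Group asset names by SLA status, as a compliance dashboard would."""
    report = {s: [] for s in ("compliant", "late", "pending", "overdue", "excepted")}
    for rec in records:
        report[evaluate(rec, now)].append(rec.asset)
    return report

# Constructed sample inventory (not real assets or advisories).
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE = [
    PatchRecord("web-01", "PATCH-A", "critical", datetime(2024, 3, 8, 12, 0), None),
    PatchRecord("web-02", "PATCH-A", "critical", datetime(2024, 3, 1, 12, 0), None),
    PatchRecord("db-01", "PATCH-B", "low", datetime(2024, 2, 20), datetime(2024, 3, 5)),
    PatchRecord("legacy-01", "PATCH-A", "critical", datetime(2024, 3, 1), None, True),
    PatchRecord("app-01", "PATCH-C", "high", datetime(2024, 2, 25), datetime(2024, 3, 9)),
]
```

Feeding the report into vulnerability-scan results (the "overdue" and "late" lists in particular) is how the verification step described above closes the loop.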
Related terms
Asset Management
The process of identifying, classifying, documenting, and managing the lifecycle of information assets — including hardware, software, data, and cloud services — to ensure they are appropriately protected according to their value and sensitivity.
Change Management
A structured process for evaluating, approving, implementing, and documenting changes to information systems, infrastructure, and processes in a controlled manner that minimizes the risk of unintended disruptions or security vulnerabilities.
Endpoint Protection
Security solutions and practices designed to protect end-user devices such as laptops, desktops, mobile phones, and servers from cyber threats including malware, ransomware, and unauthorized access.
Vulnerability Assessment
A systematic process of identifying, quantifying, and prioritizing security vulnerabilities in systems, networks, and applications. Unlike penetration testing, vulnerability assessments focus on discovering weaknesses rather than exploiting them.