Security Operations Glossary

Patch Management

A systematic process for identifying, testing, approving, and deploying software updates (patches) to address security vulnerabilities in IT systems.

Patch management is the structured process by which organizations identify, assess, test, and deploy software updates (patches) for their IT systems—with the goal of closing known security vulnerabilities before attackers can exploit them.

The Patch Management Process

  1. Detection: Automated monitoring for new patches (vendor notifications, CVE feeds, WSUS, SCCM, MDM)
  2. Assessment: Is the patch relevant? Which systems are affected? Check CVSS score and EPSS probability
  3. Testing: Deploy patch in test/staging environment; verify functionality and compatibility
  4. Approval: Formal change management process (CAB approval for critical systems)
  5. Deployment: Roll out to production systems—staggered by risk class
  6. Verification: Confirm successful installation, re-scan

Patch Prioritization by SLA

Recommended SLAs based on CVSS + EPSS:

  • Critical + actively exploited (KEV): 24–48 hours
  • Critical (CVSS ≥ 9.0): 7 days
  • High (CVSS 7.0–8.9): 14 days
  • Medium (CVSS 4.0–6.9): 30 days
  • Low (CVSS < 4.0): 90 days

Patch Management in Practice

Challenges:

  • Dependencies: Patch A breaks application B
  • Availability: Production systems cannot simply be restarted
  • End-of-life software: No more vendor support, no official patches
  • Complexity: Thousands of systems and applications in larger enterprises

Tools:

  • Microsoft: WSUS, SCCM, Windows Update for Business, Intune
  • Linux: Ansible, Chef, Puppet, apt/yum automation
  • Enterprise: Qualys VMDR, Tenable, Ivanti Patch Management, ManageEngine

Compliance Relevance

BSI IT-Grundschutz OPS.1.1.3 explicitly requires a patch and change management process.

ISO 27001 A.12.6.1 requires timely management of technical vulnerabilities.

NIS2 Art. 21 mandates vulnerability and patch management as part of risk management.

Key Metric

Patch Compliance Rate: Percentage of systems patched within the SLA timeframe. Target: >95% for critical and highly critical vulnerabilities.
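The following is an added example, not code from the glossary: it encodes the SLA tiers from "Patch Prioritization by SLA" above and computes the patch compliance rate defined here over constructed findings. It assumes CVSS v3 severity bands, takes 2 days as the outer bound of the "24–48 hours" KEV window, and treats an unpatched finding as non-compliant only once its deadline has passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows in days from the page; the KEV "24-48 hours" window is taken as 2 days.
SLA_DAYS = {"kev": 2, "critical": 7, "high": 14, "medium": 30, "low": 90}

def sla_tier(cvss: float, in_kev: bool) -> str:
    """Map a CVSS base score plus CISA KEV membership to one of the page's tiers."""
    if in_kev:          # actively exploited: tightest window regardless of score
        return "kev"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

@dataclass
class Finding:
    host: str
    cvss: float
    in_kev: bool
    available: date          # day the vendor patch became available
    patched: Optional[date]  # None = not yet installed

def deadline(f: Finding) -> date:
    return f.available + timedelta(days=SLA_DAYS[sla_tier(f.cvss, f.in_kev)])

def compliance_rate(findings, today: date, tiers=None) -> Optional[float]:
    """Percent of due findings patched within SLA. A finding is due once patched or
    past its deadline; an open finding still inside its window counts neither way."""
    due = compliant = 0
    for f in findings:
        if tiers and sla_tier(f.cvss, f.in_kev) not in tiers:
            continue
        if f.patched is not None:
            due += 1
            compliant += f.patched <= deadline(f)
        elif deadline(f) < today:
            due += 1        # overdue and still unpatched
    return round(100.0 * compliant / due, 1) if due else None

# Constructed sample data: hostnames and dates are placeholders, not real findings.
TODAY = date(2024, 6, 20)
SAMPLE = [
    Finding("web-01", 9.8, True,  date(2024, 6, 1), date(2024, 6, 2)),   # KEV, in SLA
    Finding("web-02", 9.8, True,  date(2024, 6, 1), date(2024, 6, 5)),   # KEV, late
    Finding("db-01",  9.1, False, date(2024, 6, 1), date(2024, 6, 6)),   # critical, in SLA
    Finding("app-01", 7.5, False, date(2024, 6, 1), None),               # high, overdue
    Finding("app-02", 5.3, False, date(2024, 6, 10), None),              # medium, still open
]
```

Passing `tiers={"kev", "critical"}` gives the figure to compare against the >95% target; the overall rate includes every tier.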