Patch management is the process of identifying, testing, and deploying software updates that fix security vulnerabilities and bugs in operating systems, applications, and firmware. Unpatched software is one of the most exploited attack vectors: the majority of breaches involve vulnerabilities for which a patch was available but had not been applied. A structured patch management program is essential for maintaining a defensible security posture.
Effective patch management requires knowing what software is installed across the environment. A complete software inventory, mapped to vendor patch release schedules, provides the foundation for a proactive patching program. Critical and high-severity vulnerabilities should be patched within 14 days of release, while moderate vulnerabilities should be addressed within 30 days.
Automation is key to sustainable patch management. Manual patching does not scale and is error-prone. Tools like Microsoft WSUS, Intune, Automox, or Ivanti can automate the deployment of patches across endpoints and servers, with the ability to stage rollouts, schedule maintenance windows, and report on compliance rates. Cloud-based patch management tools are particularly valuable for organizations with remote workforces.
Not all patches can be deployed immediately. Some updates require testing to ensure compatibility with business-critical applications. A risk-based approach prioritizes patches based on the severity of the vulnerability, the exposure of the affected system, and the availability of active exploits. Patches for actively exploited vulnerabilities (as tracked by CISA's Known Exploited Vulnerabilities catalog) should be treated as emergencies and deployed as quickly as possible.
Patch management is a standard topic on cyber insurance applications. Insurers ask about patching cadence, the timeframe for deploying critical patches, and whether the organization uses automated patch management tools. Unpatched systems are involved in a significant percentage of ransomware and data breach claims, making this a critical underwriting factor.
Organizations that can demonstrate a documented patch management policy with defined timelines, automated deployment, and compliance reporting are viewed as lower-risk. Insurers may also ask specifically about end-of-life software, systems that no longer receive security patches, and whether such systems are isolated or replaced.
HIPAA requires organizations to protect against reasonably anticipated threats, which includes applying security patches. Healthcare environments often include legacy systems and medical devices with delayed patch cycles. Organizations should implement compensating controls for devices that cannot be patched immediately.
Law firms rely on a diverse set of applications including case management, document management, and billing systems. Each must be included in the patch management program. The ABA's duty of technology competence extends to keeping systems current with security updates.
PCI-DSS Requirement 6.3.3 mandates that critical patches be applied within one month of release. FFIEC guidance requires financial institutions to maintain a formal patch management program. Bank examiners specifically assess patching practices and compliance rates during examinations.
PCI-DSS Requirement 6.3.3 requires installation of critical security patches within one month of release for systems in the cardholder data environment. Retail organizations with distributed POS systems must ensure patches are deployed across all locations, including franchise and seasonal sites.
NIST 800-171 control SI.L2-3.14.1 requires flaw remediation, including patching. CISA's Binding Operational Directive 22-01 requires federal agencies and contractors to remediate known exploited vulnerabilities within specific timeframes. CMMC assessors verify that patching procedures are documented and followed.
Maintain a complete inventory of all software and operating systems deployed in the environment
Deploy automated patch management tools to streamline distribution across endpoints and servers
Establish patching timelines: 14 days for critical vulnerabilities, 30 days for moderate, 90 days for low
Monitor CISA's Known Exploited Vulnerabilities catalog and treat listed vulnerabilities as emergencies
Generate monthly patch compliance reports and remediate non-compliant systems promptly
Identify and develop a plan to replace or isolate end-of-life software that no longer receives patches
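The risk-based prioritization described above (severity, exposure, and active exploitation) and the checklist items on timelines, KEV monitoring, and monthly compliance reporting can be expressed as a small policy engine. The following is an added example, not code from the original page or from any of the tools it names. It assumes a constructed vulnerability inventory with placeholder CVE identifiers and hostnames, a hand-built set standing in for the CISA KEV catalog, and a sort order (KEV first, then internet-exposed, then severity, then earliest deadline) that is this example's own choice; the 14/30/90-day windows and the "KEV is an emergency" rule are the ones stated on the page.

```python
"""Risk-based patch prioritization and SLA compliance reporting (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Remediation windows from the policy: days allowed after the patch is released.
# Critical and high share the 14-day window; KEV entries get no window at all.
SLA_DAYS = {"critical": 14, "high": 14, "moderate": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


@dataclass
class Finding:
    host: str
    cve: str                      # placeholder ids below; not real CVEs
    severity: str                 # "critical", "high", "moderate" or "low"
    patch_released: date
    internet_exposed: bool
    patched_on: Optional[date] = None


def due_date(f: Finding, kev: Set[str]) -> date:
    """Deadline for a finding. An actively exploited (KEV) vulnerability is an
    emergency and is due the day its patch is released; everything else gets
    the severity-based window."""
    if f.cve in kev:
        return f.patch_released
    return f.patch_released + timedelta(days=SLA_DAYS[f.severity])


def priority_key(f: Finding, kev: Set[str]):
    """Sort key: KEV first, then internet-facing systems, then severity, then
    earliest deadline. The ordering is an assumption made for this example."""
    return (f.cve not in kev, not f.internet_exposed,
            SEVERITY_RANK[f.severity], due_date(f, kev))


def prioritize(findings: List[Finding], kev: Set[str]) -> List[Finding]:
    """Return the unpatched findings in the order they should be worked."""
    open_items = [f for f in findings if f.patched_on is None]
    return sorted(open_items, key=lambda f: priority_key(f, kev))


def status(f: Finding, kev: Set[str], as_of: date) -> str:
    """Classify a finding relative to its deadline as of a reporting date."""
    due = due_date(f, kev)
    if f.patched_on is not None:
        return "patched" if f.patched_on <= due else "patched-late"
    return "overdue" if as_of > due else "open"


def compliance_report(findings: List[Finding], kev: Set[str], as_of: date) -> Dict:
    """Per-host status counts plus an overall compliance rate: the share of
    findings that were patched on time or are still inside their window."""
    hosts: Dict[str, Dict[str, int]] = {}
    within_sla = 0
    for f in findings:
        s = status(f, kev, as_of)
        hosts.setdefault(f.host, {})
        hosts[f.host][s] = hosts[f.host].get(s, 0) + 1
        if s in ("patched", "open"):
            within_sla += 1
    rate = within_sla / len(findings) if findings else 1.0
    return {"as_of": as_of.isoformat(), "hosts": hosts,
            "compliance_rate": round(rate, 3)}


# Constructed sample data: placeholder CVE ids, made-up hosts, and a fake KEV set.
KEV = {"CVE-0000-0001"}
AS_OF = date(2024, 3, 1)
SAMPLE = [
    # KEV entry, unpatched: due the release day (2024-02-20), so overdue.
    Finding("web-01", "CVE-0000-0001", "high", date(2024, 2, 20), True),
    # Moderate, 30-day window: due 2024-03-16, still open.
    Finding("web-01", "CVE-0000-0002", "moderate", date(2024, 2, 15), True),
    # Critical, 14-day window: due 2024-02-15, patched 2024-02-10 (on time).
    Finding("db-01", "CVE-0000-0003", "critical", date(2024, 2, 1), False, date(2024, 2, 10)),
    # Low, 90-day window from 2023-11-01: due 2024-01-30, unpatched, overdue.
    Finding("db-01", "CVE-0000-0004", "low", date(2023, 11, 1), False),
    # Critical, due 2024-02-15 but patched 2024-02-20: late.
    Finding("hr-pc-7", "CVE-0000-0005", "critical", date(2024, 2, 1), False, date(2024, 2, 20)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE, KEV):
        print(f"{f.host:8} {f.cve} due {due_date(f, KEV)} ({status(f, KEV, AS_OF)})")
    print(compliance_report(SAMPLE, KEV, AS_OF))
```

Running the block lists the three unpatched findings with the KEV entry first and the internet-facing host ahead of the internal one, then prints a report in which only two of the five findings count toward compliance (one patched on time, one still in its window). Feeding real inventory data into `Finding` records and replacing `KEV` with the current catalog turns this into the monthly compliance report the checklist calls for.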