INF-008 Patch Management
Description
Security patches are applied to all production systems within defined timelines based on severity. Critical security patches are applied within a documented emergency window. Patch status is tracked and reported. Systems that cannot be patched promptly have compensating controls documented.
Rationale
Timely patching closes known vulnerability windows. SLA-bound patching with compensating controls for exceptions provides the structured rigour needed to pass audits.
Framework Mappings (4)
| Control ID | Control Title | Coverage |
|---|---|---|
| TVM-05 | Detection Updates | full |
| TVM-06 | External Library Vulnerabilities | full |
| 8.8 | Management of technical vulnerabilities | partial |
| SI-2 | Flaw Remediation | full |
Evidence (2)
Patch compliance report showing patch status across all production systems, including patch age and compliance against defined SLA timelines.
Example: AWS Systems Manager Patch Manager compliance report, Qualys patch report, or equivalent showing patch status per system, days since patch release, and SLA compliance percentage for the current patch cycle.
Test: Request the most recent patch compliance report. Verify: (1) all in-scope production systems appear in the report; (2) critical and high severity patches are applied within the documented SLA window; (3) systems outside SLA have a documented exception with a compensating control; (4) reports are generated at the defined frequency.
Patch management policy or procedure defining severity-based patching timelines, emergency patch process, and compensating control requirements for delayed patches.
Example: Patch Management Policy or Procedure document (version-controlled, approved within the last 12 months) specifying SLA windows by CVSS severity band and the exception approval process.
Test: Request the patch management policy. Verify: (1) SLA timelines are defined for each severity band (critical, high, medium, low); (2) an emergency patching procedure is defined; (3) the exception process requires documented compensating controls; (4) the document is approved by a named owner.
Questions (2)
Are security patches applied to all production systems within defined SLA timelines based on severity, with tracked remediation and documented compensating controls for exceptions?
A formal patch management policy should define timelines per severity band (critical, high, medium, low) and include an emergency patching process for zero-day or actively exploited vulnerabilities.
What is the defined patching SLA for high severity patches (CVSS 7.0–8.9) in production systems?
30 days is the widely accepted baseline for high severity patches. 14 days is considered strong practice. Anything beyond 30 days requires documented compensating controls.
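The patch compliance report test (checks 2 and 3) and the 30-day high-severity baseline, as an added example that is not part of this control catalogue: a Python checker that classifies each record of a constructed patch report as compliant, pending, exception or breach and computes the SLA compliance percentage. The SLA table (apart from the 30-day high band), host names, patch identifiers, dates and the exception reference are assumed values.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Assumed SLA windows in days per CVSS severity band. The control gives 30 days
# as the high-severity baseline; the other three values are hypothetical.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def severity_band(cvss: float) -> str:  # CVSS v3 qualitative bands
    for band, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if cvss >= floor:
            return band
    return "low"

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    cvss: float
    released: date
    installed: Optional[date]            # None means the patch is still missing
    exception_ref: Optional[str] = None  # documented compensating control, if any

def evaluate(records, as_of: date):  # implements evidence test checks (2) and (3)
    findings = []
    for r in records:
        sla = SLA_DAYS[severity_band(r.cvss)]
        age = ((r.installed or as_of) - r.released).days  # patch age in days
        if age <= sla:
            status = "compliant" if r.installed else "pending"  # still inside window
        elif r.exception_ref:
            status = "exception"  # outside SLA, compensating control documented
        else:
            status = "breach"     # outside SLA with no documented exception
        findings.append({"host": r.host, "patch": r.patch_id, "age": age,
                         "sla": sla, "status": status})
    return findings

def compliance_summary(findings):  # exceptions are reported, not counted as compliant
    ok = sum(f["status"] in ("compliant", "pending") for f in findings)
    pct = round(100.0 * ok / len(findings), 1)
    return pct, [f for f in findings if f["status"] == "breach"]

# Constructed sample report: hypothetical hosts, patch ids, dates and exception id.
AS_OF = date(2024, 6, 30)
SAMPLE_REPORT = [
    PatchRecord("web-01", "PATCH-001", 9.8, date(2024, 6, 20), date(2024, 6, 24)),
    PatchRecord("web-02", "PATCH-002", 7.5, date(2024, 5, 1), None),
    PatchRecord("db-01", "PATCH-002", 7.5, date(2024, 5, 1), None, "EXC-0042"),
    PatchRecord("app-01", "PATCH-003", 5.3, date(2024, 2, 1), date(2024, 4, 15)),
    PatchRecord("app-02", "PATCH-004", 8.1, date(2024, 6, 15), None),
]
```

Running `compliance_summary(evaluate(SAMPLE_REPORT, AS_OF))` on the sample yields 60.0% SLA compliance with one breach (web-02) and one documented exception (db-01), which is the split an auditor needs to see separated in the report.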