Patch Management

Patch management is the process of identifying, testing and installing software updates to close security vulnerabilities. Missing patches are one of the most common causes of successful cyber attacks and can be avoided with a structured process.

    What is patch management?

    A patch is a software update that fixes bugs, closes security vulnerabilities or improves functionality. Patch management is the structured process that ensures patches are identified, tested, approved and installed in a timely manner on all relevant systems.

    Missing patches are one of the most exploited attack vectors. Many of the major cyber attacks in history exploited known vulnerabilities for which patches had been available for weeks or months. Vulnerability scanning reveals these gaps, but only patch management closes them.

    Patch management is closely linked to configuration management (keeping track of what is installed), endpoint security (protecting endpoints against exploitation) and monitoring (detecting attempts to exploit unpatched systems).

    The patch management process

    A structured patch management process includes:

    • Inventory: Know all systems and software in the organisation. You cannot patch what you do not know exists. Configuration management and a CMDB are the foundation.
    • Identification: Monitor vendor releases and security advisories. Vulnerability scanning identifies systems with missing patches.
    • Assessment: Prioritise patches based on the severity of the vulnerability (CVSS score) and the criticality of the system.
    • Testing: Test patches in a test environment to ensure compatibility with existing applications. This is especially important for business-critical systems.
    • Deployment: Install patches according to a set schedule. Use automated tools for endpoints and planned maintenance windows for servers.
    • Verification: Confirm that patches have been installed correctly. Scanning after patching verifies that the vulnerabilities have actually been closed.

    Prioritisation

    Not all patches are equally critical. A risk-based approach ensures that the most important patches are installed first:

    Critical (CVSS 9.0-10.0): Vulnerabilities that can be exploited remotely without authentication and grant full control of the system. Patch within 24-72 hours. If patching is not possible, implement compensating controls such as network segmentation.

    High (CVSS 7.0-8.9): Serious vulnerabilities with limited conditions for exploitation. Patch within one week.

    Medium (CVSS 4.0-6.9): Vulnerabilities with moderate risk. Patch within 30 days via the normal patch cycle.

    Low (CVSS 0.1-3.9): Vulnerabilities with limited impact. Patch in the next scheduled maintenance window.

    Use threat intelligence to adjust prioritisation. A vulnerability with a low CVSS score that is being actively exploited should be prioritised higher than the score alone would suggest.
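
As an added example, not code from the original page, the script below turns the prioritisation bands above and the assessment and verification steps of the process into working Python: each constructed scan finding gets a band and a deadline, the queue is ordered by deadline, and a post-patch scan is compared with the pre-patch one. The one-band uplift for business-critical systems and the promotion to Critical for actively exploited vulnerabilities are assumed rules, and the hostnames and VULN-EXAMPLE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines per band from the text (72 h upper bound for Critical); Low = next maintenance window.
SLA_HOURS = {"Critical": 72, "High": 7 * 24, "Medium": 30 * 24, "Low": None}
BANDS = ["Low", "Medium", "High", "Critical"]

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str              # constructed placeholder, not a real CVE identifier
    cvss: float
    business_critical: bool   # system criticality, as recorded in the CMDB
    actively_exploited: bool  # threat-intelligence flag

def cvss_band(score: float) -> str:
    """Map a CVSS base score to the four severity bands."""
    for floor, band in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return band
    return "Low"

def priority_band(f: Finding) -> str:
    """CVSS band, raised one step for business-critical systems and to Critical
    when threat intelligence reports active exploitation (assumed rules)."""
    idx = BANDS.index(cvss_band(f.cvss))
    if f.business_critical:
        idx = min(idx + 1, len(BANDS) - 1)
    if f.actively_exploited:
        idx = len(BANDS) - 1
    return BANDS[idx]

def patch_deadline(f: Finding, found_at: datetime):
    """Deadline from the SLA table, or None for 'next maintenance window'."""
    hours = SLA_HOURS[priority_band(f)]
    return None if hours is None else found_at + timedelta(hours=hours)

def patch_queue(scan: list, found_at: datetime) -> list:
    """Assessment step: order findings by deadline, undated (Low) ones last."""
    return sorted(scan, key=lambda f: patch_deadline(f, found_at) or datetime.max)

def verify_remediation(before: list, after: list) -> list:
    """Verification step: pre-patch findings still reported by the post-patch scan."""
    still_open = {(f.host, f.vuln_id) for f in after}
    return [f for f in before if (f.host, f.vuln_id) in still_open]

# Constructed sample scan results (hosts and identifiers are made up).
FOUND_AT = datetime(2024, 1, 8, 9, 0)
SCAN = [
    Finding("erp-db-01", "VULN-EXAMPLE-1", 9.8, True, False),
    Finding("intranet-web", "VULN-EXAMPLE-2", 3.1, False, True),  # low score, exploited in the wild
    Finding("laptop-042", "VULN-EXAMPLE-3", 5.5, False, False),
]
```

Feeding a real scanner export into `SCAN` and the CMDB's criticality flag into `business_critical` gives a patch queue that reflects both the score and the asset, which is the risk-based ordering the text calls for.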

    Regulations and standards

    CIS 18 addresses patch management in Control 7 (continuous vulnerability management), requiring timely identification and patching of vulnerabilities.

    ISO 27001 and Annex A include control A.8.8 on the management of technical vulnerabilities. An ISMS should define a patch management policy as part of technical and organisational measures.

    NIS2 requires organisations to handle vulnerabilities proactively. DORA imposes specific requirements on patch management of financial institutions' ICT systems. Under GDPR, patch management is a fundamental measure for protecting personal data.

    Frequently Asked Questions about Patch Management

    How quickly should patches be installed?

    Critical security patches should be installed within 24-72 hours, high-risk patches within one week, and medium- and low-risk patches within 30 days. Prioritisation should be based on the severity of the vulnerability and the criticality of the system.

    What do you do if a patch cannot be installed?

    If a patch cannot be installed immediately (for example due to compatibility issues), you should implement compensating controls. These may include network segmentation, additional monitoring or temporarily disabling the vulnerable feature.

    Should patches be tested before installation?

    Yes. On critical systems, patches should be tested in a test environment first, and business-critical applications should be verified to function correctly after patching. For endpoints, you can roll patches out to a pilot group first.
