
INFRA-4 Patch Management


What is this control about?

Vulnerabilities can be introduced into an organization through outdated software. Servers and workstations must be patched regularly. There isn’t a formal process to follow: patching can be automated or manual, but the point is to have it documented and easily demonstrated.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them.

Patch Management tools
ManageEngine Patch Manager 

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • Patch Management document template

Control implementation

Take an inventory of critical software and endpoints to be patched

Define your patching process (this depends on the nature of your software; document what is appropriate for each piece of software)

Follow your documented patching process and run the patches on a regular basis (you define the frequency based on your environment)

What evidence do auditors look for?

Most auditors, at a minimum, look for the suggested actions below.

  • Patching procedure that includes the inventory of software and endpoints to be patched
  • Patching maintenance schedule
  • Provide a most recent example of patching that was completed

Evidence example

From the suggested action above, an example is provided below.

1.    Document the patching process that includes the inventory of software and endpoints to be patched.

Upload a policy or procedure. See the template for the main agenda topics to address in your procedure.

No screenshot is deemed necessary, as the provided template serves as an artifact example.

2.     Provide a patch maintenance schedule and most recent example of patching completion.

It can be a recurring calendar event or a documented calendar such as the one below:

[Screenshot: Google search results for “patch maintenance calendar”]
