Patch Management
Structured update procedure
Practitioner's note: This article is practice-oriented compliance documentation, not legal advice. We are a compliance specialist, not a law firm. For legally binding information please consult a licensed lawyer.
TL;DR
Patch management under Section 30 (2) no. 7 BSIG is the structured identification, assessment, testing and deployment of software updates, followed by verification that the update actually took effect. Standards: NIST SP 800-40 (Guide to Enterprise Patch Management Planning), ISO/IEC 27002:2022 control 8.8 (Management of technical vulnerabilities).
What is Patch Management?
Patch management cycle:
- Identify vulnerability (CVE feed, vendor advisory, scanner findings)
- Assess criticality (CVSS base score, plus whether the vulnerability is known to be exploited and whether the affected system is exposed; CVSS alone does not capture exploitability)
- Test patch (staging environment, with a rollback plan)
- Deploy and roll out
- Verify installation (rescan, inventory check) and document
Best-practice cycles:
- Critical patches: 24-72h
- High: 1 week
- Medium: 1 month
- Low: 3 months
Practical example
Microsoft Patch Tuesday: 12 patches. CVSS 9.0 or higher: 2 patches → immediately, within 72h. CVSS 7.0-8.9: 4 patches → within 1 week. Remaining 6: within 1 month. Any patch for a vulnerability already being exploited in the wild moves into the critical window regardless of its score.
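As an added worked example of the cycle and of the Patch Tuesday triage above (editorial code, not from the original page or from any vendor tool), the script below buckets advisories by severity, derives a deadline from the SLA table on this page, and performs the verification step by checking an asset inventory for hosts still running a vulnerable version. All CVE IDs, product names, versions and hostnames are constructed; the escalation of known-exploited vulnerabilities to "critical" and the 30/90-day readings of "1 month"/"3 months" are the editor's assumptions.

```python
"""Patch triage helper: buckets advisories by severity, derives a deadline from
the SLA table on this page, and checks an asset inventory to see which hosts
are still running a vulnerable version (the "verify" step).

Added editorial example, not from the original page or any vendor tool.
All CVE IDs, product names, versions and hostnames below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Upper bound of each SLA window from the page: critical 72h, high 1 week,
# medium 1 month (taken as 30 days), low 3 months (taken as 90 days).
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_version: str       # first version that contains the fix
    cvss: float              # CVSS v3 base score from the advisory
    published: date
    exploited: bool = False  # known exploitation in the wild (assumption: from a KEV-style feed)


def severity(cvss, exploited=False):
    """Map a CVSS score to the four classes used on this page.

    Editor's assumption: anything with confirmed in-the-wild exploitation is
    escalated to 'critical' even if the base score is lower, because CVSS alone
    does not capture exploitability.
    """
    if exploited or cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def deadline(adv):
    """Deadline = advisory publication date + SLA window for its severity."""
    return adv.published + timedelta(days=SLA_DAYS[severity(adv.cvss, adv.exploited)])


def parse_version(v):
    """Dotted numeric versions only (e.g. '2.4.1'); vendor-specific schemes
    need their own comparison rules."""
    return tuple(int(part) for part in v.split("."))


def affected_hosts(adv, inventory):
    """Hosts whose installed version of adv.product is older than the fixed
    version. inventory: {hostname: {product: installed_version}}."""
    return sorted(
        host for host, software in inventory.items()
        if adv.product in software
        and parse_version(software[adv.product]) < parse_version(adv.fixed_version)
    )


def triage(advisories, inventory, today):
    """One row per advisory, sorted by deadline: severity, deadline, exposed
    hosts, and whether the SLA is already breached. Rows with no exposed hosts
    are kept so the 'not affected' decision is documented too."""
    rows = []
    for adv in advisories:
        hosts = affected_hosts(adv, inventory)
        due = deadline(adv)
        rows.append({
            "cve": adv.cve,
            "severity": severity(adv.cvss, adv.exploited),
            "deadline": due,
            "hosts": hosts,
            "overdue": bool(hosts) and today > due,
        })
    return sorted(rows, key=lambda r: r["deadline"])


def severity_counts(advisories):
    """Counts per class, i.e. the split used in the Patch Tuesday example."""
    counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for adv in advisories:
        counts[severity(adv.cvss, adv.exploited)] += 1
    return counts


# Constructed sample data (fictional CVE IDs, products, versions and hosts).
SAMPLE_ADVISORIES = [
    Advisory("CVE-0000-0001", "example-agent", "2.4.1", 9.8, date(2025, 1, 14)),
    Advisory("CVE-0000-0002", "example-db", "11.3", 7.5, date(2025, 1, 14)),
    Advisory("CVE-0000-0003", "example-agent", "2.3.0", 5.3, date(2024, 12, 20), exploited=True),
    Advisory("CVE-0000-0004", "example-cli", "1.0.5", 3.1, date(2025, 1, 14)),
]
SAMPLE_INVENTORY = {
    "web-01": {"example-agent": "2.4.1", "example-db": "11.2"},
    "web-02": {"example-agent": "2.2.9"},
    "db-01": {"example-db": "11.3"},
}
SAMPLE_TODAY = date(2025, 1, 20)  # constructed "as of" date for the overdue check

if __name__ == "__main__":
    for row in triage(SAMPLE_ADVISORIES, SAMPLE_INVENTORY, SAMPLE_TODAY):
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["cve"]}  {row["severity"]:8}  due {row["deadline"]}  hosts={row["hosts"]}  {flag}')
```

Two points are worth noting. The inventory check is what turns "we deployed the patch" into "the patch is installed where it matters": a host on the fixed version drops out of the row, a host that was missed stays in it and eventually shows up as overdue. And the `exploited` flag shows why the CVSS number on its own is a weak triage key: the 5.3 advisory in the sample data is the most urgent item in the queue.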
Frequently asked questions
Which tools support patch management?
MS Defender for Endpoint, Tanium, ManageEngine Patch Manager.
How often should we scan for vulnerabilities?
Weekly is recommended, plus a rescan after each patch cycle to confirm that the updates took effect; tools: Nessus, Qualys, OpenVAS.