Question: Are vulnerability assessments and patch management processes implemented for all endpoints and workloads?
Why This Matters
Unpatched systems remain the easiest path for attackers. Regular scanning and timely patching close known doors before they are exploited.
Maturity
0 — Unaware
No structured patching; updates ad-hoc.
1 — Ad Hoc
Manual updates applied occasionally; no visibility on coverage.
2 — Defined
Monthly patch cycle established; basic vulnerability scanning.
3 — Managed
Critical vulnerabilities patched within SLA; results tracked.
4 — Integrated
Automated patch deployment and exception handling via tooling.
5 — Optimized
Risk-based patch prioritization using threat intel and exploit likelihood.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Enable automatic OS and application updates. |
| 1 → 2 | Deploy centralized vulnerability scanner and schedule monthly scans. |
| 2 → 3 | Track patch compliance; define critical/medium/low categories with SLAs. |
| 3 → 4 | Automate patching through WSUS, Intune, or Ansible; maintain rollback plan. |
| 4 → 5 | Incorporate threat intelligence to prioritize exploitable vulnerabilities. |
Enablers
- People: Patch coordinator, system owners.
- Process: Patch calendar, vulnerability review board, change control integration.
- Technology: WSUS/Intune, OpenVAS/Nessus, Ansible automation.
Evidence
- Latest vulnerability scan reports.
- Patch compliance dashboard.
- Approved exception register.
KPIs
- Percentage of critical patches applied within SLA.
- Average vulnerability age.
- Number of pending high-risk exceptions.
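The three KPIs above computed over scan findings, as an added example that is not part of this assessment framework; the SLA durations, host names and VULN-nnn identifiers are constructed for illustration, and the exception register is modelled as a flag on each finding.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
# Assumed SLA durations in days per severity (the page defines the categories, not the numbers).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    host: str
    vuln_id: str                        # constructed placeholder identifier, not a real CVE
    severity: str
    detected: date
    remediated: Optional[date] = None   # None while the finding is still open
    exception: bool = False             # approved entry in the exception register

def days_open(f: Finding, today: date) -> int:
    return ((f.remediated or today) - f.detected).days

def critical_within_sla(findings, today):
    """KPI 1: share of critical findings fixed inside SLA, counted once fixed or once the SLA has lapsed."""
    sla = SLA_DAYS["critical"]
    due = [f for f in findings if f.severity == "critical" and (f.remediated or days_open(f, today) > sla)]
    if not due:
        return 1.0
    return sum(1 for f in due if f.remediated and days_open(f, today) <= sla) / len(due)

def average_vuln_age(findings, today):
    """KPI 2: mean days since detection across still-open findings."""
    ages = [days_open(f, today) for f in findings if f.remediated is None]
    return sum(ages) / len(ages) if ages else 0.0

def pending_high_risk_exceptions(findings):
    """KPI 3: open critical/high findings carried as approved exceptions."""
    return sum(1 for f in findings
               if f.exception and f.remediated is None and f.severity in ("critical", "high"))

def overdue(findings, today):
    """Open, non-excepted findings past their SLA: the list the patch coordinator chases."""
    return [f.vuln_id for f in findings
            if f.remediated is None and not f.exception and days_open(f, today) > SLA_DAYS[f.severity]]

# Constructed sample scan results and a constructed assessment date.
TODAY = date(2024, 6, 30)
FINDINGS = [
    Finding("web01", "VULN-001", "critical", date(2024, 6, 1), date(2024, 6, 5)),    # fixed in 4 days
    Finding("web02", "VULN-002", "critical", date(2024, 6, 10), date(2024, 6, 25)),  # fixed in 15 days
    Finding("db01", "VULN-003", "critical", date(2024, 6, 20)),                      # open 10 days
    Finding("app01", "VULN-004", "high", date(2024, 5, 1), exception=True),          # open 60 days
    Finding("fs01", "VULN-005", "medium", date(2024, 4, 11)),                        # open 80 days
]
```

With this sample, only one of three critical findings meets the 7-day SLA, open findings average 50 days old, one high-risk exception is pending, and VULN-003 is the single overdue item; feeding the same functions from a scanner export gives the dashboard figures this section asks for.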
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Vulnerability scanning | OpenVAS / Nmap vulners | Community edition scanners. |
| Patch automation | Ansible / WSUS | Scheduled playbooks or native OS services. |
| Reporting | Grafana + Prometheus | Track patch metrics visually. |
Common Pitfalls
- Delays due to lack of testing window.
- Ignoring third-party or browser updates.
- No rollback strategy for failed patches.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.8.8 (Vulnerability Management) |
| CERT-In 2022 | Section 7 (Vulnerability and Patch Management) |
| DPDP Act 2023 | Sec 9 (Security Safeguards) |
| NIST CSF 2.0 | PR.IP-12 / DE.CM-08 |
| NIRMATA Mapping | EP-Q04 baseline for maturity Level ≥ 3 during assessments. |