2026-03-08
By Emre SalmanogluPatch Management: The Complete Guide for Compliance and Security Teams
Learn how to implement patch management that satisfies ISO 27001, SOC 2, NIS2, and DORA requirements. Covers patching strategies, SLA timelines, vulnerability prioritisation, and compliance evidence.
patch management
vulnerability management
security updates
compliance
cybersecurity
What Is Patch Management?
Patch management is the systematic process of identifying, testing, and deploying software updates to fix security vulnerabilities and bugs across an organisation's IT environment. Unpatched vulnerabilities remain one of the most exploited attack vectors, making patch management one of the most impactful security controls an organisation can implement.
For compliance-driven organisations, patch management is a core control required by ISO 27001, SOC 2, NIS2, and DORA, with auditors specifically examining patching policies, SLA compliance, and exception management.
Patching SLA Framework
| Severity | CVSS Score | Patch SLA | Example |
|---|---|---|---|
| Critical | 9.0-10.0 | 24-72 hours | Remote code execution, zero-day exploits |
| High | 7.0-8.9 | 7-14 days | Privilege escalation, authentication bypass |
| Medium | 4.0-6.9 | 30 days | Information disclosure, cross-site scripting |
| Low | 0.1-3.9 | 90 days | Minor information leakage, low-impact bugs |
Patch Management Process
| Phase | Activities | Output |
|---|---|---|
| Discovery | Identify available patches from all vendors | Patch inventory with severity ratings |
| Assessment | Evaluate applicability and risk of each patch | Prioritised patch list |
| Testing | Test patches in staging environment for compatibility | Test results and approval |
| Planning | Schedule deployment windows, prepare rollback plans | Deployment schedule and change requests |
| Deployment | Deploy patches to production systems | Deployment confirmation logs |
| Verification | Scan to confirm patches applied, test functionality | Post-patch scan results |
| Reporting | Document compliance, track exceptions | Patch compliance report |
Patch Management Tools
| Category | Tools | Use Case |
|---|---|---|
| Enterprise | SCCM/MECM, Ivanti, ManageEngine | Large on-premises environments |
| Cloud-native | AWS Systems Manager, Azure Update Manager | Cloud infrastructure patching |
| Unified | Automox, Tanium, NinjaRMM | Cross-platform and hybrid environments |
| Container | Dependabot, Renovate, Snyk | Application dependency patching |
| Linux | Canonical Livepatch, Red Hat Satellite | Linux server environments |
| Vulnerability | Qualys, Tenable, Rapid7 | Vulnerability-driven patch prioritisation |
Patch Compliance Metrics
| Metric | Target | How to Measure |
|---|---|---|
| Patch compliance rate | > 95% | Systems patched within SLA ÷ total systems |
| Mean time to patch (critical) | < 72 hours | Average days from release to deployment |
| Critical patch coverage | 100% | Critical patches applied within SLA |
| Exception count | < 5% of assets | Systems with approved exceptions |
| Patch failure rate | < 2% | Patches requiring rollback |
| Scan coverage | 100% | Assets included in vulnerability scanning |
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA |
|---|---|---|---|---|
| Vulnerability management | A.8.8 | CC7.1 | Art. 21(2)(e) | Art. 9(2) |
| Timely patching | A.8.8 | CC7.1 | Art. 21(2)(e) | Art. 9(2) |
| Change management | A.8.32 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
| Risk assessment | A.8.8 | CC3.2 | Art. 21(2)(a) | Art. 9(1) |
| Testing | A.8.29 | CC8.1 | Art. 21(2)(e) | Art. 9(4)(e) |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Patch management policy | Documented policy with SLAs by severity | All frameworks |
| Patch compliance reports | Monthly reports showing SLA adherence | All frameworks |
| Exception register | Documented exceptions with risk acceptance and remediation plans | All frameworks |
| Vulnerability scan results | Pre and post-patch scan comparisons | All frameworks |
| Change records | Change tickets for patch deployments | ISO 27001, SOC 2 |
| Test results | Evidence of patch testing before production deployment | All frameworks |
| Rollback procedures | Documented procedures for failed patches | ISO 27001, DORA |
Common Mistakes
| Mistake | Risk | Fix |
|---|---|---|
| No defined patching SLAs | No accountability for patching speed | Document severity-based SLAs in policy |
| Patching OS but not applications | Third-party application vulnerabilities exploited | Include all software in patch scope |
| No staging environment testing | Patches break production systems | Test in staging before production deployment |
| Ignoring firmware and IoT | Network devices and IoT remain vulnerable | Include firmware in patch inventory |
| Manual tracking only | Patches missed, compliance gaps undetected | Use automated patch management tools |
| No exception process | Unpatched systems with no documentation or risk acceptance | Formal exception process with compensating controls |
How Orbiq Supports Patch Management Compliance
Orbiq helps you demonstrate patch management controls:
- Evidence collection — Centralise patch policies, compliance reports, and exception registers
- Continuous monitoring — Track patch compliance rates and SLA adherence
- Trust Center — Share your vulnerability management posture via your Trust Center
- Compliance mapping — Map patching controls to ISO 27001, SOC 2, NIS2, and DORA
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading
- Vulnerability Management — Comprehensive vulnerability lifecycle
- Change Management — Change control for patch deployments
- Endpoint Security — Endpoint protection including patching
- Cloud Security — Patching in cloud environments
- DevSecOps — Automated patching in CI/CD pipelines