INFRA-4 Patch Management


What is INFRA-4 Patch Management Control?

The Patch Management control recognizes that outdated software introduces known, exploitable vulnerabilities into an organization, so servers and workstations must be patched regularly. The control does not prescribe a specific process: patching can be automated or manual, but the process must be documented and easy to demonstrate to an auditor.

Available tools in the marketplace

The following list is crowdsourced from our customer base or from external research. TrustCloud does not endorse any of the tools below, as we have not used them.

Patch Management tools
ManageEngine Patch Manager 

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version.

Control implementation

To implement this control:

  1. Take an inventory of the critical software and endpoints to be patched.
  2. Define your patching process. The appropriate approach and cadence differ by software, so document what applies to each item in the inventory.
  3. Follow the documented process and run patches on a regular schedule; you set the frequency based on your environment and record each completed run.
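The three steps above, and the "most recent example of completed patching" that auditors ask for later on this page, come down to one check: compare each inventoried asset's last patch date against the cadence your documented process sets for its software class, and keep a dated record of the result. The script below is an added example and not TrustCloud's or any vendor's code; the inventory, host names, software classes and cadence values are constructed for illustration, and a real implementation would read the inventory from your asset system instead of a hard-coded list.

```python
"""Patch-compliance check against a documented patching cadence.

Added example with constructed data: the inventory, host names and
cadence table are hypothetical, not TrustCloud data.
"""
from dataclasses import dataclass, asdict
from datetime import date
import json

# Step 2 of the control: the documented cadence per software class.
# Hypothetical values; a real procedure sets these per environment.
PATCH_CADENCE_DAYS = {
    "operating-system": 30,
    "web-server": 14,
    "database": 30,
    "workstation": 30,
}


@dataclass
class Asset:
    hostname: str
    software: str
    software_class: str
    installed_version: str
    last_patched: date  # date of the most recent completed patch run


# Step 1 of the control: inventory of critical software and endpoints
# (constructed sample data).
INVENTORY = [
    Asset("web-01", "nginx", "web-server", "1.24.0", date(2024, 5, 20)),
    Asset("web-02", "nginx", "web-server", "1.22.1", date(2024, 4, 28)),
    Asset("db-01", "postgresql", "database", "15.6", date(2024, 5, 2)),
    Asset("ws-117", "Windows 11", "workstation", "23H2", date(2024, 3, 30)),
]


def days_since_patch(asset: Asset, today: date) -> int:
    """Whole days elapsed since the asset's last completed patch run."""
    return (today - asset.last_patched).days


def overdue_assets(inventory, cadence, today):
    """Assets whose last patch run is older than the cadence for their class.

    A class missing from the cadence table is a gap in the documented
    procedure, so it is reported as overdue rather than silently skipped.
    """
    overdue = []
    for asset in inventory:
        limit = cadence.get(asset.software_class)
        if limit is None or days_since_patch(asset, today) > limit:
            overdue.append(asset)
    return overdue


def evidence_record(inventory, cadence, today):
    """Snapshot an auditor can file: what was checked, when, and what failed."""
    overdue = overdue_assets(inventory, cadence, today)
    return {
        "checked_on": today.isoformat(),
        "cadence_days": cadence,
        "assets_checked": len(inventory),
        "overdue": [
            {
                **asdict(a),
                "last_patched": a.last_patched.isoformat(),
                "days_since_patch": days_since_patch(a, today),
                "limit_days": cadence.get(a.software_class),
            }
            for a in overdue
        ],
        "compliant": not overdue,
    }


def run_check(today_iso: str, cadence=None):
    """Run the check for a given date (ISO string) against the sample inventory."""
    cadence = PATCH_CADENCE_DAYS if cadence is None else cadence
    return evidence_record(INVENTORY, cadence, date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Step 3: run on schedule and keep the dated output as evidence.
    print(json.dumps(run_check("2024-05-31"), indent=2))
```

Run it as a scheduled job and archive the JSON it prints; the `checked_on` date plus the empty or non-empty `overdue` list is exactly the "most recent example of patching" an auditor asks for, and an asset whose software class has no cadence entry surfaces as a procedure gap instead of disappearing from the report.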

What evidence do auditors look for?

Most auditors look, at a minimum, for the following:

  1. A patching procedure that includes the inventory of software and endpoints to be patched.
  2. A patching maintenance schedule.
  3. The most recent example of patching that was completed.

Evidence example

For each suggested action, an example is provided below:

  1. A patching procedure that includes the inventory of software and endpoints to be patched.
    Upload a policy or procedure. See the template for the main agenda topics to address in your procedure.
    A Patch Management Process Template serves as an evidence example.
  2. A patch maintenance schedule and the most recent example of patch completion.
    This can be a recurring calendar event or a documented calendar, such as the one shown in the screenshot below.
    (Screenshot of a patch maintenance calendar, taken from Google search results for “patch maintenance calendar”.)
