Patch Management Procedure Free Template

Here is a full Patch Management Procedure document written to align with ISO 27001 (A.8.8, A.8.9) and SOC 2 (CC8.1, CC8.2) compliance requirements:

1. Document Control

  • Document Title: Patch Management Procedure

  • Document Identifier: PRC-IT-004

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <IT Operations Manager>

  • Approved By: <Chief Information Security Officer>

2. Purpose

The purpose of this Patch Management Procedure is to define a standardized approach for identifying, evaluating, testing, approving, deploying, and verifying software patches and updates across all systems and applications managed by <Organization Name>. Timely and consistent application of patches is critical to minimizing security vulnerabilities, ensuring system stability, and maintaining compliance with regulatory and contractual requirements.

This procedure supports SOC 2 Trust Services Criteria CC8.1 and CC8.2, which require the implementation and monitoring of change and configuration controls. It also aligns with ISO/IEC 27001:2022 Controls A.8.10 (Management of technical vulnerabilities), A.5.28 (Secure development lifecycle), and A.5.30 (Protection of information systems during testing), ensuring that vulnerabilities are managed through effective patching practices.

3. Scope

This procedure applies to all systems and assets managed by <Organization Name>, including:

  • Servers, endpoints, and virtual machines

  • Network devices, firewalls, and appliances

  • Software applications, middleware, and databases

  • Cloud-based platforms and SaaS environments

  • Development, staging, and production systems

It covers operating system patches, application updates, firmware, and third-party libraries.

4. Procedure Statement

<Organization Name> mandates a structured patch management lifecycle for all in-scope systems. The procedure shall include:

  1. Patch Identification: Subscribe to trusted vulnerability feeds (e.g., NVD, vendor advisories) and perform automated scans to detect missing patches.

  2. Patch Evaluation: Classify patches based on criticality using CVSS scores and asset sensitivity. Risk-ranked timeframes for remediation are:

    • Critical (CVSS ≥ 9.0): Within 48 hours

    • High (CVSS 7.0–8.9): Within 7 days

    • Medium (CVSS 4.0–6.9): Within 30 days

    • Low (CVSS < 4.0): Within 90 days or scheduled maintenance

  3. Change Approval: Submit change requests for patch deployments via the formal Change Management Process. High-impact changes must be reviewed by the Change Advisory Board (CAB).

  4. Patch Testing: All patches must be tested in non-production environments with rollback plans before deployment.

  5. Patch Deployment: Deploy approved patches using automation tools where possible. Manual deployments require peer review.

  6. Post-Deployment Verification: Perform rescans and system checks to confirm successful application.

  7. Exception Handling: Justify and document any patch deferrals. Implement compensating controls and escalate to CISO.
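As an added illustration (not part of the original template), the following Python applies the severity bands and remediation windows from step 2 to a constructed set of scan findings, assigns each a status (remediated within SLA, remediated late, open, overdue, or deferred under a documented exception per step 7), and derives the PTM-06 metrics. The Finding fields, the finding identifiers and asset names, and the metric definitions (cycle time = detection to patch; success rate = share of remediated findings closed within SLA; exceptions = approved deferrals) are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Risk-ranked remediation windows from Section 4, step 2, in hours.
# "Low" uses the 90-day bound; the alternative "scheduled maintenance"
# date is not modelled here.
SLA_HOURS = {"Critical": 48, "High": 7 * 24, "Medium": 30 * 24, "Low": 90 * 24}


def classify(cvss: float) -> str:
    """Map a CVSS base score to the procedure's severity bands."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def due_date(detected: datetime, cvss: float) -> datetime:
    """Remediation deadline: detection time plus the band's SLA window."""
    return detected + timedelta(hours=SLA_HOURS[classify(cvss)])


@dataclass
class Finding:
    finding_id: str                 # hypothetical identifier, constructed
    asset: str                      # hypothetical asset name, constructed
    cvss: float
    detected: datetime
    patched: Optional[datetime] = None
    exception_approved: bool = False  # documented deferral (step 7)


def status(f: Finding, now: datetime) -> str:
    """Classify one finding relative to its SLA deadline."""
    due = due_date(f.detected, f.cvss)
    if f.patched is not None:
        return "remediated_in_sla" if f.patched <= due else "remediated_late"
    if f.exception_approved:
        return "deferred"
    return "overdue" if now > due else "open"


def quarterly_metrics(findings: List[Finding], now: datetime) -> Dict[str, object]:
    """PTM-06 metrics (assumed definitions): mean cycle time in hours over
    remediated findings, success rate = share of remediated findings closed
    within SLA, exceptions = approved deferrals, plus an overdue count."""
    remediated = [f for f in findings if f.patched is not None]
    cycle_hours = [(f.patched - f.detected).total_seconds() / 3600 for f in remediated]
    in_sla = sum(1 for f in remediated if status(f, now) == "remediated_in_sla")
    return {
        "mean_cycle_time_hours": round(sum(cycle_hours) / len(cycle_hours), 1) if cycle_hours else None,
        "success_rate": round(in_sla / len(remediated), 3) if remediated else None,
        "exceptions": sum(1 for f in findings if status(f, now) == "deferred"),
        "overdue": sum(1 for f in findings if status(f, now) == "overdue"),
    }


# Constructed sample data: a hypothetical scan export and audit timestamp.
NOW = datetime(2025, 7, 20, 12, 0)
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", 9.8, datetime(2025, 7, 1, 10, 0), patched=datetime(2025, 7, 2, 9, 0)),
    Finding("F-002", "db-02", 7.5, datetime(2025, 7, 1, 10, 0), patched=datetime(2025, 7, 10, 8, 0)),
    Finding("F-003", "app-03", 5.3, datetime(2025, 7, 1, 10, 0)),
    Finding("F-004", "legacy-04", 3.1, datetime(2025, 4, 1, 9, 0), exception_approved=True),
    Finding("F-005", "vpn-05", 8.1, datetime(2025, 7, 1, 10, 0)),
]


def report(findings: List[Finding] = SAMPLE_FINDINGS, now: datetime = NOW) -> Dict[str, str]:
    """Per-finding SLA status keyed by finding identifier."""
    return {f.finding_id: status(f, now) for f in findings}


if __name__ == "__main__":
    for fid, st in report().items():
        print(f"{fid}: {st}")
    print(quarterly_metrics(SAMPLE_FINDINGS, NOW))
```

Run against a real scanner export, the same two functions give the evidence an auditor asks for under Section 7: which findings breached their window, and which were deferred with an approved exception rather than simply left open.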

5. Safeguards

To enforce this procedure, <Organization Name> utilizes the following safeguards:

Control ID   Safeguard Description
PTM-01       Vulnerability scanning tools run weekly on all critical assets
PTM-02       Approved patch deployment tools include WSUS, SCCM, Ansible, etc.
PTM-03       Patching calendars and blackout windows are published and enforced
PTM-04       High-risk patches must include tested rollback mechanisms
PTM-05       Patch logs and remediation evidence retained for at least 12 months
PTM-06       Metrics tracked: patch cycle time, success rate, and exceptions per quarter

6. Roles and Responsibilities

  • IT Operations Manager: Owns the patch management lifecycle and ensures coordination with other IT and Security functions.

  • Security Team: Identifies vulnerabilities, classifies risk levels, and audits patching compliance.

  • System Administrators: Implement patching on assigned systems, test changes, and log completion.

  • Change Advisory Board (CAB): Reviews and approves patch plans that affect production systems.

  • Developers: Patch development libraries and runtime environments as part of the secure SDLC.

7. Compliance and Exceptions

Compliance with this procedure is assessed via quarterly patch audits, vulnerability scan reports, and change management logs. Any exceptions must be approved in writing by the CISO, documented in the exception register, and subject to a compensating control plan and review.

Non-compliance with patching timelines may result in escalations to senior leadership and trigger additional scrutiny during internal or external audits.

8. Enforcement

Any employee or contractor who fails to comply with this procedure may be subject to disciplinary action in accordance with the Enforcement section of the Information Security Policy. Repeated or intentional violations may result in suspension of system access, formal warnings, or termination. Third-party vendors in breach may face contract termination or financial penalties.

All enforcement actions must be documented and reviewed by HR, Legal, and Information Security.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-004: Change Management Policy

  • PRC-IT-003: System Configuration Management Procedure

  • PRC-IT-005: Vulnerability Management Procedure

  • SOC 2 CC8.1, CC8.2

  • ISO/IEC 27001:2022 Controls: A.8.10, A.5.28, A.5.30

10. Review and Maintenance

This document shall be reviewed annually or upon significant changes to infrastructure, regulatory requirements, or after major security incidents. The review is conducted by the IT Security Office, with change control updates logged in the document repository.
