cyber-security.eu

Patch management

Patch management decides how fast known vulnerabilities are closed. It is unglamorous routine work, and it significantly reduces the risk of many incidents.

Who this page is for

IT and security leaders, administrators, auditors and anyone structuring patching.

What is patch management?

Patch management is the structured process of closing vulnerabilities in operating systems, applications, firmware and cloud services: planned, documented and traceable.

Why speed matters

Known vulnerabilities are often weaponised quickly. Waiting for weeks invites avoidable incidents. Ransomware regularly exploits unpatched systems.

Prioritisation

Criticality of the vulnerability, exposure on the network, asset importance, available workarounds and active exploitation in the wild drive the order. Integrate with vulnerability management.

Common mistakes

  • Incomplete asset inventory
  • Missing maintenance windows
  • Unclear ownership
  • Weak communication with business units
  • Infrequent server or firmware updates
  • Missing verification

Scenario

A mid-sized company patches endpoints monthly, servers quarterly and firmware yearly. A critical vulnerability in an internet-facing service is closed within 48 hours through a defined emergency window.
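As an added example (not code from the page or from cyber-security.eu), the Python below ranks a set of constructed findings by the drivers named under Prioritisation and assigns each one a patch window, using the 48-hour emergency window from the scenario above. The scoring weights, the 14- and 30-day windows, the 1-3 asset importance scale and the advisory ids are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Finding:
    """One open vulnerability on one asset. Field scales are assumptions."""
    asset: str
    advisory: str            # placeholder id, not a real CVE
    cvss: float              # base severity, 0-10
    internet_facing: bool    # exposure on the network
    importance: int          # asset importance: 1 (low) .. 3 (business critical)
    exploited: bool          # active exploitation in the wild
    workaround: bool         # an available workaround has been applied
    discovered: datetime

def priority_score(f: Finding) -> float:
    """Fold the page's five drivers into one sortable number (weights assumed)."""
    score = f.cvss
    if f.exploited:
        score += 4.0             # in-the-wild exploitation dominates
    if f.internet_facing:
        score += 3.0             # exposed services first
    score += f.importance        # asset importance, 1..3
    if f.workaround:
        score -= 2.0             # mitigated, can wait for the regular window
    return score

def patch_window(f: Finding) -> timedelta:
    """Map a finding to a window. The 48-hour emergency window for a critical
    internet-facing service is the page's scenario; the other tiers are assumed."""
    if f.internet_facing and (f.cvss >= 9.0 or f.exploited):
        return timedelta(hours=48)           # emergency process
    if f.exploited or f.cvss >= 7.0:
        return timedelta(days=14)            # assumed accelerated window
    return timedelta(days=30)                # assumed regular monthly window

def triage(findings, now):
    """Rank findings and flag those past their deadline for verification/reporting."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    deadlines = [f.discovered + patch_window(f) for f in ranked]
    return [(f.asset, d, d < now) for f, d in zip(ranked, deadlines)]

# Constructed sample findings and a fixed reference time for reproducibility.
NOW = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Finding("vpn-gw-01", "ADV-0001", 9.8, True, 3, True, False, NOW - timedelta(days=3)),
    Finding("file-srv-07", "ADV-0002", 7.5, False, 2, False, True, NOW - timedelta(days=10)),
    Finding("kiosk-03", "ADV-0003", 5.3, False, 1, False, False, NOW - timedelta(days=2)),
]
```

Running `triage(SAMPLE, NOW)` puts the exploited, internet-facing gateway first and marks it overdue, since its 48-hour window closed a day ago, while the mitigated file server and the isolated kiosk remain within their regular windows.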

Checklist

  • Complete asset inventory
  • Defined maintenance windows per system class
  • Prioritisation by criticality and exposure
  • Emergency process for critical patches
  • Communication with business units rehearsed
  • Verification and reporting

Frequently asked questions

How fast must I patch?

There is no universal pace. Critical internet-facing systems may need hours to days, isolated systems may tolerate longer windows.

What about third-party software?

Third-party software is often the larger risk, and its patches deserve the same discipline.
