Patch management
Patch management is the orderly process of identifying, assessing, testing and deploying software updates and security fixes in order to remediate known vulnerabilities in IT systems promptly and in a controlled manner.
Patch management refers to the structured lifecycle by which organisations identify, assess, test, approve and roll out software updates for operating systems, applications, firmware and network components. Its goal is to close known vulnerabilities before they can be exploited. Effective patch management relies on a complete inventory of the systems in use (asset inventory), continuous monitoring of vendor advisories and vulnerability intelligence, and a risk-based prioritisation that handles critical security gaps ahead of less urgent updates. Without a reliable inventory, an advisory cannot be matched to the systems it actually affects, so the inventory is the precondition for every later step.
At its core sits a defined process: once a patch has been identified, its criticality is assessed, usually starting from the CVSS score of the associated vulnerability, together with its impact on business operations. The CVSS base score alone does not say whether an exploit is publicly available or whether the affected system is reachable from the internet, so prioritisation should also weigh known exploitation and exposure. Before going into production, patches are validated in a test environment to rule out stability and compatibility issues. The rollout then proceeds in a controlled fashion within defined maintenance windows, accompanied by change management, documentation and a fallback strategy (rollback) for the event of failure. Defined deadlines for deploying particularly critical patches ensure that the window of opportunity for attackers is kept as short as possible.
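The following Python script is an added illustration of the inventory reconciliation and risk-based prioritisation described above; it is not code from this page or from any patch management product. It matches a constructed asset inventory against constructed advisories (placeholder IDs, not real CVEs), derives a priority from the CVSS v3.x severity bands, escalates that priority for known exploitation and internet exposure, and computes a deployment deadline from an assumed internal SLA table. The SLA days and the escalation rule are assumptions standing in for an organisation's own policy.

```python
"""Risk-based patch prioritisation against an asset inventory.

Added illustration, not code from the page or from any vendor tool. The SLA
days, the escalation rules and every advisory and asset below are constructed
assumptions; only the CVSS v3.x severity bands follow the FIRST specification.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed internal policy: days from advisory publication to mandatory deployment.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
BANDS = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder, not a real CVE
    product: str
    fixed_version: str        # first version that contains the fix
    cvss: float               # CVSS v3.x base score
    published: date
    exploited: bool = False   # exploitation observed in the wild


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    advisory_id: str
    priority: str
    deadline: date
    overdue: bool


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score >= 0.1:
        return "low"
    return "none"


def version_tuple(version: str, width: int = 4) -> tuple:
    """Parse a purely numeric dotted version, zero-padded so that 1.2 == 1.2.0.
    Anything non-numeric is rejected rather than silently mis-ordered."""
    try:
        parts = [int(part) for part in version.split(".")]
    except ValueError as exc:
        raise ValueError(f"unsupported version string: {version!r}") from exc
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product below the fixed version."""
    return (asset.product == adv.product
            and version_tuple(asset.version) < version_tuple(adv.fixed_version))


def priority(asset: Asset, adv: Advisory) -> str:
    """CVSS band, escalated one band for known exploitation and one for
    internet exposure (assumed policy: CVSS alone captures neither)."""
    sev = cvss_severity(adv.cvss)
    if sev == "none":
        return "none"
    band = BANDS.index(sev) + int(adv.exploited) + int(asset.internet_facing)
    return BANDS[min(band, len(BANDS) - 1)]


def reconcile(assets, advisories, today: date) -> list:
    """Match inventory against advisories; return findings ordered by deadline."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            prio = priority(asset, adv)
            if prio == "none":
                continue
            deadline = adv.published + timedelta(days=SLA_DAYS[prio])
            findings.append(Finding(asset.hostname, adv.advisory_id, prio,
                                    deadline, today > deadline))
    return sorted(findings, key=lambda f: (f.deadline, f.hostname))


# Constructed sample data (placeholders, not real products or advisories).
ADVISORIES = [
    Advisory("ADV-EXAMPLE-1", "vpn-appliance", "9.3.1", 9.8, date(2024, 3, 1), exploited=True),
    Advisory("ADV-EXAMPLE-2", "file-transfer", "4.2.1", 6.5, date(2024, 2, 15)),
    Advisory("ADV-EXAMPLE-3", "office-suite", "2.8.0", 7.8, date(2024, 3, 10)),
]
ASSETS = [
    Asset("vpn01", "vpn-appliance", "9.2.0", internet_facing=True),
    Asset("vpn02", "vpn-appliance", "9.3.1", internet_facing=True),   # already fixed
    Asset("ft01", "file-transfer", "4.1.9", internet_facing=True),    # medium -> high
    Asset("ws07", "office-suite", "2.7.4", internet_facing=False),
]
TODAY = date(2024, 3, 12)

if __name__ == "__main__":
    for f in reconcile(ASSETS, ADVISORIES, TODAY):
        flag = "OVERDUE" if f.overdue else "open"
        print(f"{f.hostname:6} {f.advisory_id:14} {f.priority:8} due {f.deadline} {flag}")
```

Run on the constructed data, the internet-facing VPN appliance shows up first and already overdue (critical band, seven-day SLA from 1 March), the file-transfer host is escalated from medium to high because it is exposed, and the patched vpn02 produces no finding. The version comparison is deliberately strict: a vendor version string it cannot parse raises instead of being treated as "not affected".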
Patch management is a central building block of vulnerability management and therefore of the technical measures used to control risk. Regulatory and standards frameworks require it explicitly: the NIS2 Directive and its national transposition require appropriate technical measures to manage security risks, including handling vulnerabilities and securing supply chains. The German BSI IT-Grundschutz (module OPS.1.1.3 Patch and change management) as well as ISO/IEC 27001 (Annex A control 8.8 Management of technical vulnerabilities) likewise call for a documented, traceable and regularly reviewed patching process.
Legal Basis
Art. 21(2) NIS2 Directive (EU) 2022/2555; Section 30 BSIG (NIS2 transposition); ISO/IEC 27001 Annex A 8.8; BSI IT-Grundschutz OPS.1.1.3
Practical Example
A mid-sized mechanical engineering company falls under the NIS2 obligations as an important entity. The information security officer establishes centralised patch management: a software distribution tool inventories all servers, clients and network devices and reconciles them daily with vendor advisories and the BSI warning list. When a vulnerability rated critical (CVSS 9.8) is found in the VPN appliance in use, she triggers the emergency patch process: the patch is validated in the test environment within 24 hours, then rolled out in an unscheduled maintenance window and documented with a timestamp, the responsible person and a rollback plan. She presents these records at the next audit, thereby demonstrating that vulnerabilities are handled within the deadlines the organisation has documented, as the regulatory framework requires.