Patch Management (Security Update Management)

Patch management — recently renamed to Security Update Management in the scheme — is the fifth control. The scheme requires every piece of software on every in-scope device to be kept on a vendor-supported version and to have patches for high-severity and critical vulnerabilities (CVSS 7.0 or higher) applied within 14 days of vendor release.

What the scheme requires

Every in-scope device must run software that is on a vendor-supported version (no end-of-life operating systems, no end-of-life applications).

Patches for high-severity (CVSS 7.0+) and critical vulnerabilities must be applied within 14 days of vendor release.

Routine patches for lower-severity vulnerabilities should be applied on a regular cadence.

Where a device cannot be patched within 14 days (e.g. a critical line-of-business application that requires testing), a documented compensating control must be in place.

Auto-update should be enabled where the vendor supports it and the firm has tested the update path.

What the assessor checks on assessment day

Runs vulnerability scans against in-scope devices and checks every high-severity and critical finding against the 14-day window from vendor release date.

Reviews the installed application versions on sampled devices for end-of-life software.

Confirms automatic update settings on the operating system, browsers, and major productivity tools.

Where compensating controls are documented, verifies the documentation is current and the control is actually in place.

Common gaps we see

Across CE Plus engagements, the following gaps recur on this control. None require deep architectural change. Most are operational discipline that drifted between annual assessments.

Practice-management or line-of-business application one major version behind the vendor release because the upgrade requires retraining and nobody scheduled the time.

OS patches applied via the MSP's RMM but application-layer patches outside the RMM scope (browsers, browser plug-ins, third-party SaaS desktop tools).

End-of-life software still in use because a single user needs it for a niche workflow and IT has not made the case for replacement.

Firmware on the perimeter firewall, network switches, or VOIP gear lagging the vendor release by months because the MSP relies on the network vendor to manage updates.

The other four controls

Firewalls

Boundary firewalls and personal firewalls block unauthorised inbound traffic and restrict outbound connections to known-good destinations.

Secure Configuration

Devices and software are configured to remove or disable unused services, change default passwords, and apply secure baseline settings.

User Access Control

Access to data and services is controlled through individual accounts with appropriate privileges, and administrative privileges are tightly restricted.

Malware Protection

Every in-scope device runs malware protection (anti-virus or equivalent) configured to scan in real-time and update its signatures regularly.

← Back to the Five Controls hub

Need help with patch management (security update management)?

Net Sec Group is an IASME Certification Body. We scope the gap list across all five controls before the formal CE Plus engagement so the assessment passes first time. Tell us your device count and timeline; we come back inside 4 hours.