Patch Management Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to platforms, customer SLAs, or criticality definitions
Purpose
This policy defines operating system and security patch management for endpoints used for company and customer work.
Scope
This policy applies to Linux and Windows endpoints that access company or customer systems, repositories, or data.
Policy
Non-emergency operating system patches are reviewed and applied on at least a monthly cadence. Critical security patches are assessed without undue delay and remediated within seven calendar days where technically feasible and compatible with customer change windows.
Process
- Personnel monitor vendor security advisories and operating system update channels for their platform.
- Standard patches are applied in the monthly maintenance window or sooner when risk and stability allow.
- Critical patches receive priority scheduling within the seven-day target.
- When a patch cannot be applied in the target window due to compatibility, vendor delay, or customer-imposed freeze, the reason and compensating controls are documented and approved by management.
- Endpoints that remain materially non-compliant may be denied customer access until remediated.
Records
Typical evidence includes OS update history, package manager logs, Windows Update reporting, endpoint compliance exports, or equivalent attestation suitable for audit or customer review.