Vulnerability and Patch Management Policy

The Vulnerability and Patch Management Policy (P19) defines the structured approach required for identifying, classifying, remediating, and monitoring technical vulnerabilities and software flaws within all assets governed by the organization’s Information Security Management System (ISMS). Its primary aim is to reduce risk exposure from unaddressed weaknesses by ensuring a coordinated process for vulnerability assessment, prioritization, remediation, and compliance tracking, tailored to the operational priorities and regulatory landscape relevant to the organization. The policy applies company-wide to all information systems, applications, network infrastructure, firmware, cloud resources, APIs, endpoints, servers, virtual infrastructure, and third-party platforms regardless of hosting environment. Binding on both internal teams and external service providers, it mandates a complete lifecycle approach, beginning with regular vulnerability scanning and discovery, through risk scoring and patch acquisition, to timely deployment, exception handling, monitoring, and reporting. Special emphasis is given to authenticated, risk-adjusted scanning at defined intervals, particularly for internet-facing or high-value assets, with associated procedures for onboarding new systems and maintaining compliance throughout their lifecycle. Roles and responsibilities are precisely delineated to foster accountability. The CISO owns policy integration and risk alignment; vulnerability management leads oversee operational delivery; system and application owners are charged with applying remediations and validating system stability; IT operations teams execute changes within established windows, and security analysts maintain vigilance through continuous threat monitoring and updated risk assessments. Formal requirements are in place for third-party vendors to ensure external systems adhere to the same patch SLAs, with periodic audits and controls over their patch management processes. A governance framework, including a centrally maintained Vulnerability Management Register and risk-based SLAs, underpins the policy. The system enforces patch urgency according to severity (as determined by CVSS scoring), asset criticality, and exposure, while integrating with change management policy for traceability and stability. Detailed exceptions protocols stipulate requirements for formal approval, compensating controls, review cadence, time limits for critical risks, and mandatory tracking in designated ISMS registers. Policy enforcement relies on ongoing compliance monitoring, status reporting, and structured escalation. The policy also mandates audits, retrospective investigations after incidents, and a robust review/update protocol to ensure continued alignment with evolving regulatory obligations, technological changes, and high-profile threat intelligence. It is directly linked to foundational policies, such as information security, change management, risk management, asset management, logging and monitoring, and incident response, to ensure end-to-end coverage.