| Sl.No# | Section | Assessment Questions – Patch Management | Assessor Remarks and Observations |
|---|---|---|---|
| 1 | Governance & Policy | Is there a formally documented Patch Management Policy and Procedure? | |
| 2 | Governance & Policy | Who is responsible for maintaining and approving the patch management policy? | |
| 3 | Governance & Policy | How often is the patch management policy reviewed and updated? | |
| 4 | Governance & Policy | Does the policy define roles and responsibilities for patch identification, testing, deployment, and validation? | |
| 5 | Asset & Scope Management | Is there an up-to-date inventory of all IT assets (including applications) in scope for patching? | |
| 6 | Asset & Scope Management | Are all critical systems and applications included in the patch management scope? | |
| 7 | Asset & Scope Management | How is asset criticality classified and prioritized for patching? | |
| 8 | Patch Identification & Risk Assessment | What sources are used to identify new patches? | |
| 9 | Patch Identification & Risk Assessment | How frequently are patches reviewed and assessed for applicability? | |
| 10 | Patch Identification & Risk Assessment | Is there a documented process for assessing the risk and urgency of each patch? | |
| 11 | Patch Identification & Risk Assessment | Are CVSS scores or other risk metrics used to prioritize patches? | |
| 12 | Patch Testing & Approval | Is there a defined process for testing patches in a non-production environment? | |
| 13 | Patch Testing & Approval | How is patch compatibility with existing systems and applications validated? | |
| 14 | Patch Testing & Approval | Are rollback procedures documented and tested in case a patch causes issues? | |
| 15 | Patch Testing & Approval | Who approves patches for deployment into production? | |
| 16 | Patch Deployment | What tools or platforms are used for patch deployment? | |
| 17 | Patch Deployment | Is patch deployment automated or manual? If automated, how is it monitored? | |
| 18 | Patch Deployment | Are deployment windows defined to minimize business disruption? | |
| 19 | Patch Deployment | How are exceptions or deferrals documented and approved? | |
| 20 | Change Management Integration | Are patch deployments integrated with the organization’s change management process? | |
| 21 | Change Management Integration | Are change tickets created and approved before patch deployment? | |