
Audit Checks 3

The document outlines a series of assessment questions related to Patch Management, focusing on governance, asset management, patch identification, testing, deployment, and integration with change management processes. It emphasizes the need for documented policies, defined roles, risk assessment, and validation procedures. Additionally, it addresses the importance of automation, monitoring, and minimizing business disruption during patch deployment.

Uploaded by

Gaali

Assessment Questions – Patch Management

Columns: Sl.No, Section, Assessment Question. The original form has a fourth column, "Assessor Remarks and Observations", which is left blank for the assessor to fill in during the review.

Sl.No | Section | Assessment Question
1 | Governance & Policy | Is there a formally documented Patch Management Policy and Procedure?
2 | Governance & Policy | Who is responsible for maintaining and approving the patch management policy?
3 | Governance & Policy | How often is the patch management policy reviewed and updated?
4 | Governance & Policy | Does the policy define roles and responsibilities for patch identification, testing, deployment, and validation?
5 | Asset & Scope Management | Is there an up-to-date inventory of all IT assets (including applications) in scope for patching?
6 | Asset & Scope Management | Are all critical systems and applications included in the patch management scope?
7 | Asset & Scope Management | How is asset criticality classified and prioritized for patching?
8 | Patch Identification & Risk Assessment | What sources are used to identify new patches?
9 | Patch Identification & Risk Assessment | How frequently are patches reviewed and assessed for applicability?
10 | Patch Identification & Risk Assessment | Is there a documented process for assessing the risk and urgency of each patch?
11 | Patch Identification & Risk Assessment | Are CVSS scores or other risk metrics used to prioritize patches?
12 | Patch Testing & Approval | Is there a defined process for testing patches in a non-production environment?
13 | Patch Testing & Approval | How is patch compatibility with existing systems and applications validated?
14 | Patch Testing & Approval | Are rollback procedures documented and tested in case a patch causes issues?
15 | Patch Testing & Approval | Who approves patches for deployment into production?
16 | Patch Deployment | What tools or platforms are used for patch deployment?
17 | Patch Deployment | Is patch deployment automated or manual? If automated, how is it monitored?
18 | Patch Deployment | Are deployment windows defined to minimize business disruption?
19 | Patch Deployment | How are exceptions or deferrals documented and approved?
20 | Change Management Integration | Are patch deployments integrated with the organization's change management process?
21 | Change Management Integration | Are change tickets created and approved before patch deployment?
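Items 5 through 11 ask whether the inventory covers everything in scope and whether patches are prioritized using CVSS together with asset criticality, and item 19 asks how deferrals are documented. The following is an added example, not part of the source checklist and not the output of any vendor tool, showing the kind of evidence an assessor would expect behind a "yes" to those questions: a small Python routine that reconciles the hosts named in advisories against the asset inventory, assigns each patch/host pair a priority band and an SLA due date, and flags deferrals that have expired. The inventory, patch records, SLA windows and the weighting rules in `priority()` are all constructed assumptions for illustration and are not drawn from any standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows per priority band (days); not a standard.
LEVELS = ["P1", "P2", "P3", "P4"]
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30, "P4": 90}


@dataclass(frozen=True)
class Asset:
    hostname: str
    criticality: str            # "high" / "medium" / "low"  (checklist item 7)
    internet_facing: bool
    in_patch_tool_scope: bool   # managed by the deployment tooling (item 6)


@dataclass(frozen=True)
class Patch:
    patch_id: str
    cvss: float                 # CVSS base score (item 11)
    known_exploited: bool       # exploitation reported in the wild (item 10)
    released: date              # SLA clock starts at release/assessment
    affected: tuple             # hostnames the advisory applies to


@dataclass(frozen=True)
class Deferral:
    patch_id: str
    hostname: str
    expires: date               # approved, time-boxed exception (item 19)


def priority(patch: Patch, asset: Asset) -> str:
    """CVSS sets the starting band; exposure, criticality and known
    exploitation move it up or down. Weighting is an assumption."""
    cvss = patch.cvss
    band = 0 if cvss >= 9.0 else 1 if cvss >= 7.0 else 2 if cvss >= 4.0 else 3
    if asset.internet_facing:
        band -= 1
    if asset.criticality == "high":
        band -= 1
    elif asset.criticality == "low":
        band += 1
    if patch.known_exploited:
        band -= 1
    return LEVELS[max(0, min(3, band))]


def scope_gaps(patches, inventory):
    """Items 5/6: hosts named in advisories that the inventory does not know,
    and inventory hosts the patch tooling does not manage."""
    known = {a.hostname for a in inventory}
    referenced = {h for p in patches for h in p.affected}
    unmanaged = sorted(a.hostname for a in inventory if not a.in_patch_tool_scope)
    return sorted(referenced - known), unmanaged


def build_plan(patches, inventory, deferrals, today):
    """Return (patch_id, host, priority, due_date, status) rows, most urgent
    first. status: 'due', 'overdue', 'deferred' or 'deferral-expired'."""
    assets = {a.hostname: a for a in inventory}
    deferred = {(d.patch_id, d.hostname): d.expires for d in deferrals}
    rows = []
    for p in patches:
        for host in p.affected:
            asset = assets.get(host)
            if asset is None:
                continue            # reported by scope_gaps(), not planned
            pri = priority(p, asset)
            due = p.released + timedelta(days=SLA_DAYS[pri])
            exp = deferred.get((p.patch_id, host))
            if exp is not None and exp >= today:
                status = "deferred"
            elif exp is not None:
                status = "deferral-expired"
            elif due < today:
                status = "overdue"
            else:
                status = "due"
            rows.append((p.patch_id, host, pri, due, status))
    rows.sort(key=lambda r: (r[2], r[3], r[1]))
    return rows


# Constructed sample data (hostnames, IDs and dates are fictional).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("web-01", "high", True, True),
    Asset("db-01", "high", False, True),
    Asset("hr-app-01", "medium", False, False),   # outside patch tool control
    Asset("kiosk-07", "low", False, True),
]
PATCHES = [
    Patch("KB-1001", 8.1, True, date(2024, 5, 20), ("web-01", "kiosk-07")),
    Patch("KB-1002", 9.8, False, date(2024, 5, 28), ("db-01", "hr-app-01")),
    Patch("KB-1003", 5.3, False, date(2024, 3, 1), ("kiosk-07", "legacy-99")),
]
DEFERRALS = [Deferral("KB-1003", "kiosk-07", date(2024, 4, 30))]  # lapsed

if __name__ == "__main__":
    missing, unmanaged = scope_gaps(PATCHES, INVENTORY)
    print("not in inventory:", missing, "| not under patch tooling:", unmanaged)
    for row in build_plan(PATCHES, INVENTORY, DEFERRALS, TODAY):
        print(*row)
```

Run against the sample data, the exploited 8.1 bug on the internet-facing web server comes out as an overdue P1, the same patch on the low-value kiosk is a P2, the host `legacy-99` is reported as missing from inventory, `hr-app-01` as in inventory but outside the patch tooling, and the lapsed deferral on `kiosk-07` is flagged rather than silently treated as still approved. Those four findings are exactly what an assessor is probing for in items 5, 6, 11 and 19.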
