Management of Patch and System Update Guidelines



All parties responsible for the maintenance of applications and systems.

Policy Statement:

Asset Owners and the supporting organization must take timely and appropriate action in the identification of relevant patches and system updates to ensure the ongoing functionality of systems and applications, and to minimize the risk of exploitation of recognized and announced vulnerabilities. Implementation of these guidelines will help to better manage risk by:

  • Obtaining timely information about updates and technical vulnerabilities of information systems and applications;
  • Evaluating the value of the patch or update in terms of functionality, problem resolution, prerequisite installation, vulnerability avoidance or reduction, vendor recommendations or requirements, potential impact to systems and/or users, etc.; and
  • Implementing appropriate measures to address any identified risk.


ISO 27002: 12.6, 12.6.1

Original Issue Date:

July 2013

Revision Dates:

August 2013
March 2015

Additional Information:
Support Contact: