Vulnerability and Patch Management

Organizations should ensure Operating System (OS) and application levels are current so that known vulnerabilities are patched. Additionally, a Vulnerability Management (VM) and patching program should be in place to ensure vulnerability scans are performed and system patches are applied on a timely basis.


Expert Opinion - Vulnerability Management


Control Objective

  • Policy is documented, approved, followed, reviewed, and updated regularly
  • Scans are performed prior to and following production launch
  • Systems must be patched regularly to ensure current OS and application levels
  • Vulnerability assessments are regularly conducted as part of a program, and vulnerabilities must be rated according to criticality
  • High and critical vulnerabilities must be remediated through patching, decommissioning, or compensating controls


OCIO Patch Standard v2.2 (last updated Feb 18, 2021)