Patch Management
Keep systems and software up to date with security patches.
9 of 9 frameworks cover this control
Framework Mappings
How Patch Management maps to each of the 9 cybersecurity frameworks tracked by ControlMap.
| Framework | Status | Control IDs |
|---|---|---|
| NIST CSF 2.0 | Covered | PR.PS-01 |
| ISO 27001 | Covered | A.8.8 A.8.19 |
| CIS v8 | Covered | CIS 7.3 CIS 7.4 |
| SOC 2 | Covered | CC7.1 |
| PCI DSS | Covered | 6.3.1 6.3.3 |
| CMMC | Covered | SI.L2-3.14.1 |
| 800-53 | Covered | SI-2 CM-3 |
| HIPAA | Covered | §164.308(a)(1)(ii)(A) §164.308(a)(8) |
| GDPR | Covered | Art.32(1)(d) |
About Patch Management
Patch Management is a cybersecurity control in the Protect domain: keep systems and software up to date with security patches. Patch management is the systematic process of identifying, testing, and deploying security updates to operating systems, applications, firmware, and third-party software to remediate known vulnerabilities. Organizations should establish risk-based patching timelines (for example, critical patches within 72 hours and high-severity patches within 30 days) while maintaining a testing process so that updates do not disrupt production systems. Several of the mapped frameworks set their own ceilings on those timelines; PCI DSS requirement 6.3.3, for instance, requires critical and high-security patches to be installed within one month of release, so internal SLAs must be at least that strict where that framework applies. Automated patch management tools, combined with an accurate asset inventory, help ensure comprehensive coverage and shorten the window of exposure to known exploits; an asset missing from the inventory is neither patched nor reported on, so "no findings" on a scan is only meaningful for assets the scanner actually reached.
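The two measurable parts of the paragraph above, risk-based patching deadlines and inventory coverage, are straightforward to turn into a report. The following is an added example, not ControlMap's code or any tool's API: it takes a constructed asset inventory, the list of assets a scanner reported on, and a constructed set of missing-patch findings, and returns the findings past their SLA, the ones that were installed late, and the inventory assets the scanner never saw. The 72-hour and 30-day windows are the page's example timelines; the medium/low windows, the asset names and the patch identifiers are assumptions made up for the sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Risk-based SLA windows by severity. Critical/high follow the timelines quoted on
# this page; medium/low are assumed values for illustration only.
SLA_WINDOWS = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=180),
}


@dataclass(frozen=True)
class Finding:
    """One missing patch on one asset, as a scanner or agent would report it."""
    asset: str
    patch_id: str
    severity: str
    available: datetime                     # when the vendor fix became available
    installed: Optional[datetime] = None    # None while the fix is still missing


def deadline(f: Finding) -> datetime:
    """Date by which the fix must be installed under the SLA for its severity."""
    return f.available + SLA_WINDOWS[f.severity.lower()]


def overdue(findings, now):
    """Still-unpatched findings past their deadline as (asset, patch_id, hours_overdue),
    worst first. Exposure is what matters here, so installed fixes are excluded."""
    late = []
    for f in findings:
        if f.installed is None and now > deadline(f):
            hours = int((now - deadline(f)).total_seconds() // 3600)
            late.append((f.asset, f.patch_id, hours))
    return sorted(late, key=lambda row: row[2], reverse=True)


def installed_late(findings):
    """Findings that were patched, but only after their deadline. No longer an exposure,
    but a useful trend metric for the patching process itself."""
    return sorted((f.asset, f.patch_id) for f in findings
                  if f.installed is not None and f.installed > deadline(f))


def unscanned_assets(inventory, scanned):
    """Inventory assets no scanner or agent reported on. These are blind spots:
    'no findings' there means 'no data', not 'fully patched'."""
    return sorted(set(inventory) - set(scanned))


def report(inventory, scanned, findings, now):
    return {
        "unscanned_assets": unscanned_assets(inventory, scanned),
        "overdue": overdue(findings, now),
        "installed_late": installed_late(findings),
    }


# Constructed sample data: hypothetical assets, patch identifiers and dates.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
INVENTORY = ["web-01", "web-02", "db-01", "jump-01"]
SCANNED = ["web-01", "web-02", "db-01"]          # jump-01 never reported in
FINDINGS = [
    Finding("web-01", "PATCH-A", "critical", NOW - timedelta(days=5)),
    Finding("web-02", "PATCH-A", "critical", NOW - timedelta(days=5),
            installed=NOW - timedelta(days=4)),   # fixed within 24h
    Finding("db-01", "PATCH-B", "high", NOW - timedelta(days=20)),      # inside 30-day window
    Finding("db-01", "PATCH-C", "high", NOW - timedelta(days=45)),      # 15 days past deadline
    Finding("web-01", "PATCH-D", "low", NOW - timedelta(days=10)),
    Finding("db-01", "PATCH-E", "critical", NOW - timedelta(days=10),
            installed=NOW - timedelta(days=2)),   # fixed, but 5 days late
]

if __name__ == "__main__":
    for key, rows in report(INVENTORY, SCANNED, FINDINGS, NOW).items():
        print(key)
        for row in rows:
            print("  ", row)
```

The deadline is computed from the date the fix became available, not from the date the scanner first noticed the gap; measuring from first detection quietly rewards slow scanning. Keeping unscanned assets in the same report as overdue findings is deliberate, since a clean overdue list is only evidence of coverage for the assets that were actually assessed.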
This control is recognized by all 9 of the frameworks tracked here: NIST CSF 2.0, ISO 27001, CIS v8, SOC 2, PCI DSS, CMMC, 800-53, HIPAA, and GDPR. Coverage is complete across every one of them.