Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.
Specification
Only supported services can be used. End-of-Life or End-of-Support software is not allowed.
All software is tested and installed according to a documented and defined patch cycle.
Patching takes place in accordance with the change management process.
Unpatched systems will be treated in accordance with the vulnerability management process. Use the CVSS scores to define the criticality of the required patch.
Patches including critical security updates are installed as soon as possible. Critical security updates should be applied at the latest within 72 hours.
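The two measurable requirements above (CVSS-based criticality, and a 72-hour deadline for critical security updates) can be checked automatically against a patch inventory. The following Python script is an added example, not part of the policy text or any SURF tooling. It assumes the standard FIRST CVSS v3.x qualitative severity bands (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9); only the 72-hour deadline for Critical comes from the policy, and the deadlines for the other bands are placeholders an organisation would set in its own patch cycle. The inventory records are constructed sample data.

```python
"""Patch-SLA compliance check (added example, not from the policy text).

Assumptions:
- CVSS v3.x qualitative severity bands from FIRST.
- 72 hours for Critical is the policy's own requirement; the other
  deadlines below are placeholders to be replaced by the organisation's
  documented patch cycle.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CRITICAL_SLA = timedelta(hours=72)  # stated in the policy

# Placeholder deadlines for the non-critical bands (assumption, not policy).
SLA_BY_SEVERITY = {
    "Critical": CRITICAL_SLA,
    "High": timedelta(days=14),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=90),
}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class PatchRecord:
    host: str
    advisory: str                   # vendor/CERT advisory id (placeholder)
    cvss: float                     # base score from the advisory
    published: datetime             # when the fix became available
    installed: Optional[datetime]   # None means still unpatched
    supported: bool = True          # False means the software is EOL/EOS


def evaluate(record: PatchRecord, now: datetime) -> List[str]:
    """Return findings for one record: EOL, OVERDUE:<band>, LATE:<band>."""
    findings: List[str] = []
    if not record.supported:
        findings.append("EOL")           # end-of-life software is not allowed
    band = cvss_severity(record.cvss)
    sla = SLA_BY_SEVERITY.get(band)
    if sla is None:                      # band "None": nothing to patch
        return findings
    deadline = record.published + sla
    if record.installed is None:
        if now > deadline:
            findings.append(f"OVERDUE:{band}")   # still open past deadline
    elif record.installed > deadline:
        findings.append(f"LATE:{band}")          # patched, but after deadline
    return findings


def compliance_report(records: List[PatchRecord], now: datetime) -> Dict[str, List[str]]:
    """Evaluate a whole inventory; hosts with an empty list are compliant."""
    return {r.host: evaluate(r, now) for r in records}


# Constructed sample inventory (not real hosts or advisories).
UTC = timezone.utc
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=UTC)
SAMPLE_INVENTORY = [
    # Critical fix applied after 34 hours: within the 72-hour window.
    PatchRecord("web-01", "VENDOR-2024-001", 9.8,
                datetime(2024, 3, 1, 0, 0, tzinfo=UTC),
                datetime(2024, 3, 2, 10, 0, tzinfo=UTC)),
    # Same critical fix, still not installed nine days later.
    PatchRecord("db-01", "VENDOR-2024-001", 9.8,
                datetime(2024, 3, 1, 0, 0, tzinfo=UTC), None),
    # High-severity fix, open but still inside the placeholder 14-day window.
    PatchRecord("app-02", "VENDOR-2024-002", 7.5,
                datetime(2024, 3, 5, 0, 0, tzinfo=UTC), None),
    # Unsupported software, medium fix applied late.
    PatchRecord("legacy-03", "VENDOR-2024-003", 5.0,
                datetime(2024, 2, 1, 0, 0, tzinfo=UTC),
                datetime(2024, 3, 8, 0, 0, tzinfo=UTC), supported=False),
]

if __name__ == "__main__":
    for host, findings in compliance_report(SAMPLE_INVENTORY, NOW).items():
        print(f"{host:10s} {'OK' if not findings else ', '.join(findings)}")
```

Feeding the script a real inventory export (host, advisory, CVSS, release and install timestamps, support status) turns the 72-hour rule into a report that can be reviewed in the change management and vulnerability management processes; the non-critical deadlines should be edited to match the documented patch cycle before the output is relied on.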
ISO 27001 & 27002:2022
A12.6.1
SURF information security assessment framework (NBA maturity model)
SM.06 Patch management