Content library
Technical vulnerability management
Defining a patch management process
Development and cloud
Technical vulnerability management

Defining a patch management process

Start free trial

Task description

Defining a patch management process

The organisation should have an adequate patch management procedure defined and implemented. This should include the testing and installation of patches.

There should measures to minimize the risk related to patch management and verification of successful installation of patches.

The patch management should be automated when possible (for example operating system updates).

The patch management process should take into account the requirements set by frameworks or other requiremetns they need to comply with.

Requirements connected to the task

5.2.5: Vulnerability management
TISAX: Information security
7.3: Perform Automated Operating System Patch Management
CIS 18 controls

Other tasks from the same security theme

Task name
Priority
Policy
Other requirements
Regularly conducting penetration testing with predefined goals and scope
Critical
High
Normal
Low
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

3.4.2: Involve relevant stakeholders in advance
NSM ICT-SP
3.4.1: Plan penetration testing with defined goals and scope
NSM ICT-SP
3.4.4: Perform regular penetration testing (at least annually) to identify vulnerabilities
NSM ICT-SP
18.2: Perform Periodic External Penetration Tests
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Regularly conducting penetration testing with predefined goals and scope
Regularly conducting threat-led penetration testing (TLPT)
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

Article 26: Advanced testing of ICT tools, systems and processes based on TLPT
DORA
Article 36: ICT security testing
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Regularly conducting threat-led penetration testing (TLPT)
Process for managing technical vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
41
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
14.2.1: Secure development policy
ISO 27001
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
See all related requirements and other information from tasks own page.
Go to >
Process for managing technical vulnerabilities
The goals of threat intelligence and the collection of information related to information security threats
Critical
High
Normal
Low
Technical vulnerability management
20
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
77: Menettely toimintaympäristön seuraamiseen
Digiturvan kokonaiskuvapalvelu
Article 13: Learning and evolving
DORA
4.1: Tietojärjestelmien tietoturvallisuus
TiHL tietoturvavaatimukset
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
The goals of threat intelligence and the collection of information related to information security threats
Minimizing the risk of attack by limiting attack surfaces
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Article 13.1(.2.j): Limit attack surfaces
CRA
See all related requirements and other information from tasks own page.
Go to >
Minimizing the risk of attack by limiting attack surfaces
Secure configuration of products
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Article 13.1(.2.b): Secure configuration
CRA
See all related requirements and other information from tasks own page.
Go to >
Secure configuration of products
Remediation of vulnerabilities in third-party components
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Article 13.6: Vulnerabilities in third party components
CRA
See all related requirements and other information from tasks own page.
Go to >
Remediation of vulnerabilities in third-party components
Software Bill of Materials (SBOM)
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Vuln.1: Identifying and documenting vulnerabilities
CRA
See all related requirements and other information from tasks own page.
Go to >
Software Bill of Materials (SBOM)
Management of vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

No items found.
See all related requirements and other information from tasks own page.
Go to >
Management of vulnerabilities
Process for vulnerability disclosure
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

Art. 24.2.e.2: Sicurezza dell'acquisizione
NIS2 Italy
Article 13.17: Single point of contact
CRA
See all related requirements and other information from tasks own page.
Go to >
Process for vulnerability disclosure
Validation of security measuers after penetration testing
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

18.4: Validate Security Measures
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Validation of security measuers after penetration testing
Establishing and maintaining a severity rating system for application vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Establishing and maintaining a severity rating system for application vulnerabilities
Performing root cause analysis on security vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

16.3: Perform Root Cause Analysis on Security Vulnerabilities
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Performing root cause analysis on security vulnerabilities
Conducting automated vulnerability scans of externally-exposed enterprise assets
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Conducting automated vulnerability scans of externally-exposed enterprise assets
Conducting automated vulnerability scans of internal enterprise assets
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Conducting automated vulnerability scans of internal enterprise assets
Standards for submitting vulnerability reports
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

39: Koordinēta ievainojamību atklāšana
NIS2 Latvia
See all related requirements and other information from tasks own page.
Go to >
Standards for submitting vulnerability reports
Process for vulnerability remediation
Critical
High
Normal
Low
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

40.(1): Ievainojamību atklāšana un novēršana
NIS2 Latvia
40.(2): Neaizsargātību novēršanas grafiks
NIS2 Latvia
Art. 24.2.e.2: Sicurezza dell'acquisizione
NIS2 Italy
Article 13.1(.2.a): Known exploitable vulnerabilities
CRA
See all related requirements and other information from tasks own page.
Go to >
Process for vulnerability remediation
Use of vulnerability scanning and attack tools
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

3.4.3: Use vulnerability scanning tools and attack tools
NSM ICT-SP
Article 13.1(.2.a): Known exploitable vulnerabilities
CRA
See all related requirements and other information from tasks own page.
Go to >
Use of vulnerability scanning and attack tools
Communicating the results of penetration tests
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

3.4.6: Communicate the results of penetration tests to relevant stakeholders
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Communicating the results of penetration tests
Defining a patch management process
Critical
High
Normal
Low
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

5.2.5: Vulnerability management
TISAX
7.3: Perform Automated Operating System Patch Management
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Defining a patch management process
Assessments for defining the scope for threat-led penetration testing (TLPT)
Critical
High
Normal
Low
Technical vulnerability management
3
requirements

Examples of other requirements this task affects

Article 26: Advanced testing of ICT tools, systems and processes based on TLPT
DORA
16.13: Conduct Application Penetration Testing
CIS 18
Art. 13.2.2: Mesures internes de sécurité graduelles
Loi infrastructures critiques
See all related requirements and other information from tasks own page.
Go to >
Assessments for defining the scope for threat-led penetration testing (TLPT)
TLPT tester requirements
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Article 27: Requirements for testers for the carrying out of TLPT
DORA
See all related requirements and other information from tasks own page.
Go to >
TLPT tester requirements
Personnel support for chosen resilience testing operations
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

Article 25: Testing of ICT tools and systems
DORA
See all related requirements and other information from tasks own page.
Go to >
Personnel support for chosen resilience testing operations
Separation of critical environments
Critical
High
Normal
Low
Technical vulnerability management
8
requirements

Examples of other requirements this task affects

13.1.3: Segregation in networks
ISO 27001
PR.AC-5: Network integrity
NIST
8.22: Segregation of networks
ISO 27001
2.3.1: Establish centrally managed practices for security updates
NSM ICT-SP
12.8: Establish and Maintain Dedicated Computing Resources for All Administrative Work
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Separation of critical environments
Authorized users and rules for installing software and libraries
Critical
High
Normal
Low
Technical vulnerability management
15
requirements

Examples of other requirements this task affects

12.6.2: Restrictions on software installation
ISO 27001
SUM-02: Keeping licensed software up to date
Cyber Essentials
DE.CM-5: Unauthorized mobile code detection
NIST
TEK-17: Muutoshallintamenettelyt
Julkri
8.19: Installation of software on operational systems
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Authorized users and rules for installing software and libraries
Anticipating capacity-related problems
Critical
High
Normal
Low
Technical vulnerability management
13
requirements

Examples of other requirements this task affects

11.2.2: Supporting utilities
ISO 27001
12.1.3: Capacity management
ISO 27001
PR.DS-4: Availability
NIST
TEK-22: Tietojärjestelmien saatavuus
Julkri
8.6: Capacity management
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Anticipating capacity-related problems
Regular vulnerability scanning
Critical
High
Normal
Low
Technical vulnerability management
38
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
18.2.3: Technical compliance review
ISO 27001
14.2.8: System security testing
ISO 27001
6.5: Tietojärjestelmien asennus, ylläpito ja päivitys
Omavalvontasuunnitelma
MWP-02: Automatic file scan by anti-malware software
Cyber Essentials
See all related requirements and other information from tasks own page.
Go to >
Regular vulnerability scanning
Initial treatment of identified technical vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
20
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
RS.MI-3: New vulnerability mitigation
NIST
See all related requirements and other information from tasks own page.
Go to >
Initial treatment of identified technical vulnerabilities
Selecting and tracking data sources for vulnerability information
Critical
High
Normal
Low
Technical vulnerability management
12
requirements

Examples of other requirements this task affects

I23: Ohjelmistohaavoittuvuuksien hallinta
Katakri
12.6.1: Management of technical vulnerabilities
ISO 27001
DE.CM-8: Vulnerability scans
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
8.8: Management of technical vulnerabilities
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Selecting and tracking data sources for vulnerability information
Ohjelmistohaavoittuvuuksien säännöllinen tarkastelu (ST IV)
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

I23: Ohjelmistohaavoittuvuuksien hallinta
Katakri
See all related requirements and other information from tasks own page.
Go to >
Ohjelmistohaavoittuvuuksien säännöllinen tarkastelu (ST IV)
Ohjelmistohaavoittuvuuksien säännöllinen tarkastelu (ST III-II)
Critical
High
Normal
Low
Technical vulnerability management
1
requirements

Examples of other requirements this task affects

I23: Ohjelmistohaavoittuvuuksien hallinta
Katakri
See all related requirements and other information from tasks own page.
Go to >
Ohjelmistohaavoittuvuuksien säännöllinen tarkastelu (ST III-II)
Regular penetration testing
Critical
High
Normal
Low
Technical vulnerability management
23
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
14.2.8: System security testing
ISO 27001
18.2.3: Technical compliance review
ISO 27001
DE.CM-8: Vulnerability scans
NIST
5.36: Compliance with policies, rules and standards for information security
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Regular penetration testing
Automating the handling of technical vulnerabilities
Critical
High
Normal
Low
Technical vulnerability management
5
requirements

Examples of other requirements this task affects

RS.AN-5: Processes are established to receive, analyse, and respond to vulnerabilities disclosed to the organization from internal and external sources.
CyberFundamentals
2.3.1: Establish centrally managed practices for security updates
NSM ICT-SP
7.7: Remediate Detected Vulnerabilities
CIS 18
Article 34: ICT operations security
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Automating the handling of technical vulnerabilities
Prioritization of identified technical vulnerabilities and remediation goals
Critical
High
Normal
Low
Technical vulnerability management
9
requirements

Examples of other requirements this task affects

4.1: Tietojärjestelmien tietoturvallisuus
TiHL tietoturvavaatimukset
3.1.1: Conduct regular vulnerability assessments
NSM ICT-SP
40.(1): Ievainojamību atklāšana un novēršana
NIS2 Latvia
40.(2): Neaizsargātību novēršanas grafiks
NIS2 Latvia
18.3: Remediate Penetration Test Findings
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Prioritization of identified technical vulnerabilities and remediation goals
Defining metrics related to vulnerability management
Critical
High
Normal
Low
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

39: Koordinēta ievainojamību atklāšana
NIS2 Latvia
16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
CIS 18
Art. 24.2.e.2: Sicurezza dell'acquisizione
NIS2 Italy
See all related requirements and other information from tasks own page.
Go to >
Defining metrics related to vulnerability management
Hardening of virtual machines utilized in cloud service offering
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

CLD 9.5.2: Virtual machine hardening
ISO 27017
16.7: Use Standard Hardening Configuration Templates for Application Infrastructure
CIS 18
See all related requirements and other information from tasks own page.
Go to >
Hardening of virtual machines utilized in cloud service offering
Regular testing of the vulnerability management process
Critical
High
Normal
Low
Technical vulnerability management
8
requirements

Examples of other requirements this task affects

DE.DP-3: Detection processes testing
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
I-19: TIETOJENKÄSITTELY-YMPÄRISTÖN SUOJAUS KOKO ELINKAAREN AJAN – OHJELMISTOHAAVOITTUVUUKSIEN HALLINTA
Katakri 2020
DE.DP-3: Detection processes are tested.
CyberFundamentals
RS.AN-5: Processes are established to receive, analyse, and respond to vulnerabilities disclosed to the organization from internal and external sources.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Regular testing of the vulnerability management process
Säännöllinen kattava haavoittuvuusskannaus (TL IV)
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

TEK-19.1: Ohjelmistohaavoittuvuuksien hallinta
Julkri
I-19: TIETOJENKÄSITTELY-YMPÄRISTÖN SUOJAUS KOKO ELINKAAREN AJAN – OHJELMISTOHAAVOITTUVUUKSIEN HALLINTA
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Säännöllinen kattava haavoittuvuusskannaus (TL IV)
Säännöllinen kattava haavoittuvuusskannaus (TL III)
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

TEK-19.2: Ohjelmistohaavoittuvuuksien hallinta - TL III
Julkri
I-19: TIETOJENKÄSITTELY-YMPÄRISTÖN SUOJAUS KOKO ELINKAAREN AJAN – OHJELMISTOHAAVOITTUVUUKSIEN HALLINTA
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Säännöllinen kattava haavoittuvuusskannaus (TL III)
Maintaining system hardening
Critical
High
Normal
Low
Technical vulnerability management
2
requirements

Examples of other requirements this task affects

TEK-10.2: Järjestelmäkovennus - kovennusten varmistaminen koko elinkaaren ajan
Julkri
I-08: VÄHIMMÄISTOIMINTOJEN JA VÄHIMPIEN OIKEUKSIEN PERIAATE – JÄRJESTELMÄKOVENNUS
Katakri 2020
See all related requirements and other information from tasks own page.
Go to >
Maintaining system hardening
Regular analysis and utilization of information related to information security threats
Critical
High
Normal
Low
Technical vulnerability management
16
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
23: Häiriöiden- ja poikkeamienhallintaprosessi
Digiturvan kokonaiskuvapalvelu
THREAT-2: Respond to Threats and Share Threat Information
C2M2
Article 13: Learning and evolving
DORA
3.3.4: Obtain and process threat information from relevant sources
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Regular analysis and utilization of information related to information security threats
Monitoring of technical vulnerability communications
Critical
High
Normal
Low
Technical vulnerability management
5
requirements

Examples of other requirements this task affects

50: Teknisten haavoittuvuuksien seuranta
Digiturvan kokonaiskuvapalvelu
THREAT-1: Reduce Cybersecurity Vulnerabilities
C2M2
9.3 §: Tietojärjestelmien hankinta ja kehittäminen
Kyberturvallisuuslaki
Article 34: ICT operations security
DORA simplified RMF
See all related requirements and other information from tasks own page.
Go to >
Monitoring of technical vulnerability communications
Regular monitoring of the vulnerability management process
Critical
High
Normal
Low
Technical vulnerability management
18
requirements

Examples of other requirements this task affects

12.6.1: Management of technical vulnerabilities
ISO 27001
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
8.8: Management of technical vulnerabilities
ISO 27001
See all related requirements and other information from tasks own page.
Go to >
Regular monitoring of the vulnerability management process
Consideration of threat intelligence findings in the information security risk management process
Critical
High
Normal
Low
Technical vulnerability management
6
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
3.3.4: Obtain and process threat information from relevant sources
NSM ICT-SP
ID.IM-02: Improvements from security tests and exercises
NIST 2.0
Article 31: ICT risk management
DORA simplified RMF
Art. 13.2.2: Mesures internes de sécurité graduelles
Loi infrastructures critiques
See all related requirements and other information from tasks own page.
Go to >
Consideration of threat intelligence findings in the information security risk management process
Sharing threat intelligence
Critical
High
Normal
Low
Technical vulnerability management
16
requirements

Examples of other requirements this task affects

5.7: Threat intelligence
ISO 27001
77: Menettely toimintaympäristön seuraamiseen
Digiturvan kokonaiskuvapalvelu
THREAT-2: Respond to Threats and Share Threat Information
C2M2
Article 45: Information-sharing arrangements on cyber threat information and intelligence
DORA
DE.CM-8: Vulnerability scans are performed.
CyberFundamentals
See all related requirements and other information from tasks own page.
Go to >
Sharing threat intelligence
Monitoring the use of the available capacity
Critical
High
Normal
Low
Technical vulnerability management
4
requirements

Examples of other requirements this task affects

A1.1: Evaluation of current processing capacity
SOC 2
4.1: Tietojärjestelmien tietoturvallisuus
TiHL tietoturvavaatimukset
3.2.5: Verify that the monitoring is working as intended
NSM ICT-SP
See all related requirements and other information from tasks own page.
Go to >
Monitoring the use of the available capacity

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Start free trial
Get to know Cyberday
Start your free trial
Cyberday is your all-in-one solution for building a secure and compliant organization. Whether you're setting up a cyber security plan, evaluating policies, implementing tasks, or generating automated reports, Cyberday simplifies the entire process.
With AI-driven insights and a user-friendly interface, it's easier than ever to stay ahead of compliance requirements and focus on continuous improvement.
Clear framework compliance plans
Activate relevant frameworks and turn them into actionable policies tailored to your needs.
Credible reports to proof your compliance
Use guided tasks to ensure secure implementations and create professional reports with just a few clicks.
AI-powered improvement suggestions
Focus on the most impactful improvements in your compliance with help from Cyberday AI.
Effortless compliance improvement
Widest framework library in EU
Extensive support

Start your compliance journey

Use in MS Teams or use your browser with Slack integration.
Risk free trial. No credit card required. Stop at any time.

Start free 14-day trial
Book a meeting
How it works?
SummarySecurity tasks and assuranceDocumentation workflowsEmployee guidelinesReporting templates
Use cases
By frameworkAll frameworksISO 27001NIS2 directiveNIST CSFCSA CCMISO 27701GDPRISO 27017ISO 27018
By methodCyber risk managementEmployee awarenessCompliance reportingControl managementAsset managementPrivacy managementVendor assessments
Resources
AcademyWebinarsBlogHelp articlesVideo coursesContent libraryGuidesNewsletterLeave a reviewPartner programTeamTerms of usePrivacy policy
Contact us
+358 10 231 6010
team@cyberday.ai
App works in:
Known in Finland as Digiturvamalli
© Cyberday Inc. Kalevantie 2 33100 Tampere, Finland
Cyberday.ai - Improve and certify your cyber security