
10 Steps to Successful Patch Management Framework


By Artur Ganc, Consultant, CISM - Information Security Framework in Finance Industry

Hackers can easily exploit known vulnerabilities. Even though many companies are familiar with this risk, many still tend to down-prioritize mitigation and even ignore regulatory demands and industry-specific standards.

By implementing a complete patch management framework, you significantly reduce the risk of a security breach, and your organization will improve its IT operations.

The positive spin-offs are typically seen in associated areas such as ITIL processes, roles and responsibilities, tools and culture. The latter refers primarily to the misconception that information security is a matter only the IT department should be concerned with.

This NNIT Security Insights article presents an overall 10-step checklist for a sound patch management framework. It excludes the prerequisites for a successful implementation.  


What is Patch Management?

Updates for firmware, middleware and applications are constantly being developed in order to either fix security vulnerabilities and other bugs, or to improve usability and performance.

Patch management is the process of using a strategy and associated plan to ensure that the right updates are installed at the right time. The definition of right time is based on the update’s importance for stability and security versus business needs that demand the least amount of disturbance to both internal and external stakeholders. 

Patch Management Framework Checklist

The framework should include all the auxiliary components surrounding the actual patching. The more mature the company is, the more components may be added.

Some components may be part of a different framework or topic, e.g. lifecycle management. That is fine as long as they are reviewed with the additional requirements related to patch management taken into consideration.

Companies differ in terms of needs, readiness and culture, so rather than adopting every component at once, I recommend that you begin by assessing your current and desired state for each component and focus on the ones with the largest gap that can add the most value to your company.

  1. Information Security Policy that contains senior management's decision on the overall guiding principles, which may affect other components in the framework, e.g. which regulations, standards and business requirements to follow.

  2. Risk classification to ensure a proper prioritization and protection level. This information is the basis for designing and optimizing your IT infrastructure, access management etc. When it comes to patching, it should be used to determine the update frequency and severity.

  3. System Hardening, which, simply put, means removing every service and role that is not required for a particular system. The fewer running services there are, the fewer patches are needed and the less vulnerable the item is. This is also related to license management and application whitelisting and blacklisting.

  4. Dispensation governance that describes a controlled process for deviation from patching. This also includes risk assessment and alternative controls.

  5. Internal and external monitoring of vulnerabilities. The external monitoring is typically carried out by receiving feeds from vendors or other acknowledged sources that identify new vulnerabilities and rank them regarding impact criticality.

  6. Commissioning governance that ensures configuration items are identified, registered, updated with all relevant policies and software, and included in the patch maintenance cycle from the start.

  7. Decommissioning governance that ensures proper settings/clean-up in Active Directory (AD), the CMDB, monitoring systems, compliance reporting etc., and that the item cannot be turned back on unnoticed.

  8. General patch procedures that contain a well-described maintenance cycle, which is used to plan service windows and gives input to reporting. The patch procedure must be adapted to the change management process including the emergency change process.

  9. Specific patch instructions used by the actual technician in the operations department.

  10. Reporting & KPI hierarchy with relevant indicators for all key stakeholders.
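As an added illustration, not part of the original article, of how steps 2, 4, 5 and 10 interlock: the risk class of a configuration item and the severity reported by the vulnerability feed together set a patch deadline, an approved dispensation suspends that deadline only while it is valid, and the outcome rolls up into a KPI. The SLA matrix, system names, patch ids and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed SLA matrix (days allowed to patch) keyed by (asset risk class, severity); constructed values.
SLA_DAYS = {
    ("high", "critical"): 7,    ("high", "high"): 14,   ("high", "medium"): 30,
    ("medium", "critical"): 14, ("medium", "high"): 30, ("medium", "medium"): 60,
    ("low", "critical"): 30,    ("low", "high"): 60,    ("low", "medium"): 90,
}
@dataclass(frozen=True)
class PendingPatch:
    ci: str          # configuration item registered in the CMDB (step 6)
    risk_class: str  # from the risk classification (step 2)
    patch_id: str
    severity: str    # from the vendor/vulnerability feed (step 5)
    published: date
@dataclass(frozen=True)
class Dispensation:  # approved deviation from patching (step 4)
    ci: str
    patch_id: str
    expires: date
    compensating_control: str

def deadline(p: PendingPatch) -> date:
    """Patch-by date: publication date plus the SLA for this risk class and severity."""
    return p.published + timedelta(days=SLA_DAYS[(p.risk_class, p.severity)])

def status(p: PendingPatch, today: date, dispensations: list) -> str:
    """A dispensation only counts while it is valid; an expired one leaves the item overdue."""
    if any(d.ci == p.ci and d.patch_id == p.patch_id and d.expires >= today for d in dispensations):
        return "dispensed"
    return "overdue" if today > deadline(p) else "within_sla"

def kpi(pending: list, today: date, dispensations: list) -> tuple:
    """Step 10 KPI: counts per status and SLA compliance over the items still in scope."""
    counts = {"within_sla": 0, "overdue": 0, "dispensed": 0}
    for p in pending:
        counts[status(p, today, dispensations)] += 1
    in_scope = counts["within_sla"] + counts["overdue"]
    return counts, (counts["within_sla"] / in_scope if in_scope else 1.0)

TODAY = date(2017, 6, 1)  # constructed sample data below: hypothetical systems and patch ids
SAMPLE_PENDING = [
    PendingPatch("srv-db-01", "high", "PATCH-A", "critical", date(2017, 5, 20)),
    PendingPatch("srv-db-01", "high", "PATCH-B", "medium", date(2017, 5, 20)),
    PendingPatch("ws-legacy-07", "medium", "PATCH-A", "critical", date(2017, 5, 20)),
    PendingPatch("srv-web-02", "low", "PATCH-C", "high", date(2017, 3, 1)),
]
SAMPLE_DISPENSATIONS = [
    Dispensation("ws-legacy-07", "PATCH-A", date(2017, 8, 31), "isolated VLAN, host firewall"),
    Dispensation("srv-web-02", "PATCH-C", date(2017, 5, 15), "WAF rule (already expired)"),
]
```

Running `kpi(SAMPLE_PENDING, TODAY, SAMPLE_DISPENSATIONS)` on the sample reports one item within SLA, two overdue (one of them because its dispensation lapsed) and one dispensed, i.e. 33% SLA compliance.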


About NNIT Security Insights

NNIT Security Insights is a regular column where prominent NNIT IT security advisors share their thoughts on current and future IT security challenges and how to deal with them.

NNIT has its own Computer Emergency Response Team (CERT). If lightning strikes, we have the necessary competencies in-house to respond and assist. We have also developed a range of services that can help businesses to achieve the right level of security protection to protect the business from financial and reputational damage. 

You are welcome to contact us at or visit us if you want to know more about how NNIT can help your business increase its information security level.





Helge Skov Djernes, Information Security Management Consultant, +45 3075 8868, hfsd@nnit.com