Patch management is the process of acquiring, testing, and deploying software updates that fix vulnerabilities and bugs. Vendors release patches when security flaws are discovered; organizations must apply them before attackers exploit those flaws. Publicly known, unpatched vulnerabilities are among the most common initial-access vectors, so delays in patching translate directly into risk.
An effective program includes monitoring vendor and advisory feeds for new patches; assessing applicability and urgency (is the affected component actually installed, how severe and how exploitable is the flaw, is the system exposed); testing in non-production environments; scheduling deployment windows through change management; verifying successful installation rather than assuming it; and tracking exceptions for systems that cannot be patched immediately, each with a compensating control and a review date.
CISSP Relevance
Patch management appears in Domain 7 (Security Operations) as a critical operational control. Understand patching processes, prioritization based on vulnerability severity and exploitability, testing requirements, and how to handle systems that cannot be patched (compensating controls such as network isolation or additional monitoring, documented and re-evaluated rather than forgotten). Know that unpatched systems are low-hanging fruit for attackers, and that patching is expected to run through change management (test, approve, deploy, verify, roll back if needed) rather than ad hoc.
CISA's Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) lists CVEs with evidence of active exploitation and is a practical input for prioritization: a KEV entry should move ahead of higher-scoring flaws that are not known to be exploited.
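The assess, verify and track-exceptions steps of the program described above, and the prioritization by severity and exploitability that the CISSP section asks for, as an added worked example (this is not code from the original page, from CISA, or from any vendor). The advisory feed, the stand-in for the KEV catalog, the asset inventory, the exception register, the placeholder CVE-style identifiers and the SLA tiers are all constructed for illustration and are assumptions, not real data or a recommended policy.

```python
"""Patch triage, verification and exception tracking (added example).

All inputs below are constructed: the advisory feed, the KEV stand-in,
the asset inventory, the exception register and the SLA policy are
assumptions for illustration, not real advisories or real policy.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    cve: str            # placeholder identifier, not a real CVE
    package: str
    fixed_version: str  # first version that contains the fix
    cvss: float         # base score as published with the advisory


@dataclass(frozen=True)
class Asset:
    name: str
    package: str
    installed_version: str
    internet_facing: bool


def parse_version(version: str) -> tuple:
    """'1.10.0-r2' -> (1, 10, 0, 2): compare components as integers,
    because as strings '1.9' would wrongly sort after '1.10'."""
    parts = []
    for chunk in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", chunk)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a is strictly older than b; '3.0' is treated as '3.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_vulnerable(asset: Asset, adv: Advisory) -> bool:
    """Applicability: same package and installed version older than the fix."""
    return asset.package == adv.package and version_lt(asset.installed_version, adv.fixed_version)


# Assumed example SLA policy: (tier, days allowed), most urgent first.
TIERS = [("critical", 7), ("high", 30), ("medium", 90), ("low", 180)]


def urgency(adv: Advisory, asset: Asset, kev: set) -> tuple:
    """Exploitability (KEV listing) outranks raw severity; exposure bumps a tier."""
    if adv.cve in kev or adv.cvss >= 9.0:
        idx = 0
    elif adv.cvss >= 7.0:
        idx = 1
    elif adv.cvss >= 4.0:
        idx = 2
    else:
        idx = 3
    if asset.internet_facing:
        idx = max(0, idx - 1)  # reachable from the internet: one tier more urgent
    return TIERS[idx]


def triage(assets, advisories, kev, exceptions, today: date) -> list:
    """One work item per (asset, advisory) that applies, with a due date from the
    SLA; registered exceptions stay on the list with their compensating control."""
    items = []
    for asset in assets:
        for adv in advisories:
            if not is_vulnerable(asset, adv):
                continue
            tier, days = urgency(adv, asset, kev)
            control = exceptions.get((asset.name, adv.cve))
            items.append({"asset": asset.name, "cve": adv.cve, "tier": tier,
                          "due": today + timedelta(days=days),
                          "status": "exception" if control else "open",
                          "control": control})
    return sorted(items, key=lambda i: (i["due"], i["asset"]))


def verify_patched(asset: Asset, adv: Advisory) -> bool:
    """Post-deployment check on a freshly inventoried asset: the advisory no longer applies."""
    return not is_vulnerable(asset, adv)


# Constructed sample data (placeholder packages, versions and identifiers).
ADVISORIES = [Advisory("CVE-0000-0001", "example-tls", "3.0.13", 7.5),
              Advisory("CVE-0000-0002", "example-httpd", "1.10.0", 9.8),
              Advisory("CVE-0000-0003", "example-db", "15.6", 5.3)]
KEV = {"CVE-0000-0002"}  # stand-in for the CISA KEV catalog
ASSETS = [Asset("web-01", "example-httpd", "1.9.2", True),
          Asset("web-02", "example-httpd", "1.10.0", True),
          Asset("app-01", "example-tls", "3.0.9", False),
          Asset("db-01", "example-db", "15.2", False),
          Asset("bastion-01", "example-tls", "3.0.9", True)]
EXCEPTIONS = {("db-01", "CVE-0000-0003"): "no patch for this release; listens only on isolated VLAN"}
SAMPLE_TODAY = date(2024, 1, 1)


def run_sample() -> list:
    """Triage the constructed inventory as of the constructed date."""
    return triage(ASSETS, ADVISORIES, KEV, EXCEPTIONS, SAMPLE_TODAY)


if __name__ == "__main__":
    for item in run_sample():
        print(f'{item["due"]} {item["tier"]:<8} {item["asset"]:<11} {item["cve"]} {item["status"]}')
```

Two details are worth noting. Version strings must be compared numerically: "1.9.2" is older than "1.10.0", which a plain string comparison gets backwards, and a verification step built on string comparison would report a still-vulnerable host as patched. And exceptions are kept on the work list with their compensating control and a due (review) date instead of being filtered out, so the unpatched system remains visible to whoever owns the program.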
Related terms: Vulnerability Assessment, Change Management