APS-03 Infrastructure Security (12% of OML score)

Are business applications kept up to date with security patches?

Do you regularly install security updates and patches for the software your business uses (ERP, accounting software, email, CRM, etc.)? This question asks whether you have a system to keep these applications current with the latest security fixes that vendors release.

⚡ Why This Matters to Your Business

Hackers actively exploit known vulnerabilities in outdated software—if you're running an old version of your accounting or billing application, criminals can break in without needing advanced skills. A textile exporter in Tamil Nadu lost ₹45 lakhs when attackers exploited an unpatched accounting software vulnerability, accessed customer invoices, and redirected payments to fake accounts. Without patching discipline, you also fail compliance audits (required for GST registration and ISO certification), face customer rejection (large buyers now ask for security statements), and risk operational shutdown if ransomware exploits an old vulnerability and locks your data.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0: Absent

You have no record of when applications were last updated, and staff apply patches randomly or not at all when notifications appear. Your IT person (or vendor) has no documented process, and critical applications may be running versions from 2-3 years ago.

Level 1: Initial

You've identified which business applications you run and asked your IT person or vendor when each was last patched, but there's no formal schedule or checklist. Updates happen when someone remembers or when a vendor calls, and you sometimes delay because 'the system is working fine.'

Level 2: Developing

You have a written list of all business applications with documented patch dates (even if in a simple Excel sheet), and you've set a rough schedule to check for updates monthly. Your IT person tracks major patches but may miss critical security-only updates that don't seem 'urgent.'

Level 3: Defined

You have a documented patch management policy stating that critical security patches are applied within 30 days of release, important patches within 60 days, and a test environment where patches are validated before production. Your IT person or vendor follows this schedule and keeps monthly records showing what was patched and when.

Level 4: Managed

Your patch management process is formalized in writing, integrated with your change management procedure, and includes a testing checklist to ensure patches don't break business functions. You track metrics monthly (% of critical patches applied on time), review them in management meetings, and have a contingency plan if a patch causes problems.

Level 5: Optimised

Patch management is fully automated where possible (e.g., auto-updates enabled on servers, with controlled rollout in stages), your IT team receives automated alerts for new vendor CVEs (security announcements) relevant to your software, and quarterly reviews compare your patch status against industry benchmarks. You've trained staff to report any application misbehavior immediately after updates.

🚀 How to Move Up — Practical Steps

Step 0 → 1
  What to do: Inventory all business applications (ERP, accounting, email, CRM, antivirus, firewalls, etc.) and note the vendor name and current version number. Contact each vendor's support to ask when the last security update was released and whether your version is still supported.
  Who: IT person or office manager
  Effort: 2–3 days

Step 1 → 2
  What to do: Create a simple spreadsheet listing each application, its version, the last patch date, and when the next patch check is due (e.g., 1st of each month). Define 'critical' (security patches), 'important' (feature patches), and 'low' (cosmetic updates). Assign one person to check the vendor website or support portal for new patches every month.
  Who: IT person with approval from office manager
  Effort: 1 week

Step 2 → 3
  What to do: Write a one-page Patch Management Policy document stating: (a) critical patches must be applied within 30 days, (b) important patches within 60 days, (c) all patches are tested on a non-production machine first (if budget allows), (d) staff are notified before planned downtime, and (e) a record is kept in the spreadsheet. Get the owner or manager to sign and date this policy.
  Who: IT person drafts, manager approves
  Effort: 2–3 weeks

Step 3 → 4
  What to do: Integrate patch management into a basic change control process: create a simple form for each patch (what it fixes, tested on which date, applied on which date, any issues). Track compliance monthly (e.g., 'Applied 12 of 13 critical patches on time this month'). Review metrics with the manager every quarter and adjust timelines if needed. Document any patch-related failures and how they were resolved.
  Who: IT person maintains records, manager reviews quarterly
  Effort: 1–2 months

Step 4 → 5
  What to do: Enable automatic patching for operating systems and non-critical applications (where safe). Set up email alerts from vendor security advisories or use a free vulnerability scanner to detect outdated software weekly. Schedule a quarterly review comparing your patch age against industry standards (e.g., CERT-In advisories). Provide staff with a one-page guide on what to do if they notice an application behaving oddly after an update.
  Who: IT person implements and monitors continuously
  Effort: Ongoing (5–10 hours per month)
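The spreadsheet from step 1 → 2, the 30/60-day timelines from step 2 → 3 and the monthly metric from step 3 → 4 fit together in one small register. The script below is an added example, not part of the NIRMATA guide: it models each patch as a record, classifies it against the policy deadlines, reports what is overdue and produces the 'Applied N of M critical patches on time' figure. All application names, versions and dates are constructed sample data, and the rule that a patch only counts in the denominator once it is applied or past its deadline is an assumption made here, not something the guide specifies.

```python
"""Patch register with SLA metrics (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Timelines from the policy in the guide: critical within 30 days,
# important within 60. The guide sets no deadline for 'low', so it is
# recorded but not measured.
SLA_DAYS = {"critical": 30, "important": 60, "low": None}


@dataclass
class PatchRecord:
    application: str
    version: str             # version the patch brings you to
    severity: str            # 'critical', 'important' or 'low'
    released: date           # date the vendor published the patch
    applied: Optional[date]  # None until the patch is installed

    def deadline(self) -> Optional[date]:
        days = SLA_DAYS[self.severity]
        return None if days is None else self.released + timedelta(days=days)

    def status(self, today: date) -> str:
        """One of: on_time, late, pending, overdue, untracked."""
        deadline = self.deadline()
        if deadline is None:
            return "untracked"
        if self.applied is not None:
            return "on_time" if self.applied <= deadline else "late"
        return "overdue" if today > deadline else "pending"


def compliance(records: List[PatchRecord], severity: str, today: date) -> Tuple[int, int]:
    """Return (applied_on_time, due) for one severity.

    Assumption: a patch enters the denominator once it is applied or past
    its deadline; patches still inside their window are not yet due.
    """
    due = [r for r in records
           if r.severity == severity and r.status(today) in ("on_time", "late", "overdue")]
    on_time = sum(1 for r in due if r.status(today) == "on_time")
    return on_time, len(due)


def overdue_report(records: List[PatchRecord], today: date) -> List[Tuple[str, str, int]]:
    """(application, severity, days_overdue) for unapplied patches past deadline."""
    report = [(r.application, r.severity, (today - r.deadline()).days)
              for r in records if r.status(today) == "overdue"]
    return sorted(report, key=lambda row: row[2], reverse=True)


# Constructed sample register: names and versions are placeholders.
TODAY = date(2024, 2, 5)
SAMPLE_RECORDS = [
    PatchRecord("Accounting (constructed)", "6.6.3", "critical", date(2023, 12, 20), date(2024, 1, 5)),
    PatchRecord("Billing (constructed)", "23.1.5", "critical", date(2024, 1, 2), date(2024, 1, 5)),
    PatchRecord("Mail server (constructed)", "9.4.1", "critical", date(2023, 12, 15), date(2024, 1, 30)),
    PatchRecord("CRM (constructed)", "4.2", "critical", date(2024, 1, 20), None),
    PatchRecord("Antivirus (constructed)", "12.0.7", "important", date(2023, 11, 1), None),
    PatchRecord("Firewall firmware (constructed)", "7.0.12", "low", date(2024, 1, 10), None),
]

if __name__ == "__main__":
    for sev in ("critical", "important"):
        on_time, due = compliance(SAMPLE_RECORDS, sev, TODAY)
        print(f"{sev}: applied {on_time} of {due} on time")
    for app, sev, days in overdue_report(SAMPLE_RECORDS, TODAY):
        print(f"OVERDUE: {app} ({sev}) by {days} days")
```

The 'late' status is what the quarterly review should look at: a patch applied after its deadline still closes the exposure, but it lowers the on-time percentage, which is exactly the signal the guide wants management to see.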
📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Spreadsheet or document listing all business applications, versions, and last patch dates
  • Written Patch Management Policy signed by owner/manager, stating patch timelines (critical, important, low priority)
  • Monthly patch check log (e.g., 'January 2024: Checked Tally on 5th, no new patches; checked QuickBooks on 5th, applied v23.1.5')
  • Change control records for each critical or important patch (what was patched, test results, application date, any rollback needed)
  • Compliance metrics summary (e.g., quarterly report showing '95% of critical patches applied within SLA')
🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your list of business applications and when each was last patched. Can you prove the dates?"
  • "Do you have a documented policy for how quickly you apply security patches? What are the timelines?"
  • "If a critical security vulnerability is announced by the vendor or CERT-In, how long would it take you to apply the fix?"
  • "How do you test patches before applying them to your live system? Who approves patch installation?"
  • "Have you ever experienced a security incident due to an outdated application? What did you do about it?"
🛠 Tools That Work in India

Purpose: Track and alert on new security vulnerabilities in software you use
  Free option: NVD (National Vulnerability Database, nvd.nist.gov), searched manually; Snyk Open Source (snyk.io), scans code and dependencies; CERT-In website (cert-in.org.in), Indian advisories
  Paid option: Qualys VMDR (₹4–6 lakhs/year for small organizations); Rapid7 InsightVM (₹3–8 lakhs/year)

Purpose: Scan your systems to detect outdated software versions and missing patches
  Free option: OpenVAS (open-source vulnerability scanner); Nessus Essentials (free, limited to 16 IPs)
  Paid option: Nessus Professional (₹50,000–80,000/year); Qualys (₹4–6 lakhs/year)

Purpose: Manage and automate patch deployment across servers and endpoints
  Free option: Windows Server Update Services (WSUS) for Microsoft updates; apt/yum for Linux systems; vendor-specific auto-update features
  Paid option: Microsoft Intune (₹2,500–5,000 per device/year); ManageEngine Patch Manager Plus (₹1.5–3 lakhs/year for 50–100 devices)
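Whether you search NVD by hand or pay for a scanner, the core of 'alert me when a new advisory affects software I run' is a version-range check against your inventory. The script below is an added example and is not from the NIRMATA guide or from any of the tools listed above: it compares a constructed list of advisories (placeholder IDs, not real CVEs) against a constructed inventory and returns the ones that apply. The advisory fields (`product`, `affected_from`, `fixed_in`) are this example's own simplified schema, not NVD's or CERT-In's format, and the product identifiers are made up.

```python
"""Match advisories against an application inventory (added example)."""
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'6.6.3' -> (6, 6, 3). Trailing letters in a component are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def vercmp(a: str, b: str) -> int:
    """-1, 0 or 1 like C's strcmp; '6.6' and '6.6.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(installed: str, advisory: Dict) -> bool:
    """Affected when affected_from <= installed < fixed_in.

    affected_from may be None (every earlier release is affected).
    """
    start: Optional[str] = advisory.get("affected_from")
    if start is not None and vercmp(installed, start) < 0:
        return False
    return vercmp(installed, advisory["fixed_in"]) < 0


def alerts(inventory: List[Dict], advisories: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(application, installed, advisory_id, fixed_in) for each advisory that applies."""
    out = []
    for app in inventory:
        for adv in advisories:
            if adv["product"] == app["product"] and is_affected(app["version"], adv):
                out.append((app["name"], app["version"], adv["id"], adv["fixed_in"]))
    return out


# Constructed inventory: the same columns as the guide's spreadsheet plus a
# product key that the advisory feed can be matched on.
INVENTORY = [
    {"name": "Accounting (constructed)", "product": "acme-accounts", "version": "6.6.3"},
    {"name": "CRM (constructed)", "product": "acme-crm", "version": "4.2"},
    {"name": "Mail server (constructed)", "product": "acme-mail", "version": "9.4.1"},
]

# Constructed advisories; IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001 (constructed)", "product": "acme-accounts", "affected_from": "6.0", "fixed_in": "6.6.4"},
    {"id": "ADV-0002 (constructed)", "product": "acme-crm", "affected_from": "5.0", "fixed_in": "5.1"},
    {"id": "ADV-0003 (constructed)", "product": "acme-mail", "affected_from": None, "fixed_in": "9.4.1"},
    {"id": "ADV-0004 (constructed)", "product": "acme-mail", "affected_from": None, "fixed_in": "9.5"},
]

if __name__ == "__main__":
    for name, installed, adv_id, fixed in alerts(INVENTORY, ADVISORIES):
        print(f"ALERT: {name} {installed} affected by {adv_id}; upgrade to {fixed}")
```

Two cases are worth noticing in the sample data: the CRM is older than the advisory's affected range and is correctly left alone, and a mail server already on the fixed version is not alerted, while a later advisory with a higher `fixed_in` is. Running this weekly against your register is the manual equivalent of the 'automated alerts for new vendor CVEs' described at Level 5.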
🛡 How This Makes You More Resilient

When patches are applied promptly, attackers cannot use known vulnerabilities to break into your systems—this blocks a major attack pathway and reduces the odds of ransomware, data theft, or payment fraud. Your business continues running without unplanned shutdowns caused by exploits, and you avoid the ₹10–50 lakh costs of incident response and recovery. Customers and auditors trust you more because you demonstrate basic security discipline.
⚠️ Common Pitfalls in India
  • Vendors in India sometimes stop supporting older software versions but don't announce it clearly; your business keeps using unsupported software because the vendor never explicitly said 'this version is now vulnerable.' Check the vendor's official support matrix document every year.
  • Limited IT budget leads businesses to skip patches for months, assuming 'if it's not broken, don't fix it.' In reality, the vulnerabilities are already known to hackers, and you're just waiting to be exploited. Patch management costs ₹0–₹50,000/year but a breach costs ₹10–50 lakhs.
  • Patches sometimes break older business functions (e.g., a Tally upgrade breaks a third-party plugin). Fear of this leads to indefinite delays. Instead, test patches on a cheap second machine or container first; a ₹20,000 test setup is far cheaper than a breach.
⚖️ Compliance References

DPDP Act 2023: Section 8 (Security of Personal Data): organizations must implement and maintain reasonable security practices, which includes keeping systems patched
CERT-In 2022 Directions: cybersecurity practices, item 6: 'Install security patches and updates on a timely basis'
ISO 27001:2022: Annex A, 8.2.1 (System and communications protection): regular patching is part of configuration and vulnerability management
NIST CSF 2.0: Govern (GV.RO-02 and GV.RM-03): patch management supports supply chain and IT asset governance; Protect (PR.MA-02): systems are kept up to date


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security