Unpatched computers are like unlocked doors—hackers use known security flaws to enter and steal customer data, financial records, or hold your systems for ransom. A Chennai export company lost ₹40 lakhs when ransomware hit their unpatched accounting servers, shutting down operations for a week. Customers and regulators (like CERT-In and RBI auditors) now expect you to prove you patch regularly; without it, you fail compliance audits and lose client contracts. One breach can cost more than years of software maintenance.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no formal update process; computers update randomly when someone notices or they crash. Staff complain that computers are slow and some still run Windows 7 or old macOS versions.
Initial
You manually remind people to update their laptops every few months, but there is no tracking of whether they actually did it. Some machines still have critical updates pending from weeks ago.
Developing
You have set Windows/Mac automatic updates to turn on, and you check once a month whether updates were applied. Most machines are current, but you have no documented record to show an auditor.
Defined
You maintain a spreadsheet or simple log of all computers, their OS versions, and last update date. Updates are set to auto-install and you verify compliance monthly, addressing any stragglers immediately.
Managed
You use a centralized patch management tool to deploy updates automatically across all computers and generate monthly compliance reports. You also document a policy that explains how and when patches are tested and rolled out.
Optimised
You have an automated patch management system integrated with your IT infrastructure, with staged testing, automatic rollout, and real-time monitoring. You maintain audit-ready reports, track patch status per machine, and conduct quarterly reviews with the IT team.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Send an email to all staff asking them to turn on automatic updates on their laptops (Windows 11: Settings > Windows Update; Windows 10: Settings > Update & Security; macOS Ventura and later: System Settings > General > Software Update; older macOS: System Preferences > Software Update). Ask each person to reply with a screenshot of the setting, and keep the email and the replies as your first record. | IT person or office manager | 1 day |
| 1 → 2 | Create a simple spreadsheet with columns for computer name, OS type, OS version, last update date, pending security updates, and whether automatic updates are enabled. Check each machine once a month, in person or via remote access (the machine's own update history screen, or a script you run over remote management), and update the sheet. Ensure automatic updates are enabled on all machines and note who fixed any that were not. | IT person | 1 week (initial) + 2 hours/month ongoing |
| 2 → 3 | Formalize your patch management process in a one-page policy document stating: which devices need updates, update schedule (e.g., first Tuesday of each month), how non-compliant machines are handled, and who is responsible. Brief all staff. Keep signed acknowledgment forms. | IT person + manager | 2-4 weeks |
| 3 → 4 | Implement a patch management tool (e.g., WSUS for Windows or Jamf for Mac) that can push updates to multiple machines at once and generate reports automatically. Note that Microsoft deprecated WSUS in September 2024: it still runs on Windows Server 2025 but gets no new features, so a new deployment today should weigh Intune or another supported tool. Train the IT person on its use. Integrate with your monthly compliance checks. | IT person or external IT consultant | 1-2 months |
| 4 → 5 | Review and enhance your patch management tool's capabilities: set up staged rollout (test on a few machines first, then roll to all), enable real-time alerting for non-compliant machines, integrate with antivirus alerts, and conduct quarterly policy reviews with leadership to adjust for new threats. | IT person + IT governance committee | Ongoing (quarterly reviews + 1-2 hours/week monitoring) |
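The monthly check in steps 1 → 2 and 2 → 3 is usually done by clicking through each machine's update screen. The script below is an added example, not part of the original page or of any tool named here: it collects the same evidence on a Windows 10/11 endpoint (OS version, last successful update, pending and pending-critical updates, whether automatic updates are set to scheduled install, whether the Windows Update service is disabled) using only the built-in Windows Update Agent COM API, and appends one row to a CSV you can paste into the spreadsheet. It assumes it runs as Administrator in Windows PowerShell 5.1 or PowerShell 7; `$ReportPath` and the computer names are hypothetical.

```powershell
# Added example (not from the original page): collect per-machine patch evidence
# on a Windows 10/11 endpoint with the built-in Windows Update Agent COM API.
# Assumption: run as Administrator; $ReportPath below is a hypothetical share path.

function Get-PatchEvidence {
    [CmdletBinding()]
    param([int]$HistoryDepth = 200)   # how many update-history entries to scan

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # What is still pending on this machine (software updates only, nothing hidden)?
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $pendingCritical = @($pending | Where-Object { $_.MsrcSeverity -eq 'Critical' })

    # Last *successful* install from the update history (ResultCode 2 = Succeeded).
    # This is more reliable than Get-HotFix, whose InstalledOn column is often blank.
    $total   = $searcher.GetTotalHistoryCount()
    $history = if ($total -gt 0) { $searcher.QueryHistory(0, [Math]::Min($total, $HistoryDepth)) } else { @() }
    $lastOk  = $history | Where-Object { $_.ResultCode -eq 2 } |
               Sort-Object Date -Descending | Select-Object -First 1

    # Automatic Updates notification level: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled install (the setting the policy wants).
    $auLevel = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $svc     = Get-Service -Name wuauserv   # a Disabled start type means updates cannot run at all

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Collected           = (Get-Date).ToString('s')
        OS                  = $os.Caption
        OSVersion           = "$($os.Version) (build $($os.BuildNumber))"
        LastBoot            = $os.LastBootUpTime.ToString('s')
        LastSuccessfulPatch = if ($lastOk) { $lastOk.Date.ToString('s') } else { 'none-in-history' }
        LastPatchTitle      = if ($lastOk) { $lastOk.Title } else { '' }
        PendingUpdates      = $pending.Count
        PendingCritical     = $pendingCritical.Count
        PendingTitles       = ($pending | ForEach-Object Title) -join '; '
        AutoUpdateLevel     = $auLevel
        AutoUpdateOK        = ($auLevel -eq 4)
        WUServiceEnabled    = ($svc.StartType -ne 'Disabled')
    }
}

# Run locally and append to the monthly inventory (-Append creates the file on first use).
$ReportPath = '\\fileserver\it\patch-inventory.csv'   # hypothetical path
Get-PatchEvidence | Export-Csv -Path $ReportPath -Append -NoTypeInformation

# Or collect from several machines over WinRM in one go (hypothetical names):
# Invoke-Command -ComputerName PC-01, PC-02 -ScriptBlock ${function:Get-PatchEvidence} |
#     Select-Object * -ExcludeProperty PSComputerName, RunspaceId |
#     Export-Csv -Path $ReportPath -Append -NoTypeInformation
```

The CSV row is the "evidence on a sample machine" an auditor asks for: it is timestamped, produced by the OS's own update agent rather than by a staff member's say-so, and it records both the pending backlog and whether the machine is configured to clear it on its own. Run it from a scheduled task on the first Tuesday of each month if you want the sheet to fill itself.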
Documents and records that prove your maturity level.
- Monthly patch compliance report listing all devices, OS versions, and update dates (spreadsheet or tool-generated)
- Written patch management policy document signed and dated by IT lead and business owner
- Email or notification logs showing automatic update notifications sent to all staff
- Screenshot or tool report showing patch deployment history (e.g., from WSUS, Jamf, or patch management tool dashboard)
- Incident log or record showing action taken when a device was found non-compliant (e.g., 'Server X missing 5 patches—IT notified user on [date], patched on [date]')
Prepare for these questions from customers or third-party reviewers.
- "Can you show me a list of all computers in your organization and their current OS version and patch status?"
- "How often do you check that operating system updates have been applied? Can you provide records from the last three months?"
- "What is your policy if a computer is found to be missing critical security updates? How long do you allow before it must be patched?"
- "Do you have evidence that automatic updates are enabled on company computers? Can you demonstrate this on a sample machine?"
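The third question above (how long a machine may stay unpatched) and the monthly compliance report both need the same thing: a rule applied to every inventory row, with the reason recorded. The script below is an added example, not from the original page or from any named tool. It assumes a CSV or spreadsheet export with the columns ComputerName, OS, OSVersion, LastSuccessfulPatch, PendingCritical and AutoUpdateOK, and uses hypothetical policy thresholds of 14 days when a critical update is pending and 30 days otherwise; the sample rows are constructed for the demonstration. End-of-support dates are Microsoft's published lifecycle dates.

```powershell
# Added example (not from the original page): score an inventory export against a
# written patch policy and produce the per-device status an auditor expects to see.
# Assumptions: CSV columns ComputerName, OS, OSVersion, LastSuccessfulPatch,
# PendingCritical, AutoUpdateOK; thresholds below are hypothetical policy values.

# Public Microsoft end-of-support dates; extend as you add platforms.
$EndOfSupport = @{
    'Windows 7'   = [datetime]'2020-01-14'
    'Windows 8.1' = [datetime]'2023-01-10'
    'Windows 10'  = [datetime]'2025-10-14'
}

function Test-PatchCompliance {
    param(
        [Parameter(Mandatory)] [object[]]$Inventory,
        [int]$MaxDaysNormal   = 30,   # hypothetical policy: routine updates within 30 days
        [int]$MaxDaysCritical = 14,   # hypothetical policy: critical updates within 14 days
        [datetime]$AsOf = (Get-Date)
    )
    foreach ($row in $Inventory) {
        $reasons = @()

        # An out-of-support OS can never be compliant, whatever the dates say.
        $eol = $EndOfSupport.GetEnumerator() |
               Where-Object { $row.OS -like "*$($_.Key)*" -and $AsOf -ge $_.Value } |
               Select-Object -First 1
        if ($eol) { $reasons += "OS out of support since $($eol.Value.ToString('yyyy-MM-dd'))" }

        # Days since the last successful install; the inventory records install dates,
        # not release dates, so this is the proxy used for "how long has it been pending".
        $last = [datetime]::MinValue
        $age  = $null
        if ([datetime]::TryParse("$($row.LastSuccessfulPatch)", [ref]$last)) {
            $age = [int]($AsOf - $last).TotalDays
        } else {
            $reasons += 'no successful patch recorded'
        }

        $critical = 0
        [void][int]::TryParse("$($row.PendingCritical)", [ref]$critical)
        if ($critical -gt 0 -and $null -ne $age -and $age -gt $MaxDaysCritical) {
            $reasons += "$critical critical update(s) pending, last patch $age days ago (limit $MaxDaysCritical)"
        } elseif ($null -ne $age -and $age -gt $MaxDaysNormal) {
            $reasons += "last patch $age days ago (limit $MaxDaysNormal)"
        }

        # Exported booleans arrive as the strings 'True'/'False'.
        if ("$($row.AutoUpdateOK)" -ne 'True') { $reasons += 'automatic updates not set to scheduled install' }

        [pscustomobject]@{
            ComputerName   = $row.ComputerName
            OS             = $row.OS
            DaysSincePatch = $age
            Status         = if ($eol) { 'EOL' } elseif ($reasons) { 'NonCompliant' } else { 'Compliant' }
            Reasons        = $reasons -join '; '
        }
    }
}

# Constructed sample rows standing in for the monthly export (Import-Csv yields the same shape).
$sample = @'
ComputerName,OS,OSVersion,LastSuccessfulPatch,PendingCritical,AutoUpdateOK
ACC-PC-01,Microsoft Windows 11 Pro,10.0.22631,2025-06-03T09:12:00,0,True
ACC-PC-02,Microsoft Windows 10 Pro,10.0.19045,2025-04-20T18:40:00,2,True
OLD-PC-07,Microsoft Windows 7 Professional,6.1.7601,2019-11-05T10:00:00,0,False
LAP-05,Microsoft Windows 11 Pro,10.0.22631,2025-05-12T07:30:00,0,False
'@ | ConvertFrom-Csv

$report = Test-PatchCompliance -Inventory $sample -AsOf ([datetime]'2025-06-10')
$report | Format-Table -AutoSize
# One-line summary for the monthly report and the auditor:
$report | Group-Object Status | ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
```

With the sample data and the 10 June 2025 reference date, ACC-PC-01 is compliant, ACC-PC-02 is non-compliant (two critical updates pending and 51 days since its last install), LAP-05 is non-compliant only because automatic updates are off, and OLD-PC-07 is flagged EOL regardless of dates. The Reasons column is what turns a spreadsheet into the incident record in the evidence list: it states why the machine failed, and the row you add when it is fixed states when.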
| Purpose | Free Option | Paid Option |
|---|---|---|
| Deploy Windows patches centrally across multiple computers and track compliance | Windows Server Update Services (WSUS)—built into Windows Server; requires on-premises server or cloud setup | Microsoft Intune—₹200–400/device/year; Ivanti Patch Manager—₹50,000–200,000/year depending on scale |
| Manage Mac updates and compliance across your organization | Munki (open source); Apple Business Manager (free; it enrols company Macs and hands them to an MDM but does not itself push updates); Jamf Now free tier (limited to 3 devices) | Jamf Pro—₹15,000–50,000/year |
| Track all devices and their patch status in a simple spreadsheet-based system | Google Sheets or LibreOffice Calc with manual monthly updates | Lansweeper (asset management with patch tracking)—₹30,000–100,000/year; Tanium (enterprise)—₹200,000+/year |
| Monitor and alert when updates are pending or failed on any device | Built-in OS notifications (Windows Update, macOS Software Update) | SolarWinds Patch Manager—₹150,000–500,000/year; Qualys VMDR—₹200,000+/year |
| Generate compliance reports for auditors automatically | Google Forms + Sheets (manual data collection); Excel with VBA macros | Rapid7 InsightVM—₹300,000+/year; ManageEngine Patch Manager Plus—₹50,000–200,000/year |
- Assuming automatic updates are turned on—many Indian small businesses buy computers without checking update settings, leaving systems vulnerable for months until an incident occurs.
- Delaying patches due to 'fear of breaking things'—skipping critical security updates because you worry an update will crash a payment system or accounting software is extremely common and leads to data breaches. The answer is to test the update on one machine first and roll it out within the policy window, not to skip it.
- Only patching new machines and forgetting old ones—many MSMEs patch their main server but leave older desktops and laptops unpatched because 'nobody important uses them,' not realizing hackers use these as entry points.
- No documented process—running a business where 'the IT person knows what to do' means when that person leaves or is unavailable, patch management stops and systems drift into non-compliance.
- Using pirated or end-of-life OS that cannot receive updates—Windows 7 and 8.1 stopped receiving security updates in 2020 and 2023 respectively, licensed or not, and unlicensed copies of current Windows are often installed with Windows Update disabled by the activation crack. Either way the machine is permanently vulnerable until it is replaced with a licensed, supported OS.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5): a Data Fiduciary must take 'reasonable security safeguards to prevent personal data breach'; the Schedule sets a penalty of up to ₹250 crore for failing to do so. The Act does not name patching, but running unpatched systems is the plainest way to fail that duty. |
| CERT-In 2022 Directions | Directions of 28 April 2022 under section 70B(6) of the IT Act 2000: listed cyber incidents (including ransomware) must be reported to CERT-In within six hours, and system logs must be kept for 180 days. They set no patching interval; cite them for the reporting duty a compromised unpatched machine triggers, and CERT-In's advisories and vulnerability notes for the recommendation to apply vendor patches promptly. |
| ISO 27001:2022 | Annex A 8.8 (Management of technical vulnerabilities: obtain vulnerability information and apply patches), A 8.32 (Change management: testing and rollout of updates), A 8.9 (Configuration management). In the 2013 edition the vulnerability control was A.12.6.1. |
| NIST CSF 2.0 | Identify: ID.AM-01 and ID.AM-02 (hardware and software inventories), ID.AM-08 (assets managed through their life cycle), ID.RA-01 (vulnerabilities identified and recorded); Protect: PR.PS-02 (software is maintained, replaced and removed commensurate with risk); Govern: GV.RR-02 (roles, responsibilities and authorities established). |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →