Every day you delay patching a known security hole, you are leaving your front door unlocked for attackers. A manufacturing business in Pune lost ₹8 lakhs in 2023 when their accounting software went unpatched for 3 weeks: attackers got in, stole customer bank details, and customers stopped doing business with them. Auditors and regulators (for example when checking the DPDP Act's reasonable-security-safeguards obligation) will mark you down or fail you if you cannot show timely patch management. Your cyber insurer may refuse a claim if the breach exploited a patch that had been available for months.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You have no process for installing updates at all. When a vendor releases a patch, it either never gets installed or gets installed randomly whenever someone remembers, sometimes months later.
Initial
You install updates when your computers start crashing or when you notice something is very slow. There's no planned schedule, and critical security patches are mixed in with regular updates without priority.
Developing
You have a basic list of systems that need patching and you try to install updates monthly. You know which updates are security-related, but you don't have a formal process for emergency patches when a critical hole is announced.
Defined
You have a written patch management policy that says critical security patches must be installed within 2 weeks and emergency patches within 48 hours. You test patches on one computer first before rolling them out, and you track what's been patched in a simple spreadsheet.
Managed
You use automated tools to check for patches daily, test them in a separate environment, and deploy them on a fixed schedule for routine patches and within 1 week for critical ones. You keep a detailed log of every patch, its date, and what each one fixed.
Optimised
You have a fully automated patch management system owned by your IT security function. Patches are tested automatically, deployed in order of risk (internet-facing and business-critical systems first), and you have real-time visibility into patch status across all systems. Out-of-band emergency patches can be deployed within hours if needed.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | List all your critical systems (main server, accounting software, email, customer database, etc.) and designate one person to check Microsoft/software vendor websites once a month for security updates. Create a simple reminder in your calendar. | IT person or business owner | 1 day |
| 1 → 2 | Create a one-page patch management policy document stating that critical security updates will be installed within 2 weeks and normal updates within 1 month. Subscribe to vendor security mailing lists (Microsoft Security Update Guide, etc.) so you get notifications automatically instead of checking manually. | IT person with approval from owner | 3-4 days |
| 2 → 3 | Set up a test environment (even a spare laptop or virtual machine) where you install patches first before rolling out to live systems. Document your testing process and create a patch log spreadsheet or notebook with columns: Date, System, Patch Name, Critical/Non-Critical, Testing Result, Date Deployed, Who Deployed It. | IT person | 2-4 weeks |
| 3 → 4 | Deploy patch management software (Patch My PC, WSUS for Windows environments, or similar) that automatically scans for missing patches and helps schedule deployments. Integrate it with your patch log so deployment is tracked automatically instead of manually. | IT person with vendor support if needed | 1-2 months |
| 4 → 5 | Integrate patch management with your security incident response plan. Set up automated alerts when critical vulnerabilities are announced, establish an on-call process for emergency patches, and do quarterly testing of emergency patch deployment procedures. Share patch status reports with leadership monthly. | IT security lead or consultant | Ongoing quarterly reviews and maintenance |
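As an added example (not part of the NIRMATA page or any vendor tool), the following Python script reads a patch register laid out with the columns from step 2 → 3 and checks every row against the policy timelines from step 1 → 2 (critical within 14 days of release, routine within 30 days). It produces the answer to the auditor question "for each critical patch, when was it released and when was it deployed?", and flags patches that are overdue or were never deployed. The register contents, system names and patch names are constructed for illustration; the script assumes the Date column is the vendor release date, that dates are written as YYYY-MM-DD, and that an empty Date Deployed means the patch is still outstanding.

```python
"""
Patch register SLA checker (example code, not part of the NIRMATA toolkit).

Reads a patch log with the columns from step 2 -> 3:
  Date, System, Patch Name, Critical/Non-Critical, Testing Result,
  Date Deployed, Who Deployed It
and checks each row against the written policy timelines from step 1 -> 2.
Assumptions: "Date" is the vendor release date, dates are ISO (YYYY-MM-DD),
and an empty "Date Deployed" means the patch has not been installed yet.
"""
import csv
import io
from datetime import date, datetime

# Policy timelines in days, as written in the one-page policy (step 1 -> 2).
SLA_DAYS = {"Critical": 14, "Non-Critical": 30}

# Date on which the register is being reviewed (fixed so the example is repeatable).
REVIEW_DATE = date(2024, 4, 15)

# Constructed sample register: systems, patch names and dates are made up.
SAMPLE_LOG = """\
Date,System,Patch Name,Critical/Non-Critical,Testing Result,Date Deployed,Who Deployed It
2024-03-12,FILE-SRV-01,KB5000001,Critical,Pass,2024-03-15,Ravi
2024-03-12,ACCOUNTS-PC,KB5000001,Critical,Pass,2024-04-02,Ravi
2024-03-12,BRANCH-LAPTOP-3,KB5000001,Critical,,,
2024-02-13,FILE-SRV-01,KB5000002,Non-Critical,Pass,2024-03-01,Priya
2024-04-09,MAIL-SRV,KB5000003,Critical,Fail,,
"""


def _parse_date(text):
    """Return a date for 'YYYY-MM-DD', or None for an empty cell."""
    text = text.strip()
    return datetime.strptime(text, "%Y-%m-%d").date() if text else None


def check_register(csv_text, today):
    """Return one dict per register row with a status of:

    ok       deployed within the SLA window
    late     deployed, but after the SLA window (an auditor will ask why)
    overdue  not deployed and the SLA window has already passed
    pending  not deployed, but still inside the window
    """
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        released = _parse_date(row["Date"])
        deployed = _parse_date(row["Date Deployed"])
        severity = row["Critical/Non-Critical"].strip()
        if severity not in SLA_DAYS:
            # A row with a typo in the severity column would silently get the
            # wrong deadline, so refuse it instead of guessing.
            raise ValueError(f"unknown severity {severity!r} for {row['Patch Name']}")
        limit = SLA_DAYS[severity]
        if deployed is not None:
            days = (deployed - released).days
            status = "ok" if days <= limit else "late"
        else:
            days = (today - released).days
            status = "overdue" if days > limit else "pending"
        results.append({
            "system": row["System"],
            "patch": row["Patch Name"],
            "severity": severity,
            "days": days,
            "limit": limit,
            "status": status,
            "testing": row["Testing Result"].strip() or "not tested",
        })
    return results


def summarise(results):
    """Count rows per status: the numbers leadership and auditors ask for."""
    counts = {"ok": 0, "late": 0, "overdue": 0, "pending": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    rows = check_register(SAMPLE_LOG, REVIEW_DATE)
    for r in rows:
        print(f"{r['status']:8} {r['severity']:12} {r['system']:16} {r['patch']:10} "
              f"{r['days']:3}d of {r['limit']}d  testing: {r['testing']}")
    print(summarise(rows))
```

Run against the sample register, the script shows two rows inside policy, one critical patch deployed late (21 days), one forgotten branch laptop that is overdue, and one pending patch whose test failed and therefore needs a decision (fix the test, or find a workaround) before the 14-day window closes. Replace SAMPLE_LOG with the export of your own spreadsheet to get the same report for real data.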
Documents and records that prove your maturity level.
- Written patch management policy document with timelines for critical vs. routine patches
- Patch log or register showing date each patch was released, date tested, date deployed to each system, and who did the work
- Evidence of patch testing (notes on test system results before deploying to production)
- Subscription confirmations or email proof that you receive vendor security update notifications
- Screenshot or report from patch management tool showing current patch status across all systems
Prepare for these questions from customers or third-party reviewers.
- "Show me your documented patch management policy. What's the maximum time you allow before installing a critical security patch?"
- "Walk me through your patch log for the last 6 months. For each critical patch, when was it released, when did you test it, and when did you deploy it?"
- "Take me to your test environment. How do you ensure patches work before deploying them to systems your business depends on?"
- "If Microsoft released a critical security update today, what would happen in your organization? Who would be notified and by when would it be installed?"
- "How do you stay informed about new security patches? Show me proof you receive notifications from your software vendors."
| Purpose | Free Option | Paid Option |
|---|---|---|
| Automatically scan for missing Windows patches and deploy them on schedule | Windows Server Update Services (WSUS) - a free Windows Server role, requires setup; deprecated by Microsoft since 2024 but still supported; Patch My PC Community Edition - free but limited to 10 computers | Patch My PC Professional: ₹15,000-25,000/year; Intune (Microsoft 365): ₹3,000-5,000 per device/year |
| Get instant notifications when new security vulnerabilities are announced by vendors | Microsoft Security Update Guide (website with email notifications); CERT-In advisories and vulnerability notes (cert-in.org.in); CISA Known Exploited Vulnerabilities catalogue (lists holes that are being exploited right now); Ubuntu Security Notices (for Linux); vendor mailing lists | Commercial vulnerability-intelligence feeds: ₹50,000-100,000/year |
| Track and log all patches applied with dates, status, and results | Google Sheets template or LibreOffice Calc; notepad-based log | Jira or Monday.com: ₹5,000-20,000/year; enterprise tools like ServiceNow: ₹500,000+/year |
- Thinking 'we'll patch it next month'. Attackers compare the patched and unpatched versions, build an exploit, and start scanning for unpatched systems within days of a patch being released. Critical patches, and especially ones already listed as exploited, should be installed within days, not weeks.
- Installing patches during business hours without warning, causing system downtime and angry customers. Plan patches for after-hours or weekends and always notify users in advance.
- Patching only the main server and forgetting about older computers, printers, or branch office systems. A forgotten laptop on your network is just as much a security risk as the main server.
- Not testing patches before deploying them. A bad patch can crash your system or break your accounting or line-of-business software. Always test on one non-critical machine first, and take a backup or snapshot of the target system so you can roll back.
- Believing that you need expensive enterprise tools to manage patches. Many Indian MSMEs start with free tools (WSUS, spreadsheets) and grow into paid solutions as they scale.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) - a Data Fiduciary must protect personal data with reasonable security safeguards to prevent a personal data breach; Section 8(6) - breaches must be notified to the Data Protection Board and to each affected Data Principal |
| CERT-In Guidelines | Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act) - cyber incidents must be reported to CERT-In within 6 hours and logs retained for 180 days; CERT-In advisories and vulnerability notes are the Indian source for which patches must be applied promptly |
| ISO 27001:2022 | Annex A 8.8 (Management of technical vulnerabilities), A 8.19 (Installation of software on operational systems), A 8.32 (Change management), Clause 6.1.2 (Information security risk assessment) - patching is the standard treatment for identified technical vulnerabilities |
| NIST CSF 2.0 | Govern (GV.RM Risk Management Strategy), Identify (ID.AM Asset Management; ID.RA-01 vulnerabilities in assets are identified, validated and recorded), Protect (PR.PS Platform Security; PR.PS-02 software is maintained, replaced and removed commensurate with risk) - covers vulnerability and patch management |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.