CM-13 Change Management

Patch Management

Security patches are applied timely and risk-prioritised.

Domain: Change Management
Control type: Preventive
Automated / manual: Hybrid
Frequency: Per cycle
Framework reference: MAS Cyber Hygiene; MAS TRM

What good looks like

Patches are assessed, prioritised, tested and applied within SLA; exceptions tracked.

Risk if it fails

Exploitation of known vulnerabilities.

How Tess tests it

4 tests — each concludes only on cited evidence.

Patch policy with severity-based SLAs

Design

Procedure: Inspect the policy.
Expected: SLAs defined by severity.
Sample: 1 (design inspection)
Evidence: Patch reports, vulnerability scans, exception register.

Critical patches applied within SLA

Operating

Procedure: Sample patches.
Expected: Applied within SLA.
Sample: 2–3
Evidence: Patch reports, vulnerability scans, exception register.

Patches tested before broad rollout

Operating

Procedure: Inspect testing evidence.
Expected: Tested prior to rollout.
Sample: 2–3
Evidence: Patch reports, vulnerability scans, exception register.

Deferred items tracked and risk-accepted

Operating

Procedure: Inspect the exception register.
Expected: Tracked and accepted.
Sample: 2–3
Evidence: Patch reports, vulnerability scans, exception register.

Evidence Tess looks for

Patch reports, vulnerability scans, exception register.

More in Change Management

CM-01 Change Management Policy CM-02 Change Request & Documentation CM-03 Change Authorisation CM-04 Testing / UAT Before Production

Want Tess to test CM-13 against your evidence?