ISMS/01-policies/vulnerability-and-patch-management-policy.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00


  • Title: Vulnerability and Patch Management Policy
  • Document ID: [POL-VULN-001]
  • Version: 0.1 Draft
  • Status: Draft
  • Owner: CISO (Paul Jenkins)
  • Approver: CEO (Paul Hague)
  • Classification: Internal
  • Effective date: [DD Month YYYY]
  • Review date: [DD Month YYYY]

Vulnerability and Patch Management Policy

Purpose

This policy defines BlackDice's expectations for identifying, assessing, prioritising, remediating, and tracking vulnerabilities and missing security patches in in-scope systems.

Scope

This policy applies to applications, cloud infrastructure, containers, Kubernetes components, endpoints, dependencies, and third-party software within the ISMS scope.

Objectives

  • reduce exposure to known vulnerabilities
  • apply patches and remediation actions within risk-based timeframes
  • maintain visibility of unresolved security weaknesses

Principles / Policy Statements

BlackDice must maintain processes to identify vulnerabilities affecting in-scope systems and services.

Vulnerabilities and missing security patches must be assessed according to business context, exploitability, exposure, and potential impact.

Production-facing cloud workloads, externally exposed services, CI/CD components, and identity systems should be prioritised for remediation.

Where immediate remediation is not possible, a compensating control, a formal risk acceptance, or a time-bound exception must be selected and recorded.

Remediation activity must be tracked to closure and supported by appropriate evidence.

Roles and Responsibilities

  • [Role] must oversee vulnerability management requirements.
  • System and service owners must remediate issues affecting their assets.
  • Management must support prioritisation where remediation requires planned change or resource allocation.

Compliance / Exceptions

Deferred remediation must be justified, recorded, approved where required, and reviewed until closure.

Monitoring and Review

Compliance with this policy should be monitored through vulnerability reporting, patch timeliness, exception tracking, security incidents, and audit findings.

Related Documents

  • Information Security Policy
  • Vulnerability Management Procedure
  • Patch Management Procedure
  • Secure Configuration Standard

Version Control

| Version   | Date             | Description of Change | Author         |
|-----------|------------------|-----------------------|----------------|
| 0.1 Draft | [DD Month YYYY]  | Initial draft.        | [Name or Role] |