Glossary

Patch Management

Systematic process for testing and installing security updates and patches.

P

Patch management is the systematic process of identifying, acquiring, testing, and deploying software updates and security patches across an organisation's IT infrastructure. It addresses known vulnerabilities in operating systems, applications, firmware, and middleware that could be exploited by attackers if left unpatched, making it one of the most fundamental and cost-effective security controls available.

A mature patch management programme includes vulnerability scanning to identify missing patches, a risk-based prioritisation process for deployment, testing in staging environments before production rollout, and documented rollback procedures. Regulatory frameworks including NIS2, ISO 27001, and PCI DSS all require timely patching, with critical vulnerabilities typically expected to be remediated within days rather than weeks.