
Enable Automatic Patching

Updated: 2026-02-25

Plain English Translation

Organizations must configure their software, operating systems, and hardware devices to install security updates automatically whenever possible. If automatic updates cannot be used because they might disrupt critical business operations or the hardware does not support them, the organization must document this exception. For any excepted systems, a formal, regular manual patching process must be established and followed to ensure vulnerabilities are addressed promptly.

Executive Takeaway

Enabling automatic patching minimizes the window of opportunity for cyber attackers and reduces the administrative burden on IT staff by ensuring systems stay current without manual intervention.

Impact: High
Complexity: Low

Why This Matters

  • Closes security vulnerabilities rapidly, defending against zero-day and newly published exploits.
  • Reduces manual IT overhead, freeing up resources for more strategic technical initiatives.
  • Provides a foundational layer of defense required by cyber insurance providers and compliance frameworks like CyberSecure Canada.

What “Good” Looks Like

  • Standard user endpoints like laptops and mobile devices have automatic updates enforced through mobile device management (MDM) tools.
  • A formal patch management policy template dictates which systems are auto-patched and which follow a strict maintenance window policy; tools like WatchDog Security's Policy Management can help maintain version control, approvals, and acceptance tracking for that policy.
  • Exceptions to automatic patching are formally documented, and manual patching processes are closely tracked and audited; tools like WatchDog Security's Risk Register and Asset Inventory can record exception scope, owners, and review dates, while WatchDog Security's Compliance Center can keep supporting evidence organized for audits.

Automatic patching is the process of configuring systems to automatically download and apply security updates without human intervention. It is required for CyberSecure Canada compliance because it ensures known vulnerabilities are mitigated quickly, significantly reducing the risk of a successful cyberattack.

Organizations can enable automatic updates on Windows and macOS through the native operating system settings or through Group Policy. For a business environment, it is best to use centralized endpoint management or dedicated patch management tools to enforce updates across operating systems and third-party applications at the same time.

CyberSecure Canada requires the automatic patching scope to include all software and hardware where possible. This encompasses servers, employee laptops and desktops, tablets, mobile phones, and all network equipment products such as routers and firewalls.

It is acceptable to use manual patching when software or hardware is inherently incapable of automatic updates. It is also permissible when an organization performs a risk analysis and determines that automatic patching could cause unacceptable disruption to critical business functions, requiring a controlled patching schedule.

Organizations must document exceptions to automatic patching in an exception log or risk register, clearly stating the business justification for the decision. This documentation must be accompanied by manual patching process documentation that details how these excepted systems will be kept secure. Tools like WatchDog Security's Risk Register can link each exception to an approved risk treatment plan, while WatchDog Security's Compliance Center can store the exception log and patching SOP as audit-ready evidence.
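The two paragraphs above describe a configuration state (automatic updates on) and a record (the exception log) that must agree with each other. The following Python script is an added example, not code from the wiki or from WatchDog Security: it reconciles a constructed host inventory against a constructed exception log and reports, per host, whether it is compliant, covered by a valid exception, or non-compliant. The Windows policy values (NoAutoUpdate and AUOptions under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU) and the macOS keys in /Library/Preferences/com.apple.SoftwareUpdate are real, documented settings; how they were collected (for example with reg query or defaults read) is assumed to have happened beforehand, and every hostname, approver, date and SOP reference is made up.

```python
from dataclasses import dataclass
from datetime import date

# Windows Update policy values (HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU):
# NoAutoUpdate = 1 turns automatic updates off; AUOptions = 4 means auto download and
# schedule the install, the only option that needs no user action to install.
WINDOWS_UNATTENDED_AUOPTIONS = {4}

# macOS keys in /Library/Preferences/com.apple.SoftwareUpdate that must all be true for
# updates to be checked for, downloaded and installed without user action.
MACOS_REQUIRED_TRUE = (
    "AutomaticCheckEnabled",
    "AutomaticDownload",
    "AutomaticallyInstallMacOSUpdates",
)


@dataclass
class Host:
    name: str
    platform: str   # "windows" or "macos"
    settings: dict  # snapshot of the values above as collected from the host


@dataclass
class PatchException:
    host: str
    justification: str
    approved_by: str
    review_date: date   # the exception must be re-approved by this date
    manual_sop: str     # reference to the manual patching procedure


def auto_patching_enabled(host):
    """Interpret the collected settings; True only when installs need no user action."""
    s = host.settings
    if host.platform == "windows":
        if s.get("NoAutoUpdate", 0) == 1:
            return False
        return s.get("AUOptions") in WINDOWS_UNATTENDED_AUOPTIONS
    if host.platform == "macos":
        return all(s.get(key) is True for key in MACOS_REQUIRED_TRUE)
    raise ValueError(f"unsupported platform: {host.platform!r}")


def classify(host, exceptions, today):
    """Return 'compliant', 'excepted', or a 'noncompliant: ...' finding."""
    if auto_patching_enabled(host):
        return "compliant"
    exc = exceptions.get(host.name)
    if exc is None:
        return "noncompliant: automatic updates off with no documented exception"
    if not exc.manual_sop:
        return "noncompliant: exception has no manual patching process"
    if exc.review_date < today:
        return "noncompliant: exception is past its review date"
    return "excepted"


# Constructed inventory and exception log (hostnames, approvers, dates and SOP ids are made up).
HOSTS = [
    Host("lt-sales-03", "windows", {"AUOptions": 4}),
    Host("srv-erp-01", "windows", {"NoAutoUpdate": 1}),
    Host("srv-legacy-02", "windows", {"NoAutoUpdate": 1}),
    Host("mb-design-11", "macos", {"AutomaticCheckEnabled": True,
                                   "AutomaticDownload": False,
                                   "AutomaticallyInstallMacOSUpdates": False}),
    Host("mb-exec-01", "macos", {"AutomaticCheckEnabled": True,
                                 "AutomaticDownload": True,
                                 "AutomaticallyInstallMacOSUpdates": True}),
]
EXCEPTIONS = {
    "srv-erp-01": PatchException(
        "srv-erp-01", "ERP vendor certifies each update; unplanned restarts halt order processing",
        "IT Manager", date(2026, 6, 30), "SOP-PATCH-MANUAL-01"),
    "srv-legacy-02": PatchException(
        "srv-legacy-02", "Legacy application not certified for current updates",
        "IT Manager", date(2025, 12, 31), "SOP-PATCH-MANUAL-01"),
}


def audit(hosts=HOSTS, exceptions=EXCEPTIONS, today=date(2026, 2, 25)):
    """Map every host to its classification for the given audit date."""
    return {h.name: classify(h, exceptions, today) for h in hosts}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:15} {result}")
```

The check deliberately treats an exception as valid only while its review date is in the future and a manual process is referenced, so an exception that was approved once and never revisited surfaces as a finding rather than silently keeping a host out of scope.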

A robust patch management policy template should mandate automatic patching by default, outline the process to document exceptions to automatic patching, and define a clear patching schedule and maintenance window policy for managing required manual updates safely. Tools like WatchDog Security's Policy Management can help maintain the policy with version control and acceptance tracking, and WatchDog Security's Compliance Center can map it to CyberSecure Canada 5.2.2.2 and flag missing evidence.

If automatic updates are disabled, organizations must execute a business process to ensure regular manual updates. Industry best practice typically demands that manual patching for critical security vulnerabilities occurs within 14 days of the patch release.

To prove patch compliance for audits, organizations should provide configuration screenshots demonstrating that auto-updates are enabled, compliance reports from centralized management platforms, and deployment logs or change management tickets proving that manual patching occurs regularly. Tools like WatchDog Security's Compliance Center can centralize these reports and screenshots with control mappings, and WatchDog Security's Vulnerability Management can track remediation timelines (e.g., MTTR) to show patches are applied promptly.

Common patching risks include updates causing software incompatibility or system downtime. Organizations can handle this by implementing a vulnerability and patch management procedure that requires deploying updates to a small test group first, maintaining backups, and creating a clear rollback plan in case of failure.

Software and hardware that have reached end-of-life no longer receive security patches from the vendor, making automatic and manual patching impossible. Organizations must perform a risk assessment to determine whether to replace these legacy systems or isolate them completely from the network.

Exception handling is part of the control: you need a consistent record of which assets are excluded from auto-updates, why, who approved it, and how manual updates are performed and verified. Tools like WatchDog Security's Risk Register can link each exception to an approved risk treatment plan, and WatchDog Security's Compliance Center can store the exception log and manual patching SOP as mapped, audit-ready evidence.

Patching performance is easiest to demonstrate when you can tie vulnerabilities and updates to specific assets and show how quickly remediation occurs. Tools like WatchDog Security's Vulnerability Management can track remediation workflows and MTTR analytics, while WatchDog Security's Asset Inventory helps ensure endpoints, servers, and network devices are in scope and consistently reported.
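The 14-day expectation, the deployment-log evidence and the MTTR figure discussed above all come down to one calculation per patch record: days from release to installation, or days elapsed if it is still open. The script below is an added example (not the wiki's or WatchDog Security's code) that derives those figures from a constructed CSV export; the asset names and patch ids are placeholders, and a real export would come from the organization's patch or vulnerability management platform with whatever column names it uses.

```python
import csv
import io
from datetime import date
from statistics import mean

SLA_DAYS = 14  # the 14-day window cited for critical security patches

# Constructed sample export (asset names and patch ids are placeholders, not real ones).
# An empty "installed" column means the patch is still outstanding.
SAMPLE_EXPORT = """asset,patch_id,severity,released,installed
srv-db-01,PATCH-A,critical,2026-01-05,2026-01-09
srv-db-01,PATCH-B,critical,2026-01-20,2026-02-10
lt-finance-07,PATCH-A,critical,2026-01-05,2026-01-06
lt-finance-07,PATCH-B,critical,2026-01-20,
fw-edge-01,PATCH-C,high,2026-02-01,2026-02-12
"""


def parse_export(text):
    """Parse the CSV export into rows with date objects; 'installed' is None when open."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": row["asset"],
            "patch_id": row["patch_id"],
            "severity": row["severity"],
            "released": date.fromisoformat(row["released"]),
            "installed": date.fromisoformat(row["installed"]) if row["installed"] else None,
        })
    return rows


def patch_metrics(rows, today, sla_days=SLA_DAYS):
    """Compute MTTR over closed records, the share of all records closed within the SLA,
    closed records that breached it, and open records already older than the SLA."""
    closed_days = []
    breaches = []
    overdue_open = []
    within_sla = 0
    for r in rows:
        if r["installed"] is None:
            elapsed = (today - r["released"]).days
            if elapsed > sla_days:
                overdue_open.append((r["asset"], r["patch_id"], elapsed))
            continue
        days = (r["installed"] - r["released"]).days
        closed_days.append(days)
        if days > sla_days:
            breaches.append((r["asset"], r["patch_id"], days))
        else:
            within_sla += 1
    return {
        "mttr_days": mean(closed_days) if closed_days else None,
        "sla_rate_pct": round(100.0 * within_sla / len(rows), 1) if rows else None,
        "breaches": breaches,
        "overdue_open": overdue_open,
    }


def sample_report(today=date(2026, 2, 25)):
    """Run the metrics over the constructed export as of the given audit date."""
    return patch_metrics(parse_export(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    m = sample_report()
    print(f"MTTR: {m['mttr_days']:.1f} days; within {SLA_DAYS}-day SLA: {m['sla_rate_pct']}%")
    for asset, pid, days in m["breaches"]:
        print(f"SLA breach: {asset} {pid} took {days} days")
    for asset, pid, days in m["overdue_open"]:
        print(f"Still open: {asset} {pid} released {days} days ago")
```

Open records count against the SLA rate but not against MTTR, which is why both numbers are reported: an MTTR computed only over closed patches looks good even when several patches were never applied at all.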

CYBERSECURE-CANADA Section 5.2.2.2

"The organization shall enable automatic patching for all software and hardware or document all instances where they make the business decision not to do so. NOTE 1: This includes all servers, laptops, desktops, tablets, mobile phones and network equipment products. NOTE 2: The organization should have a business process to ensure regular manual updates for software and hardware that are not capable of automatic updates."

Version  Date        Author                       Description
1.0.0    2026-02-25  WatchDog Security GRC Team   Initial publication