Patch Management Procedure
Document Number: ISMS-PROC-BYOD-02
Version: 0.1.0
Parent Policy: BYOD Security Policy (ISMS-POL-BYOD-01)
Author: Lucas Shin — Security Director
Last Modified: February 18, 2026
1. Purpose
This procedure defines how OS and application vulnerabilities are identified, monitored, and remediated on BYOD devices. It combines automated enforcement (Intune + Conditional Access) with a compensating manual control (Updatest) to achieve continuous patch compliance.
2. Automated Patch Management Process
| Step | Process Details | Technical Control |
|---|---|---|
| 1. Inventory | Deploy business apps via VPP and define them as 'Managed Apps' | Apple VPP + Intune |
| 2. Visibility | Collect real-time information on device OS versions and managed app vulnerabilities | Intune Compliance Engine |
| 3. Setting Standards | Set the latest security patch (N-1) as the minimum compliance standard | Compliance Policy |
| 4. Automatic Enforcement | Block access to all internal assets via Conditional Access when standards are not met | Entra ID Conditional Access |
| 5. Patch Execution | Blocked users patch directly via system updates or Updatest | Updatest / OS Software Update |
| 6. Evidence Capture | Automatically records the transition history to 'Compliant' after patch completion | Intune Compliance Report |
3. Platform-Specific Patch Management
3.1 macOS (MacBook, Mac Mini)
- OS Updates: Intune monitors OS version against Compliance Policy (N-1 minimum). Non-compliant devices are blocked via CA.
- Managed Apps: VPP-deployed apps (Teams, Outlook, Edge) are auto-updated via Intune.
- Non-managed Apps: User maintains updates via Updatest app and submits weekly screenshot evidence.
- Enforcement: Access to all SaaS applications is blocked if OS/app updates are not current.
3.2 iOS / iPadOS
- OS Updates: Same as macOS — Intune monitors, CA blocks if non-compliant.
- Managed Apps: Auto-updated via VPP.
- Non-managed Apps: User is responsible; Updatest evidence required.
3.3 Android
- OS Updates: Intune monitors security patch level via Work Profile.
- Managed Apps: Deployed and updated within Work Profile via Managed Google Play.
- Non-managed Apps: Outside Work Profile — user responsibility; Updatest evidence required.
4. Compensating Control: Updatest
Updatest is a compensating control for applications outside Intune/VPP management scope (personal apps that could introduce vulnerabilities).
4.1 Limitations
- Updatest relies on user action — not automated enforcement
- Screenshots can theoretically be forged — low assurance level
- Accepted as compensating control for ISO 27001 (risk-based, not prescriptive) but not sufficient for ACSC E8 ML2
4.2 User Responsibility
- Run the Updatest app every Friday before end of work
- Perform Update All
- Take a screenshot showing all apps are up to date
- Upload the screenshot to the designated security channel (Teams)
5. Operational Routine
5.1 User Routine (Every Friday)
- Run Updatest → Update All
- Screenshot showing current status
- Upload to designated Teams security channel
5.2 Administrator Routine
| Frequency | Action | Owner |
|---|---|---|
| Daily | Monitor Intune dashboard for 'Non-compliant' devices | Lucas |
| Weekly | Verify all employees have submitted Updatest screenshots; follow up with those who haven't | Lucas |
| Quarterly | Export and archive Intune compliance reports to SharePoint | Lucas |
6. Escalation Procedure (Non-compliance)
| Timeline | Action | Mechanism |
|---|---|---|
| Day 0 | Automated email warning sent to user | Intune Compliance Policy (Actions for noncompliance) |
| Day 0 | Access to M365 and SaaS automatically blocked | Entra ID Conditional Access |
| Day 7 (unresolved) | Security Director escalates to CISO | Manual report via email or Teams |
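As an added illustration of the N-1 compliance standard from Section 2 and the escalation timeline above (example code, not part of this procedure and not Intune's own evaluation logic), the following evaluates constructed device records against constructed release data. It assumes that "N-1" means the latest release or the one immediately before it, and that for Android this is read as the previous monthly security patch level.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed reference data (assumption): the two most recent releases per
# platform, newest first. Android entries are monthly security patch levels.
LATEST_RELEASES = {
    "macOS": ["15.3.1", "15.3"],
    "iOS": ["18.3.1", "18.3"],
    "Android": ["2026-02-01", "2026-01-01"],
}

@dataclass
class Device:
    name: str
    platform: str
    os_version: str                       # OS version or Android patch level
    noncompliant_since: Optional[date] = None

def version_key(version: str):
    """Turn '15.3.1' into (15, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def is_compliant(device: Device) -> bool:
    """N-1 rule: the device must be at or above the second-newest release."""
    minimum = LATEST_RELEASES[device.platform][1]
    if device.platform == "Android":
        return device.os_version >= minimum   # ISO dates compare as strings
    return version_key(device.os_version) >= version_key(minimum)

def escalation_actions(device: Device, today: date) -> List[str]:
    """Map days of unresolved non-compliance to the Section 6 timeline."""
    if is_compliant(device):
        return []
    # Day 0: automated warning plus Conditional Access block happen together.
    actions = ["email warning to user", "block M365/SaaS via Conditional Access"]
    days_open = (today - device.noncompliant_since).days
    if days_open >= 7:                        # Day 7 unresolved
        actions.append("Security Director escalates to CISO")
    return actions

if __name__ == "__main__":
    fleet = [Device("mac-01", "macOS", "15.3"),
             Device("mac-02", "macOS", "15.2.1", date(2026, 2, 10)),
             Device("droid-01", "Android", "2025-12-01", date(2026, 2, 17))]
    for dev in fleet:
        print(dev.name, is_compliant(dev), escalation_actions(dev, date(2026, 2, 18)))
```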
7. Evidence Retention
| Evidence Type | Retention Period | Storage Location |
|---|---|---|
| Intune Compliance Reports | Minimum 12 months (exported quarterly) | SharePoint |
| Updatest Screenshots | Minimum 12 months | Teams security channel |
| Conditional Access Logs | Default 30 days in Entra ID; exported quarterly for long-term retention | SharePoint |
8. Periodic Review
- Quarterly: Review patch management process effectiveness, escalation outcomes, evidence completeness
- Annually: Formal management review as part of ISO 27001 ISMS cycle — assess whether controls remain adequate and identify improvement actions
[End of Procedure]