Patch compliance dashboards are the most dangerous metric in cybersecurity. A 98% patch rate creates board-level confidence while leaving the most critical gaps untouched. Misconfigurations, default credentials, excessive permissions, and zero-day exposures carry no vendor patch. They never appear on the patching dashboard. They account for the majority of breach vectors [Verizon 2024 DBIR].
Patch management addresses one category of weakness: vendor-released software updates. Vulnerability management addresses the full attack surface, including the gaps no patch exists to close. SOC 2 CC7.1 requires continuous monitoring of both categories [AICPA TSC CC7.1]. Organizations presenting only patch deployment logs receive findings for incomplete vulnerability identification.
The distinction is operational, not semantic. Patching is a deployment workflow. Vulnerability management is a risk reduction lifecycle encompassing identification, prioritization, remediation (patching included), and verification. Auditors verify evidence from both programs independently.
Vulnerability management is the continuous process of identifying, assessing, prioritizing, and remediating all security weaknesses across infrastructure, including misconfigurations, weak authentication, and zero-day exposures. Patch management is a subset focused on deploying vendor-released software updates. Both programs are required separately under SOC 2 CC7.1/CC7.3, HIPAA 164.308(a)(5)/(a)(8), and PCI DSS v4.0.1 Req. 6.3.1/6.3.3 [AICPA TSC CC7.1, CC7.3].
Vulnerability Management: The Full Attack Surface
Vulnerability management covers every weakness in your environment, not only those with vendor patches. The 2024 Verizon DBIR found that 68% of breaches involved a non-malicious human element (phishing, misuse, or error), and many of these weaknesses carry no vendor patch [Verizon 2024 DBIR]. The process includes software vulnerabilities, infrastructure misconfigurations, weak credentials, excessive permissions, and architectural flaws. Auditors verify the cycle runs without gaps.
The Five-Phase Lifecycle
Every vulnerability management program follows five phases. Auditors verify evidence from each phase during the observation period.
| Phase | Action | Audit Evidence |
|---|---|---|
| 1. Identification | Scan systems weekly (external) and monthly (internal) | Scan reports with timestamps [AICPA TSC CC7.1] |
| 2. Assessment | Score severity using CVSS and EPSS | Risk analysis documentation [HIPAA 164.308(a)(1)(ii)(A)] |
| 3. Prioritization | Rank by exploit availability and asset criticality | Risk-based decision framework [PCI DSS v4.0.1 Req. 6.3.1] |
| 4. Remediation | Patch, reconfigure, or apply compensating controls | Remediation tickets with SLA timelines |
| 5. Verification | Re-scan to confirm the fix closed the vulnerability | Closed-loop audit trail [AICPA TSC CC7.3] |
The 2024 Verizon Data Breach Investigations Report found 14% of breaches involved vulnerability exploitation as the initial access vector [Verizon 2024 DBIR]. The five-phase cycle catches weaknesses a patch-only approach misses entirely.
What Patch Management Does Not Cover
Vulnerability management handles three categories outside the scope of patching. First: misconfigurations. An S3 bucket with public read access, a firewall rule allowing inbound SSH from 0.0.0.0/0, or TLS 1.0 still enabled on a production endpoint. No vendor releases a patch for these. Second: weak credentials. Default admin passwords, shared service accounts, and API keys stored in plaintext configuration files. Third: zero-day vulnerabilities where no patch exists and compensating controls (network segmentation, WAF rules, feature disabling) are the only available response.
The audit fix. Implement a vulnerability scanner (Nessus, Qualys, or Rapid7) with authenticated scanning enabled. Schedule external-facing scans weekly and internal infrastructure scans monthly. Configure the scanner to flag misconfigurations and weak credentials alongside software vulnerabilities. Store every scan report in a dedicated compliance folder with date-stamped filenames. This creates the continuous monitoring evidence trail SOC 2 CC7.1 requires [AICPA TSC CC7.1].
Patch Management: Vendor Updates Only
Patch management is the operational process of identifying, testing, and deploying vendor-released software updates. Microsoft alone releases approximately 1,000 security patches per year. BleepingComputer’s Patch Tuesday roundup for 2024 tracked roughly 1,009, averaging 84 per month. Patches address known bugs, security vulnerabilities, and performance issues in operating systems and applications. The scope is narrower: patch management waits for vendors to release fixes, then deploys them within defined SLAs.
NIST Patching Timelines
NIST SP 800-40 Rev. 4 (“Guide to Enterprise Patch Management Planning,” April 2022) provides risk-based patching planning principles that organizations use to build SLAs [NIST SP 800-40 Rev. 4]. Common practice, informed by those principles and CISA BOD 22-01 federal benchmarks, sets critical patches at 48 hours for internet-facing systems and 30 days for internal systems. These figures represent industry-standard SLA targets, not literal NIST-prescribed timelines. These timelines apply to vendor-released patches only. Vulnerabilities without patches fall outside the scope of patch management entirely.
Where Patch Management Stops
Patch management processes respond to vendor bulletins. When Microsoft releases a Patch Tuesday update, patch management tests and deploys it. When a zero-day hits a production system before the vendor releases a fix, patch management has nothing to deploy. The team waits. Vulnerability management fills the gap by implementing compensating controls: disabling the affected feature, restricting network access to the vulnerable system, or deploying WAF rules to block known exploit patterns.
The audit fix. Document your patch management SLAs in your Information Security Policy. Define three tiers: Critical (CVSS 9.0-10.0) remediated within 48 hours for internet-facing systems, High (CVSS 7.0-8.9) remediated within 7 days, and Medium (CVSS 4.0-6.9) remediated within 30 days. Track deployment success rates monthly. Export patch compliance reports showing percentage of systems meeting SLA targets. Auditors request these reports as standalone evidence separate from vulnerability scans. PCI DSS v4.0.1 Req. 6.3.3 requires critical patches installed within one month for in-scope systems [PCI DSS v4.0.1 Req. 6.3.3].
The Audit Comparison: Side by Side
Auditors evaluate vulnerability management vs patch management as separate programs with separate evidence requirements. Presenting patch logs when asked for vulnerability scan reports creates a finding. The two programs differ across every audit dimension: ownership, tooling, evidence format, and success metrics.
| Factor | Vulnerability Management | Patch Management |
|---|---|---|
| Scope | All weaknesses: software, config, architecture, credentials | Vendor-released software updates only |
| Trigger | Continuous scanning on schedule | Vendor patch release |
| Output | Risk reports, remediation plans, trending metrics | Deployment logs, compliance rates |
| Zero-Day Response | Compensating controls until patch available | Waits for vendor fix |
| Audit Evidence | Scan reports, risk assessments, closed tickets | Patch deployment reports, SLA compliance |
Patch management is a subset of vulnerability management, not a replacement. Every patch deployment addresses a vulnerability, but most vulnerabilities require remediation beyond patching.
The audit fix. Create separate folders in your compliance evidence repository: one labeled “Vulnerability Management” containing scan reports, risk assessments, and remediation tickets, and one labeled “Patch Management” containing deployment logs and SLA compliance reports. When your auditor requests CC7.1 evidence, provide both folders. Separate evidence demonstrates you operate two distinct programs rather than one relabeled process.
Why Does Patching Alone Fail SOC 2 and HIPAA Audits?
Organizations running patch management without a vulnerability management program fail two specific audit checkpoints. Both failures produce findings appearing in the final SOC 2 report or HHS corrective action plan.
Failure 1: Missing Vulnerability Scanning Evidence
The organization patches monthly using WSUS or SCCM. Auditors request quarterly vulnerability scan reports. The organization has none. SOC 2 CC7.1 requires documented evidence of continuous monitoring for security vulnerabilities [AICPA TSC CC7.1]. HIPAA 164.308(a)(8) requires periodic technical evaluation of security controls [HIPAA 164.308(a)(8)]. Patch deployment logs do not satisfy either requirement.
Failure 2: No Risk-Based Prioritization
Patch management deploys every update vendors release, treating a cosmetic UI fix with the same urgency as a remotely exploitable authentication bypass. Auditors verify risk-based decision-making: documented criteria for why certain vulnerabilities receive immediate attention while others follow standard timelines. PCI DSS v4.0.1 Req. 6.3.1 requires a process to identify and rank newly discovered security vulnerabilities based on risk [PCI DSS v4.0.1 Req. 6.3.1]. Deploying all patches equally demonstrates process, not judgment.
The Zero-Day Gap
Auditors test for this scenario specifically: “Show me your procedure for vulnerabilities without available patches.” Organizations relying solely on patch management have no documented response. Vulnerability management addresses the gap through compensating controls: network segmentation isolating the vulnerable system, WAF rules blocking known exploit patterns, or feature disabling until the vendor releases a fix. Implement the compensating control under NIST SP 800-53 Rev. 5 SI-2 (Flaw Remediation) and document the plan for permanent remediation as a POA&M item [NIST SP 800-53 Rev. 5 SI-2; CA-5]. Documenting these compensating controls and the risk acceptance decision creates the evidence auditors need.
The audit fix. Add a “Zero-Day Response Procedure” section to your Information Security Policy. Define three steps: (1) the vulnerability management team assesses the vulnerability using CVSS base score and EPSS exploitation probability, (2) the team implements compensating controls documented in a risk treatment ticket, and (3) the team monitors for vendor patch release and transitions from compensating controls to permanent remediation within 48 hours of patch availability. This procedure closes the audit gap for vulnerabilities without patches.
Framework Requirements: Both Programs Required Separately
All four major compliance frameworks (SOC 2, HIPAA, PCI DSS 4.0, and ISO 27001) distinguish between vulnerability identification and software update deployment with separate control numbers. Operating one program without the other creates audit findings. Each framework assigns separate control numbers to vulnerability identification and software update deployment.
| Framework | Vulnerability Management | Patch Management |
|---|---|---|
| SOC 2 | CC7.1: Monitoring for vulnerabilities [AICPA TSC CC7.1] | CC7.3: Change and update procedures [AICPA TSC CC7.3] |
| HIPAA | 164.308(a)(8): Periodic evaluation [HIPAA 164.308(a)(8)] | 164.308(a)(5)(ii)(B): Protection from malicious software [HIPAA 164.308(a)(5)(ii)(B)] |
| PCI DSS 4.0 | Req. 6.3.1: Identify and rank vulnerabilities [PCI DSS v4.0.1 Req. 6.3.1] | Req. 6.3.3: Deploy critical security patches within one month [PCI DSS v4.0.1 Req. 6.3.3] |
| ISO 27001 | A.8.8: Technical vulnerability management [ISO 27001:2022 A.8.8] | A.8.19: Software installation control [ISO 27001:2022 A.8.19] |
The audit fix. Map your vulnerability management program to CC7.1 (SOC 2) or 164.308(a)(8) (HIPAA) in your control matrix. Map your patch management program to CC7.3 (SOC 2) or 164.308(a)(5)(ii)(B) (HIPAA) as a separate line item. When your auditor reviews the control matrix, two distinct rows with separate evidence folders demonstrate operational separation. A single row labeled “Vulnerability and Patch Management” invites questions about whether you treat these as one program.
Patch management fixes what vendors tell you to fix. Vulnerability management finds everything else. Organizations running only patch management operate with partial visibility into their attack surface. Build the scanning program first. Let scan results drive the patching priority. Auditors verify both programs independently: separate evidence folders, separate SLAs, separate control mappings. One program without the other creates a finding every time.
Frequently Asked Questions
What is the difference between vulnerability management and patch management?
Vulnerability management is the continuous process of identifying, assessing, prioritizing, and remediating all security weaknesses, including misconfigurations, weak credentials, and zero-day exposures. Patch management is a subset focused on deploying vendor-released software updates. Vulnerability management covers the full attack surface; patch management addresses only known software flaws with available fixes [AICPA TSC CC7.1, CC7.3].
Do I need both programs if I deploy patches regularly?
Regular patch deployment addresses only vendor-released software fixes. Misconfigurations, default credentials, excessive permissions, and architectural flaws require vulnerability scanning to detect and separate remediation processes to resolve. SOC 2 CC7.1 requires documented vulnerability identification separate from patching procedures [AICPA TSC CC7.1]. Operating one program without the other produces audit findings.
How do auditors verify the difference between these programs?
Auditors request separate evidence packages. For vulnerability management, they ask for scan reports from tools like Nessus or Qualys, risk assessments, and remediation tickets with closure dates. For patch management, they ask for deployment logs, SLA compliance rates, and exception documentation. Missing either evidence set creates a finding in the final report.
What happens when no patch exists for a critical vulnerability?
Vulnerability management handles zero-day exposures through compensating controls: network segmentation isolating the vulnerable system, WAF rules blocking known exploit patterns, or disabling the affected feature until the vendor releases a fix. Patch management has no response for this scenario. Implement the compensating control per NIST SP 800-53 Rev. 5 SI-2 (Flaw Remediation) and document the permanent remediation plan as a POA&M item (CA-5). Auditors specifically test for a documented zero-day response procedure [NIST SP 800-53 Rev. 5 SI-2; CA-5].
What remediation SLAs should I document?
Define three tiers: Critical (9.0-10.0) remediated within 48 hours for internet-facing systems, High (7.0-8.9) remediated within 7 days, and Medium (4.0-6.9) remediated within 30 days. Document these thresholds in your Information Security Policy. Track SLA compliance monthly and report exceptions to management. PCI DSS v4.0.1 Req. 6.3.1 requires a documented risk-ranking process for newly discovered vulnerabilities; Req. 6.3.3 requires critical patches installed within one month for in-scope systems [PCI DSS v4.0.1 Req. 6.3.1; Req. 6.3.3].
Which vulnerability scanner should I use?
Nessus (Tenable), Qualys VMDR, and Rapid7 InsightVM are the three enterprise scanners that dominate audit evidence, and all three produce reports auditors universally accept. The differentiator is authenticated scanning: configure the scanner with service account credentials to detect misconfigurations and weak permissions beyond surface-level port scanning. Industry studies report the credentialed-scan detection delta ranges from 30-80% depending on environment; configure authenticated scans and the difference becomes visible in your first run.
Subscribe to The Authority Brief for next week’s analysis.
