
Document Classification: Internal

Version: 1.0

Kashmir Power Distribution Corporation Limited


Standard Operating Procedure – Patch Management
Version: 1.0
Document No.: KPDCL/ISMS/SOP-
Initial effective date:
New effective date (post review):

Copyright:
This document is the exclusive property of KPDCL, and its contents must not be communicated
to unauthorized persons or persons outside the company without written consent from the CISO.

0: Document Control

0.1: Version History:

Sr. No | Date | Version | Description of change | Owner | Approved by
-------+------+---------+-----------------------+-------+------------
1      |      | V1.0    | Initial Release       | KPDCL | CISO

0.2: Authorization:

Prepared by                                  | Reviewed By | Approved By (Apex Committee)
---------------------------------------------+-------------+-----------------------------
Empanelled Consultants:                      | IT Manager  |
Essential Infosec Pvt. Ltd.                  |             |

0.3: Distribution List:

Sr. No | Department or Function | Name | Distribution Medium
-------+------------------------+------+--------------------
1      | IT                     |      | Email


1. Purpose

The purpose of this SOP is to establish a systematic approach to managing patches for
software, firmware, and hardware within KPDCL's information systems, ensuring the timely
application of patches to mitigate security vulnerabilities and comply with the requirements
of ISO/IEC 27001:2022.

2. Scope

This SOP applies to all information systems, including hardware, software, and firmware,
owned or operated by KPDCL, and to all employees, contractors, and third-party service
providers responsible for managing and maintaining these systems.

3. Responsibilities

• Patch Management Team: Responsible for overseeing the patch management process,
including identification, assessment, testing, deployment, and verification of patches.
• Information Security Officer (ISO): Oversees the overall compliance of patch management
procedures with ISO/IEC 27001:2022.
• System Administrators: Responsible for implementing patches on information systems and
ensuring those systems remain up to date.
• Vendors and Suppliers: Responsible for providing patches for their products in a timely
manner and communicating patch-related information to KPDCL.

4. Patch Management Process

4.1 Patch Identification

• The Patch Management Team monitors various sources, including vendor notifications,
security advisories, and vulnerability databases, to identify available patches.
• Identified patches are assessed for relevance and potential impact on KPDCL's information
systems.

4.2 Patch Assessment

• The Patch Management Team conducts a risk assessment to evaluate the severity and
potential impact of the vulnerabilities addressed by each patch.
• The team assesses the compatibility of patches with KPDCL's existing systems and
infrastructure.

4.3 Patch Testing

• Prior to deployment, patches are tested in a controlled environment to ensure compatibility,
functionality, and stability.
• Testing procedures include verifying that the patches do not introduce new vulnerabilities or
adversely affect system performance.


4.4 Patch Deployment

• Approved patches are deployed according to a predefined schedule or urgency level,
considering factors such as the severity of the vulnerabilities and the criticality of the
affected systems.
• Patch deployment may be scheduled during maintenance windows to minimize disruption to
operations.

4.5 Patch Verification

• After deployment, the Patch Management Team verifies that patches have been successfully
applied and that systems remain operational.
• Verification may include conducting post-deployment testing and monitoring for any
anomalies or issues.

4.6 Patch Documentation and Reporting

• All patch-related activities, including identification, assessment, testing, deployment, and
verification, are documented and maintained as records.
• Patch management reports are generated regularly to provide insight into patching
activities, including compliance status and the effectiveness of the patch management process.

5. Patch Rollback

• In the event of patch-related issues or failures, established rollback procedures are used to
restore affected systems to a stable state.
• Rollback procedures include identifying and removing problematic patches, restoring system
backups if necessary, and implementing corrective actions.

6. Training and Awareness

• Regular training sessions and awareness programs are conducted to educate employees
about the importance of patch management and their roles and responsibilities in the
process.

7. Compliance and Continuous Improvement

• The Patch Management SOP is periodically reviewed and updated to ensure compliance with
ISO/IEC 27001:2022 and organizational requirements.
• Lessons learned from patch management activities and security incidents are incorporated
into the process for continuous improvement.

8. References

• ISO/IEC 27001:2022 - Information security management systems - Requirements
• KPDCL Information Security Policy
• Relevant regulatory requirements and industry best practices
