Patch Management Best Practices for Canadian Organizations — Baseline Control BC.2
What Patch Management Means
Patch management is the process of identifying, acquiring, testing, and installing software updates (patches) on your organization's systems and applications. These patches fix security vulnerabilities, correct bugs, and sometimes add new features. The Canadian Centre for Cyber Security (CCCS) designates patch management as BC.2 in its 13 Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089), reflecting how fundamental timely patching is to preventing cyberattacks.
This page summarizes what the CCCS recommends for patch management. It is educational content based on publicly available government guidance and is not professional cybersecurity advice. For your specific situation, consult a qualified professional. You can also take our free assessment to evaluate your organization across all 13 controls.
What the Canadian Centre for Cyber Security Recommends
The CCCS Baseline Controls (ITSM.10.089) recommend that organizations establish a patch management process to keep all operating systems, applications, and firmware up to date. The guidance emphasizes several key practices:
Enable Automatic Updates Where Possible
For most small and medium organizations, enabling automatic updates is the most effective way to stay current with security patches. Modern operating systems including Windows, macOS, and Linux distributions provide built-in automatic update mechanisms. The CCCS recommends enabling these features on all systems and configuring them to install updates promptly rather than deferring them indefinitely.
Automatic updates are especially important for:
- Operating systems (Windows, macOS, Linux, Chrome OS)
- Web browsers (Chrome, Firefox, Edge, Safari)
- Email clients
- Productivity software (office suites, PDF readers)
- Mobile device operating systems and applications
Prioritize Critical and High-Severity Patches
Not all patches carry equal urgency. The CCCS recommends prioritizing patches by severity, applying fixes for critical vulnerabilities as soon as possible, especially where exploitation in the wild has been reported. Vendor severity ratings (such as Microsoft's "Critical" classification), CVSS base scores, and reports of active exploitation together help an organization decide which patches need immediate attention and which can follow the regular maintenance schedule. For the same vulnerability, an internet-facing system should be patched before an internal one, since it is the one attackers can reach directly.
Maintain an Asset Inventory
You cannot patch what you do not know about. The CCCS recommends maintaining an inventory of all hardware and software assets in your organization. This includes workstations, servers, mobile devices, network equipment, cloud services, and all installed software. An accurate inventory ensures that no system is overlooked when patches are released.
Patch Third-Party Software
Operating system patches receive the most attention, but third-party applications are frequently targeted by attackers. Web browsers, browser plugins, PDF readers, Java, media players, and other commonly installed software all require regular patching. The CCCS guidance makes clear that patching must extend to all software, not just the operating system.
Address End-of-Life Software
Software that has reached end-of-life (EOL) no longer receives security updates from its vendor. Running EOL software means that any newly discovered vulnerabilities will remain permanently unpatched. The CCCS recommends identifying and replacing end-of-life software as a priority. Common examples include older versions of Windows, unsupported versions of server software, and legacy business applications.
Why This Matters for Canadian Businesses
Unpatched software is one of the most common attack vectors used by cybercriminals. When a vendor releases a security patch, details of the vulnerability usually become public soon after, and attackers can also compare the patched and unpatched code to work out what was fixed. Attackers routinely scan for systems running unpatched software and exploit known vulnerabilities to gain access. The window between patch release and exploitation can be very short, sometimes measured in hours or days for critical vulnerabilities in internet-facing software.
For Canadian SMBs, the consequences of running unpatched systems can include:
- Ransomware infections — Many ransomware campaigns exploit known, patched vulnerabilities in systems where the patch was never applied.
- Data breaches — Unpatched vulnerabilities can allow attackers to access sensitive customer data, employee records, or financial information, potentially triggering breach notification obligations under PIPEDA.
- Business disruption — Compromised systems often need to be taken offline for investigation and remediation, causing operational downtime.
- Supply chain risk — Larger organizations increasingly require their suppliers and partners to demonstrate basic cybersecurity hygiene, including timely patching.
The CCCS Baseline Controls position patch management as one of the highest-impact actions an organization can take to reduce its attack surface. Paired with secure device configuration (BC.4) and security software such as anti-malware (BC.5), a consistent patching practice addresses a substantial portion of common threats.
How to Get Started
Implementing effective patch management does not require specialized tools for most small organizations. Here are practical steps to get started:
- Inventory your systems and software. Create a spreadsheet or list of every device (computers, servers, routers, printers, mobile devices) and every software application used in your organization. Note the vendor, current version, and whether auto-updates are enabled.
- Enable automatic updates everywhere possible. Turn on automatic updates for operating systems, browsers, and applications on all devices. For most SMBs, the benefits of automatic patching far outweigh the small risk of an update causing a problem. Where a bad update would be costly (servers, line-of-business applications), let updates reach a small pilot group first and the rest a day or two later, so a faulty update is caught before it reaches everything.
- Check for updates weekly. For software that does not support automatic updates, establish a weekly routine to check for and install available patches. Assign this responsibility to a specific person.
- Prioritize critical patches. When critical security patches are released — particularly for actively exploited vulnerabilities — apply them as soon as possible rather than waiting for your regular maintenance window.
- Identify end-of-life software. Review your inventory for any software that is no longer supported by its vendor. Plan a migration path to a supported alternative. If immediate replacement is not feasible, isolate the system and implement compensating controls.
- Include firmware. Routers, firewalls, printers, and other network devices run firmware that also needs updating. Check your network equipment vendors' websites for firmware updates on a quarterly basis at minimum.
- Document your process. Write down your patch management procedures, including who is responsible, how often updates are checked, and how critical patches are handled. This documentation supports your overall incident response planning (BC.1).
- Consider centralized patch management tools. As your organization grows, tools such as Windows Server Update Services (WSUS), Microsoft Intune, or third-party patch management solutions can help manage updates across multiple devices efficiently.
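The steps above (inventory, auto-update status, prioritization by severity and exploitation, end-of-life review, a weekly manual-check list) can be kept honest with a small script rather than a spreadsheet alone. The following Python program is an added example written for this page; it is not code from the CCCS, from ITSM.10.089, or from any patch management product. The inventory rows, the pending patches (with placeholder patch IDs such as OS-EXAMPLE-1), the end-of-life dates in EOL_DATES and the target windows in TARGET_DAYS are all constructed or assumed for illustration. In particular, the "2/7/14/30 days" windows are one possible team policy, not a CCCS requirement; the CCCS guidance only says critical and actively exploited vulnerabilities should be patched as soon as possible.

```python
"""Patch triage helper for a small organization's asset inventory.

Added example; not code from CCCS, ITSM.10.089 or this page. The inventory
rows, pending patches, EOL dates and target windows are constructed or
assumed for illustration. TARGET_DAYS is one team's policy, not a CCCS rule.
"""
import csv
import io
from datetime import date, timedelta

# Constructed inventory in the spreadsheet shape described above:
# one row per (asset, product) pair, recording whether auto-update is on.
INVENTORY_CSV = """\
asset,product,vendor,version,auto_update
FIN-PC-01,Windows 10,Microsoft,22H2,yes
FIN-PC-02,Windows 7,Microsoft,SP1,no
WEB-01,Ubuntu,Canonical,22.04,yes
RTR-01,EdgeRouter firmware,Ubiquiti,2.0.9,no
FIN-PC-01,Acrobat Reader,Adobe,2023.001,no
"""

# Constructed pending-patch list. patch_id values are placeholders, not real
# advisories; severity, cvss and known_exploited would come from the vendor
# bulletin or a vulnerability scanner.
PENDING_CSV = """\
asset,product,patch_id,severity,cvss,known_exploited,released
FIN-PC-01,Windows 10,OS-EXAMPLE-1,Critical,9.8,yes,2024-05-14
WEB-01,Ubuntu,USN-EXAMPLE-1,High,7.5,no,2024-05-10
RTR-01,EdgeRouter firmware,FW-EXAMPLE-2,Medium,5.3,no,2024-04-01
FIN-PC-01,Acrobat Reader,APP-EXAMPLE-1,Critical,8.8,no,2024-05-13
"""

# Assumed end-of-support dates keyed by "product version". Verify real dates
# against the vendor's lifecycle page before acting on them.
EOL_DATES = {
    "Windows 7 SP1": date(2020, 1, 14),
    "Windows 10 22H2": date(2025, 10, 14),
    "Ubuntu 22.04": date(2027, 4, 30),
}

# Assumed target windows in days from the patch release date; tightest rule wins.
TARGET_DAYS = {"exploited": 2, "Critical": 7, "High": 14, "default": 30}


def load_rows(text):
    """Parse CSV text into dict rows (works the same on a real file's contents)."""
    return list(csv.DictReader(io.StringIO(text)))


def target_days(patch):
    """Patching window for one pending patch under the TARGET_DAYS policy."""
    if patch["known_exploited"].strip().lower() == "yes":
        return TARGET_DAYS["exploited"]
    if patch["severity"] == "Critical" or float(patch["cvss"]) >= 9.0:
        return TARGET_DAYS["Critical"]
    if patch["severity"] == "High":
        return TARGET_DAYS["High"]
    return TARGET_DAYS["default"]


def triage(pending, today):
    """Order pending patches: tightest window first, then earliest deadline.

    Each entry carries its deadline and whether it is already overdue on `today`.
    """
    plan = []
    for p in pending:
        window = target_days(p)
        deadline = date.fromisoformat(p["released"]) + timedelta(days=window)
        plan.append({
            "asset": p["asset"],
            "patch_id": p["patch_id"],
            "window_days": window,
            "deadline": deadline,
            "overdue": today > deadline,
        })
    plan.sort(key=lambda r: (r["window_days"], r["deadline"]))
    return plan


def eol_findings(inventory, today, warn_days=180):
    """Assets whose software is past end of life, or within warn_days of it."""
    findings = []
    for row in inventory:
        key = f'{row["product"]} {row["version"]}'
        eol = EOL_DATES.get(key)
        if eol is None:
            continue  # unknown lifecycle: add it to EOL_DATES, do not assume support
        days_left = (eol - today).days
        if days_left < 0:
            findings.append((row["asset"], key, "past EOL: replace, or isolate with compensating controls"))
        elif days_left <= warn_days:
            findings.append((row["asset"], key, f"EOL in {days_left} days: plan the migration"))
    return findings


def manual_check_list(inventory):
    """(asset, product) pairs without auto-update: the weekly manual-check list."""
    return [(r["asset"], r["product"]) for r in inventory if r["auto_update"].strip().lower() != "yes"]


if __name__ == "__main__":
    today = date(2024, 5, 20)  # fixed date so the output is reproducible
    inventory = load_rows(INVENTORY_CSV)
    for row in triage(load_rows(PENDING_CSV), today):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f'{flag:8} {row["deadline"]} {row["asset"]:10} {row["patch_id"]}')
    for asset, software, note in eol_findings(inventory, today):
        print(f"EOL      {asset:10} {software}: {note}")
    for asset, product in manual_check_list(inventory):
        print(f"MANUAL   {asset:10} {product}")
```

Two design choices are worth noting. The plan is sorted by window first and deadline second, so an actively exploited vulnerability released yesterday outranks a Medium router firmware update that is three weeks overdue; sorting by deadline alone would invert that. Unknown products are skipped in eol_findings rather than treated as supported, which is the point of the inventory step: a product with no lifecycle entry is a gap to fill, not evidence that it is fine.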
To evaluate your current patch management practices alongside the other 12 baseline controls, take the free assessment.
Common Mistakes to Avoid
Based on the CCCS guidance and common patterns in Canadian organizations, here are frequent patch management mistakes:
- Deferring updates indefinitely. Clicking "Remind me later" on update notifications is one of the most common ways systems fall behind on patches. Configure automatic updates to install without requiring user action whenever possible.
- Patching only operating systems. Third-party applications such as browsers, PDF readers, and plugins are targeted just as frequently as operating systems. All software needs to be kept current.
- Not knowing what is on your network. Without an asset inventory, you cannot be confident that all systems are patched. Shadow IT — unauthorized software or devices introduced by employees — is a particular risk for SMBs.
- Ignoring end-of-life software. Running software past its end-of-life date is a growing risk that only gets worse over time. Every new vulnerability discovered after EOL becomes a permanent exposure.
- Forgetting network devices. Routers, switches, firewalls, and even printers run software that needs patching. These devices are often overlooked because they do not prompt users for updates the way desktop software does.
- Treating patching as a one-time task. Patch management is an ongoing process. New vulnerabilities are discovered daily, and new patches are released on a continuous basis. It requires a sustained, repeatable routine.
Frequently Asked Questions
See below for answers to common questions about patch management for Canadian organizations. For a comprehensive evaluation of your cybersecurity posture, take our free cybersecurity assessment.
Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
How does your organization score on Patch Management?
Take our free cybersecurity assessment to evaluate your organization across all 13 Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.
Take the Free Assessment