Azure Patching priority

Luke Wheat 21 Reputation points
2022-02-06T22:54:48.157+00:00

Good Morning Everyone,

For the Australian users, is there a direct translation between the Azure patching priority (Critical, Security, Others) and the ISM patching timeline, that is, either patched in 48 hours if a known vulnerability exists, patched within 2 weeks, or patched within the month?

One could argue Critical needs to be applied within 48 hours, Security within 2 weeks and Others within a month, but I am wondering if MS has provided guidance on this rather than making assumptions.

Cheers,

Luke


Accepted answer
  1. Alistair Ross 7,101 Reputation points Microsoft Employee
    2022-02-08T00:10:42.253+00:00

    Hello anonymous userWheat-6808, our compliance documentation in the services trust portal is where you can find this information. You can download the Microsoft Azure Security Fundamentals and Cloud Services Assessment Report 2020 - Annex A - ISM Control Findings, which details the patching controls mapped to ISM controls.

    Microsoft's Azure services use CVSS 3.0 to assign vulnerability severity. Low, Moderate, and High/Critical are the three severity ratings used. As a minimum, baseline technologies must be patched in a 30-day cycle. High and critical vulnerabilities are addressed in an Emergency Out of Band Cloud Critical process where mitigating action is taken prior to the application of final patches and fixes.

