An organization has a policy that all servers must have security patches applied within 30 days of release. Which of the following is the best practice for patching?
Testing validates patches without impacting production services.
Why this answer
Option C is correct because testing patches in a non-production environment first allows the organization to identify compatibility issues, performance regressions, or conflicts with existing software before risking production systems. This aligns with the change management principle of validating changes in a controlled setting, ensuring that the 30-day patching deadline can be met without introducing instability. Skipping testing (A) or applying patches simultaneously (B) could lead to widespread outages, while only applying critical patches (D) would leave the organization exposed to non-critical vulnerabilities that could be chained in an attack.
Exam trap
ISC2 often tests the misconceptions that 'all patches must be applied immediately' or that 'critical patches are the only priority'; the trap here is that candidates overlook the need for a controlled testing phase to prevent production outages, even when a strict 30-day deadline exists.
How to eliminate wrong answers
Option A is wrong because skipping patches that have not been widely tested leaves the organization vulnerable to known exploits, and the policy requires all patches to be applied within 30 days, not just widely tested ones. Option B is wrong because applying patches to all servers simultaneously can cause cascading failures if a patch introduces a bug, and it violates the principle of staggered rollouts to maintain service availability. Option D is wrong because only applying critical patches ignores the policy's requirement for all security patches, and non-critical patches often address vulnerabilities that can be leveraged in multi-stage attacks (e.g., privilege escalation).