nerdexam
(ISC)2

CISSP · Question #1438

Which of the following is the BEST way to determine the success of a patch management process?

The correct answer is B. Auditing and assessment. Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.

Submitted by andres_qro· Mar 5, 2026Security Operations

Question

Which of the following is the BEST way to determine the success of a patch management process?

Options

  • AAnalysis and impact assessment
  • BAuditing and assessment
  • CConfiguration management (CM)
  • DChange management

How the community answered

(26 responses)
  • A
    8% (2)
  • B
    77% (20)
  • C
    12% (3)
  • D
    4% (1)

Why each option

Determining the success of a patch management process requires auditing and assessment to verify that patches were applied correctly, completely, and within compliance requirements.

AAnalysis and impact assessment

Analysis and impact assessment is a pre-patch activity used to evaluate the potential effects of applying a patch before deployment, not a post-process measurement of success.

BAuditing and assessmentCorrect

Auditing and assessment directly measure the effectiveness of a patch management process by verifying patch compliance rates, confirming that patches were successfully deployed across all systems, and identifying any gaps or failures in the patching cycle. This provides quantifiable metrics and evidence that the process is working as intended, making it the best method for evaluating success.

CConfiguration management (CM)

Configuration management tracks and controls the state of IT assets and their configurations but does not specifically measure whether the patch management process achieved its goals.

DChange management

Change management is the process used to control and approve changes (including patches) before they are made, but it does not evaluate the outcome or success of the patching process after the fact.

Concept tested: Evaluating patch management process effectiveness through auditing

Source: https://www.nist.gov/publications/guide-enterprise-patch-management-planning-preventive-maintenance-technology

Topics

#patch management#security auditing#process assessment

Community Discussion

No community discussion yet for this question.

Full CISSP Practice