topic Reporting patching and vulnerability metrics in Governance, Risk, Compliance https://community.isc2.org/t5/Governance-Risk-Compliance/Reporting-patching-and-vulnerability-metrics/m-p/89270#M1473 <P>I'm interested in how others are handling patching metrics.&nbsp;We currently report patching using:<BR /><BR /></P><UL><LI>% endpoints missing critical/important patches outside a 14-day SLA (aligned to UK Cyber Essentials), and</LI><LI>total high/critical vulnerabilities aged &gt;14 days.</LI></UL><P>The idea was to show both patching coverage and the depth of exposure.</P><P>&nbsp;</P><P>This has worked pretty well historically, but over the last 6 months we’ve been rolling out new laptops and have hit some patching issues. As a result, we’ve now got ~16% of devices outside SLA, and they’re missing multiple patch cycles, which is driving a big spike in vulnerability counts.</P><P>&nbsp;</P><P>I’m starting to get some pressure internally that the metrics are either too harsh or don’t reflect operational performance properly.&nbsp;I still think they’re right from an infosec risk perspective.</P><P>&nbsp;</P><P><STRONG>Interested in how others are balancing patch SLA vs vulnerability metrics in reporting?</STRONG></P> Sun, 19 Apr 2026 08:03:50 GMT Dom 2026-04-19T08:03:50Z Reporting patching and vulnerability metrics https://community.isc2.org/t5/Governance-Risk-Compliance/Reporting-patching-and-vulnerability-metrics/m-p/89270#M1473 <P>I'm interested in how others are handling patching metrics.&nbsp;We currently report patching using:<BR /><BR /></P><UL><LI>% endpoints missing critical/important patches outside a 14-day SLA (aligned to UK Cyber Essentials), and</LI><LI>total high/critical vulnerabilities aged &gt;14 days.</LI></UL><P>The idea was to show both patching coverage and the depth of exposure.</P><P>&nbsp;</P><P>This has worked pretty well historically, but over the last 6 months we’ve been rolling out new laptops and have hit some patching issues. As a result, we’ve now got ~16% of devices outside SLA, and they’re missing multiple patch cycles, which is driving a big spike in vulnerability counts.</P><P>&nbsp;</P><P>I’m starting to get some pressure internally that the metrics are either too harsh or don’t reflect operational performance properly.&nbsp;I still think they’re right from an infosec risk perspective.</P><P>&nbsp;</P><P><STRONG>Interested in how others are balancing patch SLA vs vulnerability metrics in reporting?</STRONG></P> Sun, 19 Apr 2026 08:03:50 GMT https://community.isc2.org/t5/Governance-Risk-Compliance/Reporting-patching-and-vulnerability-metrics/m-p/89270#M1473 Dom 2026-04-19T08:03:50Z