The most likely cause of systems and applications missing critical patches is the lack of a release and deployment policy. CISM program management treats patching as an activity governed through formal change, release, and deployment processes so that every update is tested, approved, scheduled, deployed, and verified. Without a release and deployment policy, patches are not consistently prioritized, assigned, implemented, or tracked to completion, and individual teams are left to decide for themselves whether and when to apply them.

Insufficient management oversight can contribute to poor patching, but it is an indirect cause: oversight can only enforce a process that already exists, and the more direct cause is the absence of a formal process governing patch release and deployment. Reporting on damaged hardware is unrelated to missing software patches. An outdated CMDB can cause some assets to be overlooked, but it explains gaps on a subset of assets rather than missing critical patches across systems and applications generally, which the lack of a defined deployment policy explains directly. CISM stresses that repeatable operational processes are essential to maintaining control effectiveness. Therefore, the absence of a release and deployment policy is the best answer.
References:
- ISACA CISM Review Manual, Information Security Program Development and Management: patch management and release/deployment controls
- ISACA CISM Exam Content Outline, Domain 3: Information Security Program Development and Management