Do clients have the option to not participate in or postpone an upgrade to a new release?
Explanation
Reviewers want to know how much control clients have over upgrade timing, specifically whether new releases can be applied to their environments on their schedule. In a security assessment context, this question evaluates the balance between keeping systems updated with security patches and respecting client operational needs.
Why it matters:
- Operational impact: Updates can potentially disrupt critical business operations if deployed at inopportune times.
- Testing requirements: Clients often need time to test new releases in non-production environments before applying to production.
- Compliance considerations: Some regulated industries have strict change control requirements that necessitate planned upgrade windows.
- Risk management: While security updates are important, forced upgrades without client consent can create business continuity risks.
The assessor wants to understand if your change management process accommodates client needs while still maintaining appropriate security posture. They're looking for a reasonable balance between security requirements and operational flexibility.
A good answer should explain your upgrade policy, how clients are notified, what options they have for postponement, any limitations on postponement (especially for critical security patches), and how you handle clients who remain on outdated versions for extended periods.
Example Responses
Example Response 1
Yes, our clients have significant control over their upgrade timing For standard feature releases, clients receive 60-day advance notification and can choose to postpone implementation for up to 6 months For critical security patches, we provide a minimum 14-day notice and allow postponement for up to 30 days In exceptional circumstances where a client cannot accommodate even critical updates within this timeframe, we work with them to implement compensating controls while maintaining their current version All postponement requests are managed through our client portal and require formal acknowledgment of the potential risks of remaining on older versions.
Example Response 2
Yes, we offer a flexible upgrade approach Our SaaS platform maintains three supported release versions at any time (current and two previous) Clients receive notification 45 days before scheduled upgrades and can choose to remain on their current version until it reaches end-of-support status, typically 9 months after release For zero-day vulnerabilities or critical security issues, we reserve the right to expedite patches with 48-hour notice, though clients can request emergency exceptions through their account manager We provide detailed release notes, test environment access, and migration assistance for all upgrades to minimize operational disruption.
Example Response 3
No, our platform operates on a unified release schedule where all clients are upgraded simultaneously during our monthly maintenance window This approach ensures all clients benefit from the latest security patches and feature improvements while allowing us to maintain a single, consistent codebase We provide 30-day advance notification of all planned upgrades and detailed release notes While clients cannot opt out of upgrades, we do offer extended test environment access before production deployment and 24/7 support during upgrade periods to address any issues This model allows us to deliver security improvements rapidly across our entire client base.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

