Do you have a release schedule for product updates?
Explanation
Predictable delivery of product updates is what's being probed here, specifically whether your organization follows a structured, repeatable release schedule. A release schedule is a documented timeline that outlines when software updates, patches, bug fixes, and new features will be deployed to production environments.
Why it's asked in security assessments:
- Predictability: Organizations using your product need to plan for updates, especially if they require downtime or testing.
- Security patching: Regular release schedules often indicate a mature approach to addressing security vulnerabilities in a timely manner.
- Change management maturity: Having a defined release schedule suggests your organization has formalized processes for testing, validating, and deploying changes safely.
- Risk assessment: Customers need to understand how frequently changes occur to assess operational and security risks.
The best answers to this question will describe:
- The frequency of your release schedule (monthly, quarterly, etc.)
- Whether you distinguish between different types of releases (e.g., major vs. minor vs. security patches)
- How you communicate the schedule to customers
- Any flexibility in the schedule for critical security updates
Even if your release process is agile or continuous delivery, you should still have some framework for how releases are planned and communicated.
Example Responses
Example Response 1
Yes, we maintain a structured release schedule for our product Major feature releases occur quarterly (March, June, September, December) following a three-week testing cycle in our staging environments Minor updates and non-critical bug fixes are released monthly on the second Tuesday Critical security patches are released as needed outside this schedule, typically within 72 hours of validation All scheduled releases are communicated to customers 30 days in advance through our customer portal and email notifications, with detailed release notes and any required customer actions Emergency security patches are communicated with as much notice as possible given the circumstances.
Example Response 2
Yes, we follow a continuous delivery model with a structured cadence Our product updates follow a bi-weekly sprint cycle where non-breaking changes are deployed every two weeks on Thursdays during off-peak hours (2:00-4:00 AM EST) Major feature releases that may require customer preparation are bundled quarterly and announced 45 days in advance Our security team maintains a separate pipeline for critical security updates, which can be deployed within 24 hours of validation, regardless of the regular release schedule All releases are documented in our customer-facing release calendar and communicated through multiple channels including our status page, email notifications, and in-app alerts.
Example Response 3
No, we don't currently maintain a formal release schedule Our updates are deployed on an as-needed basis when new features are completed or bugs are identified We typically notify customers a few days before deployment via email While we prioritize security fixes, we don't have a specific timeline commitment for addressing vulnerabilities We're currently working to implement a more structured release process with defined schedules as part of our DevOps maturity roadmap for next quarter, which will include dedicated windows for security patches and better advance notification for customers.
Context
- Tab
- Organization
- Category
- Change Management
Related questions
- Will the institution be notified of major changes to your environment that could impact the institution's security posture?
- Does the system support client customizations from one release to another?
- Do you have an implemented system configuration management process (e.g.,secure "gold" images, etc.)?
- Do you have a documented change management process?
- Does your change management process minimally include authorization, impact analysis, testing, and validation before moving changes to production?
- Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?

