Are there any useful guides which break down into a set of best practices how to handle patching & vulnerability management. Every time we look into it there's just links to commercial tools which you can use to scan for out of date software but whereas it will point out where you aren't doing so well (e.g. outdated software, unsupported software etc), what I am more after is some detailed best practices on how to manage the patching/remediation process in general, considerations that are needed to help define & implement your policies and procedures around etc. If there is such a thing then that would be most helpful. I was going to look through PCI DSS as that is a set of expected controls with some detail rather than just links to an expensive vulnerability scanner or scanning service to tell you how bad/well you are doing.