diff --git a/Policies/Patch_Management.md b/Policies/Patch_Management.md index e13923a..ace2a34 100644 --- a/Policies/Patch_Management.md +++ b/Policies/Patch_Management.md @@ -1,14 +1,14 @@ --- title: Patch Management -description: How digiBandit keeps your systems secure and up-to-date through automated and managed patching. +description: How digiBandit keeps your systems secure and up-to-date through ring-based automated patching aligned with Canadian cybersecurity standards. category: policies -tags: [patch, policies] +tags: [patch, policies, security, compliance] permalink: go.dbits.ca/dd/patch-management --- # Patch Management -Keeping software up-to-date is one of the most effective ways to prevent security breaches. digiBandit manages patching for all devices under our managed services so you don't have to think about it. +Keeping software up-to-date is one of the most effective ways to prevent security breaches. digiBandit manages patching for all devices under our managed services using a structured, multi-stage deployment process that balances security urgency with operational stability. ## What We Patch 
@@ -18,13 +18,33 @@ Keeping software up-to-date is one of the most effective ways to prevent securit ## How It Works -### Automated Patching +### Ring-Based Deployment -Our monitoring platform (Tactical RMM) handles patch deployment across all managed devices: +Rather than pushing patches to all devices at once, we use a staged rollout approach used by enterprise organizations worldwide. Patches move through four deployment rings, with each ring validating the update before it reaches more devices: -- **Windows Updates** are applied on a managed schedule with automatic reboots during off-hours when required -- **Third-party applications** are updated automatically via our software management policies -- **Critical security patches** are prioritized and deployed as soon as possible after release +| Ring | Purpose | Timing | Who | +|------|---------|--------|-----| +| Ring 0 - Test | Validate patches install cleanly | Patch Tuesday + 0 days | digiBandit internal devices | +| Ring 1 - Pilot | Detect application incompatibilities | Patch Tuesday + 3 days | Small group of opt-in client devices | +| Ring 2 - Standard | Main deployment wave | Patch Tuesday + 7 days (Wednesday) | All managed workstations | +| Ring 3 - Servers | Final ring after full validation | Patch Tuesday + 14 days | Servers and critical systems | + +This means your workstations receive patches one week after Microsoft releases them, giving us time to catch any issues on our own systems and pilot devices first. Servers receive patches two weeks after release with the most testing completed. + +All patch installations occur during off-hours (early morning) with automatic reboots when required, minimizing disruption to your workday. + +### Severity-Based Timelines + +Not all patches are equal. 
We prioritize based on severity following Canadian Centre for Cyber Security (CCCS) guidelines: + +| Severity | Timeline | Our Response | +|----------|----------|-------------| +| Critical (CVSS 9.0+) | 48 hours | Emergency deployment, bypass standard rings | +| High (CVSS 7.0-8.9) | 14 days | Accelerated ring progression | +| Medium (CVSS 4.0-6.9) | 30 days | Standard ring cycle | +| Low (CVSS 0.1-3.9) | 90 days | Standard ring cycle | + +Critical security patches that address actively exploited vulnerabilities are deployed within 48 hours regardless of the ring schedule. ### Manual Patching 
@@ -36,14 +56,53 @@ Some updates require manual intervention: For these, [submit a ticket](https://portal.dbits.ca) with the software details and we'll coordinate an update window. -## Patch Schedule +## Monitoring and Reporting -| Type | Frequency | Window | -|------|-----------|--------| -| Windows Updates | Weekly | Wednesday evenings | -| Third-Party Apps | Weekly | Automated | -| Critical Security | ASAP | Within 24 hours of release | -| Firmware | As needed | Scheduled maintenance window | +Every managed device is continuously monitored for patch compliance. Our automated systems track: + +- Whether each device is fully patched +- How quickly patches are applied after release +- Any devices that fail to install updates +- Devices requiring reboots to complete updates + +You can view your devices' patch status in the [client portal](https://portal.dbits.ca) under each asset's Device Management section. + +### Monthly Compliance Reports + +Each month, we generate a detailed Patch Compliance Report for your organization that includes: + +- Overall compliance grade (A through F) +- Per-device patch status +- Patches applied during the period +- Any exceptions or offline devices +- Compliance alignment with industry standards + +These reports are available in your ITFlow documents and are useful for: + +- Quarterly business reviews +- Cyber insurance renewal evidence +- CyberSecure Canada certification documentation +- Internal audit requirements + +## Compliance Alignment + +Our patch management process is designed to meet or exceed the requirements of: + +- **CCCS (Canadian Centre for Cyber Security)** - Patching timelines align with CCCS recommended remediation windows +- **CyberSecure Canada (CAN/CIOSC 104:2021)** - Automated patching satisfies the "Install updates on time" baseline control +- **CIS Controls v8.1** - Control 7 (Continuous Vulnerability Management) addressed through automated scanning and remediation +- **Cyber Insurance** - Monthly compliance 
reports provide evidence of active patch management for insurance applications and renewals + +## Exception Handling + +If a specific patch causes issues with your business applications, we can: + +1. Defer the patch for a defined period while investigating +2. Document the exception with a risk assessment +3. Apply compensating controls if needed +4. Re-test and deploy when the issue is resolved + +All exceptions are tracked and documented in your compliance reports. ## Privilege Access Management
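Review bot: the Ring 2 row of the deployment table is internally inconsistent: "Patch Tuesday + 7 days" falls on a Tuesday, yet the cell says "(Wednesday)", while the prose below ("one week after Microsoft releases them") matches the +7. Pick one, for example "Patch Tuesday + 8 days (Wednesday)" if the Wednesday evening window from the removed schedule table is the real maintenance window, so the table, the prose and the reboot window agree. The rewrite also drops two facts from the removed bullets that clients will ask about: which platform performs the deployment (Tactical RMM was named before) and how third-party applications are handled, since the ring table and the "one week after Microsoft releases them" sentence describe Windows updates only. Add a sentence stating whether third-party updates follow the same rings or a separate cadence.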
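Review bot: the severity table and the sentence after it give two different triggers for bypassing the rings: the table says every Critical (CVSS 9.0+) patch gets "Emergency deployment, bypass standard rings", while the sentence limits that to patches for "actively exploited vulnerabilities". State one rule, or split it into two rows ("Critical" and "Actively exploited"). Together with the removal of "Critical Security | ASAP | Within 24 hours of release" from the old schedule table, this hunk relaxes the critical commitment from 24 to 48 hours; if that is intentional, say so explicitly as a policy change rather than leaving it implicit in the table. Since the table claims to follow CCCS guidelines, cite the specific CCCS publication the remediation windows are taken from, and state what validation an emergency deployment still receives before it reaches servers (at minimum a Ring 0 install check and a documented rollback step), because "bypass standard rings" as written removes the "full validation" that the Ring 3 row promises.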
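Review bot: removing the old Patch Schedule table loses the Firmware row ("As needed | Scheduled maintenance window"), and nothing in the new Monitoring, Compliance Alignment or Exception Handling sections says when or how firmware is patched, so re-add a firmware line either in the ring table or alongside the "Some updates require manual intervention" context. In Exception Handling, "Defer the patch for a defined period" should state the maximum deferral, who approves it, and how it interacts with the severity timelines above (a Critical deferred past 48 hours no longer meets the table this page publishes), and "Apply compensating controls if needed" should name one or two examples so the "Any exceptions or offline devices" line in the monthly report is auditable. The report bullet "Compliance alignment with industry standards" is vague next to the concrete Compliance Alignment list; name the frameworks the report measures against.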