Does anyone have any suggestions for creating security policy around the use of Update Manger to patch ESXi with security related patches?

What kinds of criterion need to be addressed in a security policy specific to ESXi, vCenter Server and Security Updates?

Does anyone have a security policy template to use as a starting point?
I.E., "critical ESXi security patches must be installed within x days", etc.