Whether “Patch Management” is a subset of a different IT Policy or its own standalone policy, a Patch Management Policy should address any hardware system or software system that is able to be updated with a more current, more robust, more stable, more secure, etc. version and that is within the company’s responsibility demarcation (i.e. you are not responsible for patching your ISP’s routers).
With that in mind, whether a device or system is inside or outside your firewall becomes irrelevant.
-g