The way I've always done this is:
- Make a copy of the production site, this copy is then the staging site.
- Perform an upgrade on the staging site. Investigate any unexpected problems during the upgrade and test that the upgraded site works as expected.
- When you're happy the upgraded staging site is working as expected, schedule a maintenance window for the production site. You should be able to estimate how long that window needs to be based on the staging site upgrade.
- Upgrade the production site, having placed this in maintenance mode.
You may need to ensure the user access policies include the use of user data in this way to comply with GDPR, i.e. that user data would be included in the operational processes including testing to apply site security updates.