Apply critical application patches within 48 hours
Ensure that critical patches for online (internet-facing) services are applied within 48 hours of release, before known vulnerabilities can be exploited.
Plain language
This control is about making sure that any critical updates for your online services (software that is reachable from the internet) are applied within 48 hours of the vendor releasing them. It also applies when a working exploit exists for a weakness, even if the vendor has not rated it critical. This matters because attackers scan for known weaknesses in internet-facing software and can use them to get into your systems. By installing these updates quickly, you close the window in which your organisation can be attacked.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Delayed application of critical patches exposes online services to rapid exploitation, risking data breaches, ransomware and major operational disruption.
Operational notes
Track vendor advisories for every online service in scope and, where a vulnerability is rated critical by the vendor or a working exploit exists, deploy the patch, update or vendor mitigation within 48 hours of release using an emergency change process. Measure the 48 hours from the vendor's release time, not from when the advisory was noticed.
Implementation tips
- The IT team should maintain an inventory of online services and monitor each vendor's security advisories to identify critical updates. This can be done by subscribing to vendor security mailing lists, setting up alerts, and following a source that tracks publicly available working exploits.
- A system administrator should configure automatic or scheduled patch deployment for the organisation's online services so that critical patches can be pushed within the window without waiting for a routine change cycle. Where fully automatic updates are not practical, a pre-approved emergency change path should be in place.
- Security officers need to implement a prioritisation policy that treats vendor-rated critical vulnerabilities, and any vulnerability with a working exploit, as high priority. This policy should set out abbreviated testing and deployment steps that fit within the 48-hour window, and what to do if a patch cannot be applied in time (for example, applying the vendor's interim mitigation).
- The IT helpdesk should have a clear communication channel with the system administrator to report any issues after a patch is applied. This can be established through regular update meetings and a ticketing system that links each incident to the patch that caused it.
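The operational note and the tips above describe a procedure: decide which advisories fall within the 48-hour rule (vendor-rated critical, or a working exploit exists), compute the deadline from the vendor's release time, and compare it with the patch-deployment record so that the evidence an auditor asks for is produced rather than reconstructed. The following Python script is an added example and is not code from the Control Stack page or from ASD; it runs the assessment over constructed advisory and patch records embedded inline. The `Advisory` and `PatchRecord` structures, field names and sample identifiers are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# ML1 window for online services: 48 hours from vendor release.
SLA = timedelta(hours=48)


@dataclass
class Advisory:
    """A vendor advisory for an online service (hypothetical structure)."""
    advisory_id: str
    service: str
    released: datetime          # vendor release time, timezone-aware
    vendor_severity: str        # severity as stated by the vendor
    exploit_known: bool         # a working exploit is publicly available


@dataclass
class PatchRecord:
    """When the patch or vendor mitigation was applied (None = not yet)."""
    advisory_id: str
    applied: Optional[datetime]


def in_scope(adv: Advisory) -> bool:
    """The 48-hour rule applies if the vendor rates the vulnerability
    critical OR a working exploit exists, whichever is true."""
    return adv.vendor_severity.strip().lower() == "critical" or adv.exploit_known


def deadline(adv: Advisory) -> datetime:
    """Deadline is measured from the vendor's release time, not from
    the time the advisory was noticed internally."""
    return adv.released + SLA


def assess(advisories: List[Advisory], patches: List[PatchRecord],
           now: datetime) -> List[Dict[str, object]]:
    """Return one record per in-scope advisory with an SLA status:
    met, breached (applied late), overdue (unapplied, past deadline)
    or open (unapplied, still inside the window)."""
    applied_at = {p.advisory_id: p.applied for p in patches}
    results = []
    for adv in advisories:
        if not in_scope(adv):
            continue  # outside this control; handled by the slower tier
        due = deadline(adv)
        when = applied_at.get(adv.advisory_id)
        if when is not None:
            status = "met" if when <= due else "breached"
            hours_late = max((when - due).total_seconds() / 3600, 0.0)
        else:
            status = "overdue" if now > due else "open"
            hours_late = max((now - due).total_seconds() / 3600, 0.0)
        results.append({
            "advisory_id": adv.advisory_id,
            "service": adv.service,
            "deadline": due.isoformat(),
            "status": status,
            "hours_late": round(hours_late, 1),
        })
    return results


# Constructed sample data; identifiers and times are invented.
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
ADVISORIES = [
    Advisory("ADV-001", "web-portal", datetime(2026, 3, 1, 0, 0, tzinfo=timezone.utc), "critical", False),
    Advisory("ADV-002", "mail-gateway", datetime(2026, 3, 2, 0, 0, tzinfo=timezone.utc), "high", True),
    Advisory("ADV-003", "web-portal", datetime(2026, 3, 3, 0, 0, tzinfo=timezone.utc), "high", False),
    Advisory("ADV-004", "vpn-gateway", datetime(2026, 3, 5, 0, 0, tzinfo=timezone.utc), "Critical", False),
    Advisory("ADV-005", "api-gateway", datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc), "critical", False),
]
PATCHES = [
    PatchRecord("ADV-001", datetime(2026, 3, 1, 20, 0, tzinfo=timezone.utc)),   # 20 h after release
    PatchRecord("ADV-002", datetime(2026, 3, 4, 12, 0, tzinfo=timezone.utc)),   # 60 h after release
    PatchRecord("ADV-003", datetime(2026, 3, 20, 0, 0, tzinfo=timezone.utc)),   # not in scope here
]


def report() -> List[Dict[str, object]]:
    return assess(ADVISORIES, PATCHES, NOW)


if __name__ == "__main__":
    for row in report():
        print(f"{row['advisory_id']:8} {row['service']:13} "
              f"due {row['deadline']}  {row['status']:8} late {row['hours_late']}h")
```

Running the script lists ADV-001 as met, ADV-002 as breached (the exploit, not the vendor rating, pulled it into the 48-hour tier), ADV-004 as overdue and ADV-005 as still open; ADV-003 is omitted because neither trigger applies. Feeding the real advisory and change records into `assess` gives the record an auditor asks for under the "how soon" evidence question below.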
Audit / evidence tips
- Ask: How do you identify which software updates for online services are critical, or have a working exploit, and therefore require attention within 48 hours?
  Good: A document or system showing the monitoring process for vendor advisories, including alerts for critical or exploited vulnerabilities, should be provided.
- Ask: How soon after release are critical patches typically applied to your online services?
  Good: Records (advisory release time against patch deployment time) should confirm that critical patches are consistently applied within 48 hours of release.
- Ask: What steps are taken to ensure updates don't disrupt operations while still meeting the 48-hour window?
  Good: A documented procedure should describe how critical updates are tested in a controlled environment before full deployment, and how the emergency change process keeps that testing within the window.
Cross-framework mappings
How E8-PA-ML1.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | E8-PA-ML1.5 requires organisations to remediate critical online-service vulnerabilities by applying patches or mitigations within 48 hours |
| Partially overlaps | Annex A 8.19 | Annex A 8.19 requires secure management of software installation, including controlled installation of updates and vendor fixes |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1483 | ISM-1483 requires internet-facing server applications to use the latest release, reducing risk from vulnerabilities addressed in newer ve... |
| Partially overlaps | ISM-1877 | ISM-1877 focuses on patching operating systems for internet-facing servers and internet-facing network devices within 48 hours when vulne... |
| Partially overlaps | ISM-1879 | E8-PA-ML1.5 requires applying critical patches for online services within 48 hours when rated critical or exploited |
| Supports | ISM-0298 | E8-PA-ML1.5 requires critical patches or vendor mitigations for online services to be applied within 48 hours |
| Supports | ISM-1698 | E8-PA-ML1.5 requires organisations to apply critical patches or mitigations for vulnerabilities in online services within 48 hours of rel... |
| Supports | ISM-1921 | ISM-1921 requires organisations to frequently reassess the likelihood of system compromise when working exploits exist for unmitigated vu... |
| Related | ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner |
| Related | ISM-1876 | E8-PA-ML1.5 requires patches, updates or vendor mitigations for critical vulnerabilities in online services to be applied within 48 hours... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.