Apply non-critical patches for online services within two weeks
Install updates for online services within two weeks if not critical and no exploits exist.
Plain language
This control is about making sure that non-critical vulnerabilities in your online services are patched within two weeks of the vendor releasing a fix. Even when a vendor rates a flaw as non-critical and no working exploit is known, leaving it unpatched keeps a door open that attackers can later find or combine with other weaknesses. Applying updates on a fixed schedule shrinks the window in which a known vulnerability can be exploited.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Delaying non-critical patches for internet-facing services leaves known weaknesses exposed to anyone who can reach them; individually low-risk flaws can later be chained together, or have a working exploit published, turning them into outages or unauthorised access. Note that the two-week window only applies while the vendor rating stays non-critical and no working exploit exists; once either condition changes, the vulnerability falls outside this control's scope and a shorter timeframe applies.
Operational notes
Maintain a regular patch review for internet-facing services; apply vendor non-critical patches within 14 days of release when no working exploits are known. The clock starts at the vendor's release date, not at the date your team notices the patch, so a review cadence that only checks every fortnight can leave almost no time to deploy; track vendor notifications at least weekly and record both the release date and the application date for each patch so the timeframe can be evidenced.
Implementation tips
- IT team should identify all online services in use by regularly reviewing the software inventory, ensuring all services are accounted for.
- System administrator should track non-critical patches by checking vendor notifications and update websites weekly.
- Security officer should ensure patches are applied by setting reminders for the IT team to install updates within two weeks of their release.
- IT team should automate the patching process using patch management tools, which can be configured to apply updates automatically according to the schedule.
- Business owner should conduct a monthly review to confirm with the IT team that non-critical patches are completed on time.
Audit / evidence tips
- Ask: How do you identify which online services need patching within two weeks?
- Good: The organisation maintains an up-to-date list of online services and receives notifications from vendors about patches, then applies them within two weeks when assessed as non-critical.
- Ask: How does the organisation ensure patches are applied within the required timeframe?
- Good: The organisation uses an automated patch management system that logs patch release and application dates, consistently showing compliance with the two-week requirement.
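A compliance check that turns a patch-management export into the evidence described above, written as an added example for this page rather than code from any particular product. It assumes a CSV export with the columns shown (service, patch identifier, vendor release date, vendor rating, whether a working exploit is known, application date); the column names, service names, patch identifiers and the as-of date are all constructed. It applies only this control's scope (vendor rating other than critical, no working exploit), counts the 14 days from the vendor's release date, treats day 14 as still within the window, and reports unapplied patches that have already passed the window as overdue.

```python
"""Two-week patch-window check for non-critical online-service patches (E8-PA-ML1.6)."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# "within two weeks of release"; an application on day 14 is treated as compliant (assumption).
WINDOW = timedelta(days=14)

# Constructed as-of date used when a patch has not yet been applied.
AS_OF = date(2026, 3, 19)

# Constructed sample export from a patch-management system. Column names are assumptions;
# real tools will name these fields differently.
SAMPLE_CSV = """service,patch_id,released,vendor_rating,exploit_known,applied
webmail,WM-2026-01,2026-03-01,moderate,no,2026-03-10
portal,PT-2026-07,2026-02-20,low,no,2026-03-12
vpn,VPN-2026-03,2026-03-10,moderate,no,
api-gateway,AG-2026-02,2026-02-25,low,no,
webmail,WM-2026-02,2026-03-15,critical,no,
portal,PT-2026-08,2026-03-12,moderate,yes,
"""


@dataclass
class PatchRecord:
    service: str            # the online service the patch applies to
    patch_id: str           # vendor advisory / patch identifier
    released: date          # vendor release date: the two-week clock starts here
    vendor_rating: str      # vendor's own criticality rating, lower-cased
    exploit_known: bool     # True if a working exploit exists
    applied: Optional[date] # None if the patch has not been applied yet


def parse_records(text: str) -> list[PatchRecord]:
    """Parse the CSV export into PatchRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(PatchRecord(
            service=row["service"],
            patch_id=row["patch_id"],
            released=date.fromisoformat(row["released"]),
            vendor_rating=row["vendor_rating"].strip().lower(),
            exploit_known=row["exploit_known"].strip().lower() in ("yes", "true", "1"),
            applied=date.fromisoformat(row["applied"]) if row["applied"].strip() else None,
        ))
    return records


def in_scope(rec: PatchRecord) -> bool:
    """This control covers only vendor-rated non-critical vulnerabilities with no working exploit.
    Critical ratings and known exploits are handled by other, shorter-timeframe controls."""
    return rec.vendor_rating != "critical" and not rec.exploit_known


def assess(rec: PatchRecord, today: date) -> str:
    """Classify one record: out-of-scope, compliant, late, pending or overdue."""
    if not in_scope(rec):
        return "out-of-scope"
    # Elapsed time is measured from the vendor release, not from when the patch was noticed.
    elapsed = (rec.applied or today) - rec.released
    if rec.applied is None:
        return "overdue" if elapsed > WINDOW else "pending"
    return "compliant" if elapsed <= WINDOW else "late"


def compliance_report(text: str, today: date) -> dict[tuple[str, str], str]:
    """Map (service, patch_id) to its status for every record in the export."""
    return {(r.service, r.patch_id): assess(r, today) for r in parse_records(text)}


def breaches(report: dict[tuple[str, str], str]) -> list[tuple[str, str]]:
    """Records that missed the two-week window, sorted for stable reporting."""
    return sorted(key for key, status in report.items() if status in ("late", "overdue"))


if __name__ == "__main__":
    report = compliance_report(SAMPLE_CSV, AS_OF)
    for (service, patch_id), status in report.items():
        print(f"{service:12} {patch_id:12} {status}")
    print("breaches:", breaches(report))
```

Run against a real export, the report for applied patches is the "patch release and application dates" evidence an assessor asks for, and the pending list tells the team which open items still have time left. Because the scope test is evaluated per record, a vulnerability that gains a working exploit or a raised vendor rating drops out of this report and must be picked up by the check for the corresponding shorter timeframe.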
Cross-framework mappings
How E8-PA-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | E8-PA-ML1.6 requires non-critical vendor patches for online services be applied within two weeks when no working exploits exist | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1163 | E8-PA-ML1.6 requires applying non-critical patches for online services within two weeks where no working exploits exist | |
| Partially overlaps (3) | | |
| ISM-1694 | ISM-1694 requires non-critical operating system security patches for internet-facing servers and internet-facing network devices to be ap... | |
| ISM-1697 | ISM-1697 requires organisations to patch non-critical driver vulnerabilities within one month where no working exploits exist | |
| ISM-1876 | E8-PA-ML1.6 requires patching vulnerabilities in online services within two weeks when vendors assess them as non-critical and no working... | |
| Supports (2) | | |
| ISM-0298 | E8-PA-ML1.6 requires timely application of non-critical patches for vulnerabilities in online services within two weeks when no working e... | |
| ISM-1483 | E8-PA-ML1.6 requires applying non-critical security patches for online services within two weeks when vendors rate them non-critical and ... | |
| Depends on (2) | | |
| ISM-1143 | E8-PA-ML1.6 requires organisations to apply non-critical online service patches within two weeks based on vendor criticality and exploit ... | |
| ISM-1698 | E8-PA-ML1.6 requires organisations to apply non-critical patches for vulnerabilities in online services within two weeks where no working... | |
| Related (1) | | |
| ISM-1690 | E8-PA-ML1.6 requires organisations to apply non-critical patches, updates or vendor mitigations for vulnerabilities in online services wi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.