Apply non-critical patches for online services within two weeks
Install updates for online services within two weeks of release when the vulnerability is not critical and no working exploit exists.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
Patch applications
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML1
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Source: ASD Essential Eight
Plain language
This control is about making sure that vulnerabilities in online services that vendors assess as non-critical, and for which no working exploit exists, are fixed within two weeks of the patch being released. Even though these issues aren't critical, ignoring them leaves a door open for attackers. Regular updates keep your systems safe by patching vulnerabilities before they can be exploited.
Why it matters
Delaying non-critical patches for online services leaves flaws in place that can later be chained with other weaknesses, turning low-risk findings into outages or unauthorised access.
Operational notes
Maintain a fortnightly patch review for internet-facing services; apply vendor non-critical patches within 14 days when no exploits are known.
Implementation tips
- IT team should identify all online services in use by regularly reviewing the software inventory, ensuring all services are accounted for.
- System administrator should track non-critical patches by checking vendor notifications and update websites weekly.
- Security officer should ensure patches are applied by setting reminders for the IT team to install updates within two weeks of their release.
- IT team should automate the patching process using patch management tools, which can be configured to apply updates automatically according to the schedule.
- Business owner should conduct a monthly review to confirm with the IT team that non-critical patches are completed on time.
Audit / evidence tips
- Ask: How do you identify which online services need patching within two weeks?
- Good: The organisation maintains an up-to-date list of online services and receives notifications from vendors about patches, then applies them within two weeks when assessed as non-critical.
- Ask: How does the organisation ensure patches are applied within the required timeframe?
- Good: The organisation uses an automated patch management system that logs patch release and application dates, consistently showing compliance with the two-week requirement.
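The evidence described above (patch release and application dates checked against the two-week window, with critical or exploited vulnerabilities excluded because they fall under a different control) can be produced from a patch log with a short script. The following is an added example, not code from Control Stack or ASD; the service names, patch ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

WINDOW_DAYS = 14  # E8-PA-ML1.6: two weeks from the vendor's release date

@dataclass
class PatchRecord:
    service: str             # internet-facing service the patch belongs to
    patch_id: str
    released: date           # vendor release date
    applied: Optional[date]  # None = not applied yet
    critical: bool           # vendor assessed the vulnerability as critical
    exploit_known: bool      # a working exploit exists

def in_scope(rec: PatchRecord) -> bool:
    """ML1.6 covers only non-critical patches with no working exploit;
    critical or exploited vulnerabilities are handled by a separate control."""
    return not rec.critical and not rec.exploit_known

def assess(rec: PatchRecord, as_of: date) -> str:
    """Classify one record against the two-week window as of a given date."""
    if not in_scope(rec):
        return "out_of_scope"
    deadline = rec.released + timedelta(days=WINDOW_DAYS)
    if rec.applied is not None:
        return "compliant" if rec.applied <= deadline else "late"
    return "pending" if as_of <= deadline else "overdue"

def compliance_report(records: List[PatchRecord],
                      as_of: date) -> Tuple[Dict[str, int], List[str]]:
    """Evidence summary: count per status plus the patch ids that breach the window."""
    counts: Dict[str, int] = {}
    breaches: List[str] = []
    for rec in records:
        status = assess(rec, as_of)
        counts[status] = counts.get(status, 0) + 1
        if status in ("late", "overdue"):
            breaches.append(rec.patch_id)
    return counts, breaches

# Constructed sample patch log; service names and patch ids are hypothetical.
SAMPLE = [
    PatchRecord("webmail", "VEND-101", date(2026, 2, 1), date(2026, 2, 10), False, False),
    PatchRecord("portal", "VEND-102", date(2026, 2, 1), date(2026, 2, 20), False, False),
    PatchRecord("api-gw", "VEND-103", date(2026, 2, 12), None, False, False),
    PatchRecord("vpn", "VEND-104", date(2026, 1, 20), None, False, False),
    PatchRecord("vpn", "VEND-105", date(2026, 2, 15), None, True, False),
]
AS_OF = date(2026, 2, 22)  # date of the fortnightly review being evidenced

if __name__ == "__main__":
    print(compliance_report(SAMPLE, AS_OF))
```

Records marked "late" or "overdue" are the ones an auditor would ask about; "out_of_scope" records still need patching, just under the critical-patch timeframe rather than this control.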
Cross-framework mappings
How E8-PA-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes |
|---|---|
| Partially meets (1) | |
| Annex A 8.8 | E8-PA-ML1.6 requires non-critical vendor patches for online services to be applied within two weeks when no working exploits exist |
ASD ISM
| Control | Notes |
|---|---|
| Partially overlaps (3) | |
| ISM-1694 | ISM-1694 requires non-critical operating system security patches for internet-facing servers and internet-facing network devices to be ap... |
| ISM-1697 | ISM-1697 requires organisations to patch non-critical driver vulnerabilities within one month where no working exploits exist |
| ISM-1876 | ISM-1876 requires critical patches (or vendor mitigations) for vulnerabilities in online services to be applied within 48 hours when rate... |
| Supports (2) | |
| ISM-1143 | E8-PA-ML1.6 requires organisations to reliably apply non-critical patches for online services within two weeks under defined conditions |
| ISM-1698 | ISM-1698 requires daily vulnerability scanning of online services to identify missing patches or updates |
| Related (1) | |
| ISM-1690 | ISM-1690 requires that patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks w... |