Timely Patching of Non-Critical Application Vulnerabilities
Apply patches for non-critical apps within a month to fix vulnerabilities.
Plain language
This control is about making sure that all the software you use, like accounting tools or any specialised apps, are regularly updated to patch up any security holes. Imagine leaving your house door unlocked; if your software isn't patched, it's like leaving a window open for cyber criminals to sneak in. Getting your software updated in a timely manner stops hacks before they even start.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within one month of release.
Why it matters
Delaying patches for non-critical applications beyond one month leaves known flaws exploitable and increases the chance of system compromise or data theft.
Operational notes
Maintain an inventory of non-critical apps, monitor vendor advisories, and schedule deployment so patches/mitigations are applied within one month of release.
Implementation tips
- The IT team should track all the applications that are not critical, like inventory management or scheduling software, by maintaining a detailed software inventory.
- A system administrator should regularly check for updates from the software vendors by visiting their official websites or setting up alerts for new releases.
- The IT team should schedule a routine, like the first Friday of every month, to apply the latest patches to non-critical applications that have been released in the past month.
- The security officer should create a calendar reminder or notification system that prompts the IT team to review and apply necessary patches monthly.
- The IT team should test patches on a non-critical environment first to ensure they don't disrupt operations, making adjustments as required.
Audit / evidence tips
-
AskHow do you ensure that all non-critical applications are updated within a month of patch release?
-
GoodA maintained schedule showing regular checks and updates within a month, with logs showing specific dates and applications patched
-
AskCan you show how you track available patches from vendors for non-critical applications?
-
GoodSubscriptions to vendor notifications or alerts, with an evidence log of when they were reviewed or acted upon
Cross-framework mappings
How E8-PA-ML2.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.8 | E8-PA-ML2.2 requires organisations to remediate vulnerabilities in certain non-critical applications by applying patches/mitigations with... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-0304 | ISM-0304 requires organisations to remove applications that are no longer supported by vendors (outside the listed key application catego... | |
| ISM-1163 | E8-PA-ML2.2 requires timely remediation by applying patches/mitigations for non-critical applications within one month of release | |
| ISM-1606 | E8-PA-ML2.2 requires patching of non-critical applications within one month of release | |
| handshake Supports (3) expand_less | ||
| ISM-1555 | ISM-1555 requires updating all operating systems and applications on mobile devices before overseas travel to reduce exposure to known vu... | |
| ISM-1643 | E8-PA-ML2.2 requires patches/mitigations for non-critical applications to be applied within one month | |
| ISM-1700 | E8-PA-ML2.2 requires organisations to apply vendor patches/mitigations for vulnerabilities in non-critical applications within one month | |
| extension Depends on (2) expand_less | ||
| ISM-0298 | E8-PA-ML2.2 requires patches, updates or other mitigations for vulnerabilities in non-critical applications to be applied within one mont... | |
| ISM-1143 | E8-PA-ML2.2 requires timely application of patches/mitigations for non-critical applications within one month | |
| link Related (1) expand_less | ||
| ISM-1693 | E8-PA-ML2.2 requires patches, updates or vendor mitigations for vulnerabilities in non-critical applications (excluding productivity suit... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.