Patch critical vulnerabilities in applications within 48 hours
Apply critical patches to important software within 48 hours of release.
Plain language
This control means you need to fix big security holes in your software quickly—within 48 hours of when a patch is released. If you don't, hackers could exploit these flaws to steal data or damage your systems. It's like getting a broken lock on your door fixed fast before someone breaks in.
Framework: ASD Essential Eight
Control effect: Preventative
E8 mitigation strategy: Patch applications
Classifications: N/A
Official last update: N/A
Control Stack last updated: 19 Mar 2026
E8 maturity levels: ML3
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Delays in patching critical flaws can lead to exploitation, data breaches, and financial loss, especially if exploits are in the wild.
Operational notes
Configure tools to deploy vendor-rated critical patches for browsers, email, PDF and security products, and verify install completion within 48 hours.
Implementation tips
- The IT team should monitor security updates daily by subscribing to vendor security bulletins, either via the vendor’s website or through a dedicated notification service, so they learn immediately when patches are released.
- System administrators need to implement an automated patch management system. This system should be configured to deploy critical patches within 48 hours of their release to ensure timely protection.
- Security officers should review and assess patching reports. They can do this by checking which patches have been applied and confirming that no critical vulnerabilities are left unpatched past the 48-hour window.
- IT support staff should set up reminders for patch cycles. These reminders could be calendar alerts, ensuring no critical patches are missed within their designated application timeframe.
- Business managers should allocate budget for patch management tools. Facilitating the procurement of these tools is essential for automated and timely patch applications.
Audit / evidence tips
- Ask: How do you track when new patches are released for your software?
- Good: An automated tool or subscription service is in place that alerts within hours when a vendor releases a patch.
- Ask: How do you ensure patches are applied within the 48-hour timeframe for critical vulnerabilities?
- Good: The patch management system’s logs show all critical patches are consistently applied within 48 hours of release.
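The second evidence question asks whether patch logs actually show the 48-hour window being met. The following is an added illustration (not part of this control page or the Control Stack product) of a check a security officer could run over patch-management records: it applies the control statement's scoping rule (nominated application categories, and either a vendor "critical" rating or a known working exploit), and treats an unapplied patch past its deadline as a breach rather than silently ignoring it. Record fields, category names and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Application categories nominated by the control statement (assumed labels).
IN_SCOPE = {"office", "browser", "browser_extension", "email", "pdf", "security"}
SLA = timedelta(hours=48)

@dataclass
class PatchRecord:
    product: str
    category: str
    vendor_severity: str           # vendor's own rating, e.g. "critical"
    exploit_available: bool        # a working exploit is known to exist
    released: datetime
    installed: Optional[datetime]  # None = not yet applied

def requires_48h(rec: PatchRecord) -> bool:
    """The 48-hour clock applies only to nominated categories AND
    (vendor-rated critical OR a working exploit exists)."""
    return rec.category in IN_SCOPE and (
        rec.vendor_severity.lower() == "critical" or rec.exploit_available)

def sla_status(rec: PatchRecord, now: datetime) -> str:
    """'n/a' (clock does not apply), 'met', 'breached', or
    'open' (not yet applied but still inside the window)."""
    if not requires_48h(rec):
        return "n/a"
    deadline = rec.released + SLA
    if rec.installed is not None:
        return "met" if rec.installed <= deadline else "breached"
    return "open" if now <= deadline else "breached"

def breaches(records, now):
    """Products whose patch missed (or has already missed) the window."""
    return [r.product for r in records if sla_status(r, now) == "breached"]

# Constructed sample records, not real vendor releases.
T0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    PatchRecord("Browser", "browser", "critical", False, T0, T0 + timedelta(hours=20)),
    PatchRecord("PDF reader", "pdf", "high", True, T0, T0 + timedelta(hours=60)),
    PatchRecord("Mail client", "email", "critical", False, T0, None),
    PatchRecord("Office suite", "office", "moderate", False, T0, None),
]

if __name__ == "__main__":
    now = T0 + timedelta(hours=72)
    for r in SAMPLE:
        print(f"{r.product:12} {sla_status(r, now)}")
```

Note that the PDF reader patch is in scope despite a non-critical vendor rating because a working exploit exists, which is exactly the second trigger in the control statement.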
Cross-framework mappings
How E8-PA-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | E8-PA-ML3.1 requires obtaining and applying vendor mitigations within 48 hours for critical or exploited vulnerabilities in nominated hig... |
| Supports | Annex A 5.7 | E8-PA-ML3.1 requires urgent patching within 48 hours when vendors rate vulnerabilities as critical or when working exploits exist for key... |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1366 | ISM-1366 requires security updates to be applied to mobile devices as soon as they become available |
| Partially overlaps | ISM-1467 | ISM-1467 requires organisations to use the latest releases of key user applications and security products to reduce exposure to known wea... |
| Partially overlaps | ISM-1691 | ISM-1691 mandates applying patches for key end-user software (e.g |
| Partially overlaps | ISM-1901 | E8-PA-ML3.1 requires applying mitigations within 48 hours for critical or exploited vulnerabilities in specific end-user application cate... |
| Supports | ISM-0298 | E8-PA-ML3.1 requires rapid deployment of patches/mitigations within 48 hours for critical or exploited vulnerabilities in high-risk end-u... |
| Supports | ISM-1143 | E8-PA-ML3.1 requires a 48-hour remediation outcome for critical or exploited vulnerabilities in a defined set of high-risk applications |
| Supports | ISM-1163 | E8-PA-ML3.1 requires organisations to rapidly remediate critical/exploited vulnerabilities in key applications within 48 hours of release |
| Supports | ISM-1693 | E8-PA-ML3.1 requires patches for critical or exploited vulnerabilities in a defined set of high-risk applications to be applied within 48... |
| Supports | ISM-1699 | E8-PA-ML3.1 requires organisations to deploy vendor mitigations within 48 hours for critical or exploited vulnerabilities in specified ap... |
| Supports | ISM-1921 | ISM-1921 requires organisations to frequently assess the likelihood of system compromise when working exploits exist for unmitigated vuln... |
| Related | ISM-1692 | E8-PA-ML3.1 requires patches, updates or vendor mitigations for critical or exploited vulnerabilities in office suites, browsers/extensio... |
| Related | ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.