E8-PA-ML3.1 ASD Essential Eight

Patch critical vulnerabilities in applications within 48 hours

Apply critical patches to important software within 48 hours of release.

🏛️ Framework

ASD Essential Eight

🧭 Control effect

Preventative

🛠️ E8 mitigation strategy

Patch applications

🔐 Classifications

N/A

🗓️ Official last update

N/A

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Source: ASD Essential Eight

Plain language

This control means you need to fix big security holes in your software quickly—within 48 hours of when a patch is released. If you don't, hackers could exploit these flaws to steal data or damage your systems. It's like getting a broken lock on your door fixed fast before someone breaks in.

Why it matters

Delays in patching critical flaws can lead to exploitation, data breaches, and financial loss, especially if exploits are in the wild.

Operational notes

Configure tools to deploy vendor-rated critical patches for browsers, email, PDF and security products, and verify install completion within 48 hours.

Implementation tips

  • The IT team should monitor security updates daily by subscribing to vendor security bulletins, either via the vendor’s website or through a dedicated notification service, so that they know as soon as patches are released.
  • System administrators need to implement an automated patch management system, configured to deploy critical patches within 48 hours of their release.
  • Security officers should review and assess patching reports, checking which patches have been applied and confirming that no critical vulnerabilities are left unpatched past the 48-hour window.
  • IT support staff should set up reminders for patch cycles. These could be calendar alerts, so that no critical patch misses its application timeframe.
  • Business managers should allocate budget for patch management tools. Procuring these tools is essential for automated and timely patch application.

Audit / evidence tips

  • Ask: How do you track when new patches are released for your software?

  • Good: An automated tool or subscription service is in place that alerts within hours when a vendor releases a patch

  • Ask: How do you ensure patches are applied within the 48-hour timeframe for critical vulnerabilities?

  • Good: The patch management system’s logs show all critical patches are consistently applied within 48 hours of release
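One way to test exported patch records against the control statement, as an added example that is not Control Stack's or ASD's own tooling. The record fields, category labels, hosts, patch IDs and timestamps are constructed assumptions; timestamps are normalised to UTC because vendor release times and local install logs usually carry different offsets.

```python
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)
# Application categories named in the control statement (labels are assumed).
IN_SCOPE = {"office suite", "web browser", "browser extension",
            "email client", "pdf software", "security product"}

def utc(ts):
    """Parse an ISO 8601 timestamp with a UTC offset and normalise to UTC."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def assess(rec, now):
    """Classify one patch record against the 48-hour requirement."""
    triggered = rec["category"] in IN_SCOPE and (
        rec["vendor_severity"] == "critical" or rec["working_exploit"])
    if not triggered:
        return "not_triggered"  # the 48-hour clock does not apply
    deadline = utc(rec["released"]) + SLA
    if rec["installed"] is None:
        return "overdue" if now > deadline else "pending"
    return "compliant" if utc(rec["installed"]) <= deadline else "breach"

def report(records, now):
    """Group (host, patch) pairs by status for an evidence summary."""
    out = {}
    for rec in records:
        out.setdefault(assess(rec, now), []).append((rec["host"], rec["patch"]))
    return out

def row(host, patch, category, severity, exploit, released, installed):
    return {"host": host, "patch": patch, "category": category,
            "vendor_severity": severity, "working_exploit": exploit,
            "released": released, "installed": installed}

# Constructed sample export: hosts, patch IDs and timestamps are made up.
RECORDS = [
    row("wks-01", "PATCH-A", "web browser", "critical", False,
        "2026-02-10T18:00:00-08:00", "2026-02-13T11:00:00+11:00"),
    row("wks-02", "PATCH-A", "web browser", "critical", False,
        "2026-02-10T18:00:00-08:00", "2026-02-13T14:30:00+11:00"),
    row("wks-03", "PATCH-B", "pdf software", "important", True,
        "2026-02-14T00:00:00+00:00", None),
    row("wks-04", "PATCH-C", "email client", "moderate", False,
        "2026-02-14T00:00:00+00:00", None),
    row("wks-05", "PATCH-D", "security product", "critical", False,
        "2026-02-15T00:00:00+00:00", None),
]
NOW = utc("2026-02-16T06:00:00+00:00")

print(report(RECORDS, NOW))
```

The wks-01 record installs 46 hours after release once both timestamps are in UTC; comparing the local clock values directly would misreport it as a 65-hour breach.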

Cross-framework mappings

How E8-PA-ML3.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control | Notes

Partially meets (1)
Annex A 8.8 | E8-PA-ML3.1 requires obtaining and applying vendor mitigations within 48 hours for critical or exploited vulnerabilities in nominated hig...

Supports (1)
Annex A 5.7 | E8-PA-ML3.1 requires urgent patching within 48 hours when vendors rate vulnerabilities as critical or when working exploits exist for key...

ASD ISM

Control | Notes

Partially overlaps (4)
ISM-1366 | ISM-1366 requires security updates to be applied to mobile devices as soon as they become available
ISM-1467 | ISM-1467 requires organisations to use the latest releases of key user applications and security products to reduce exposure to known wea...
ISM-1691 | ISM-1691 mandates applying patches for key end-user software (e.g
ISM-1901 | E8-PA-ML3.1 requires applying mitigations within 48 hours for critical or exploited vulnerabilities in specific end-user application cate...

Supports (5)
ISM-0298 | E8-PA-ML3.1 requires rapid deployment of patches/mitigations within 48 hours for critical or exploited vulnerabilities in high-risk end-u...
ISM-1143 | E8-PA-ML3.1 requires a 48-hour remediation outcome for critical or exploited vulnerabilities in a defined set of high-risk applications
ISM-1693 | E8-PA-ML3.1 requires patches for critical or exploited vulnerabilities in a defined set of high-risk applications to be applied within 48...
ISM-1699 | E8-PA-ML3.1 requires organisations to deploy vendor mitigations within 48 hours for critical or exploited vulnerabilities in specified ap...
ISM-1921 | ISM-1921 requires organisations to frequently assess the likelihood of system compromise when working exploits exist for unmitigated vuln...

Related (2)
ISM-1692 | E8-PA-ML3.1 requires patches, updates or vendor mitigations to be applied within 48 hours for critical or exploited vulnerabilities affec...
ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner
