Apply patches for non-critical vulnerabilities within two weeks
Ensure software patches for non-critical flaws are installed within two weeks if no exploits exist.
Plain language
This control means you should make sure any updates to fix non-critical issues in your software are applied within two weeks, as long as there are no known threats exploiting these issues. It's important because it helps prevent potential vulnerabilities from being used by cyber attackers to access or damage your systems.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
If non-critical vendor-rated patches for browsers, email, PDF, office and security tools aren’t applied within two weeks, known flaws may be weaponised and enable compromise.
Operational notes
Track vendor advisories for browsers, email, PDF, office and security products; confirm issues are non-critical with no working exploits, then deploy updates within 14 days.
Implementation tips
- IT Team: Identify all software applications used in the organisation by maintaining an up-to-date inventory list of all installed applications. Confirm this list regularly.
- System Administrator: Monitor software vendors' announcements for newly released patches and updates. Check vendor websites or subscribe to their mailing lists to receive notifications.
- Security Officer: Set up a system to track which vulnerabilities are non-critical and ensure patches are applied within two weeks. Use a simple spreadsheet or a dedicated patch management tool for tracking.
- IT Team: Schedule regular updates to be installed automatically or manually within the specified timeframe. Use organisational policies to automate the update processes where possible.
Audit / evidence tips
- Ask: How does your organisation keep track of updates and patches released for software applications?
- Good: The organisation has a comprehensive list of applications with clear records showing patches applied within two weeks of release for non-critical vulnerabilities.
- Ask: What process is followed to determine the criticality of a vulnerability and the existence of exploits?
- Good: There are documented processes, aligned with vendor guidance, that assess vulnerability criticality and apply patches accordingly.
Cross-framework mappings
How E8-PA-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.8 | Partially meets | E8-PA-ML3.2 mandates a two-week patching timeframe for non-critical vulnerabilities in specific high-risk applications |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1754 | Partially meets | E8-PA-ML3.2 mandates timely patching of non-critical vulnerabilities in specified user applications within two weeks when no exploits exist |
| ISM-1366 | Partially overlaps | ISM-1366 requires security updates to be applied to mobile devices as soon as they become available |
| ISM-1467 | Partially overlaps | ISM-1467 requires organisations to use the latest releases of core user applications (office suites, browsers and extensions, email clien... |
| ISM-1691 | Partially overlaps | ISM-1691 requires patches, updates or vendor mitigations for vulnerabilities in office productivity suites, web browsers and extensions, ... |
| ISM-1692 | Partially overlaps | E8-PA-ML3.2 requires organisations to apply patches for non-critical vulnerabilities in common user applications and security products wi... |
| ISM-1693 | Partially overlaps | E8-PA-ML3.2 requires patching within two weeks for non-critical vulnerabilities (with no working exploits) in a specific set of user-faci... |
| ISM-1643 | Depends on | E8-PA-ML3.2 needs organisations to patch specified applications within two weeks for non-critical vulnerabilities |
| ISM-1901 | Related | E8-PA-ML3.2 requires patches for non-critical vulnerabilities in office suites, browsers, email clients, PDF software, and security produ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.