Apply critical patches to internet-facing OS within 48 hours
Apply critical updates to internet-facing systems within 48 hours to prevent exploitation.
Plain language
This control ensures that critical security updates are applied to your internet-connected systems within 48 hours. It's like fixing a broken lock on your front door quickly to prevent burglars from walking right in. Without these updates, your business could be open to cyber criminals exploiting known weaknesses.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Delaying critical patches on internet-facing OS/devices beyond 48 hours increases exposure to known exploits, enabling compromise, data theft and service disruption.
Operational notes
Track vendor advisories and exploit intel; prioritise internet-facing OS/network devices and use an emergency change process to deploy critical patches within 48 hours.
Implementation tips
- System administrators should track when critical updates are released by vendors to stay informed about necessary patches.
- IT teams need to configure their systems to check for updates daily and to apply them automatically whenever possible to meet the 48-hour timeframe.
- Security officers should monitor industry alert services, such as the Australian Cyber Security Centre, to identify whether working exploits for a vulnerability are in the wild and immediate action is needed.
- The IT director should ensure there is a clear process in place for responding to critical patches, including assigning responsibility and setting deadlines for application.
Audit / evidence tips
- Ask: How do you ensure you're aware of new critical patches released by vendors?
- Good: The organisation receives daily notices from software vendors detailing new critical vulnerabilities and patches.
- Ask: What is your process for applying critical patches within 48 hours?
- Good: The logs show that critical updates were applied within 48 hours consistently over the past six months.
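As an added example (not part of this control page), the following Python check evaluates patch records against the 48-hour window the implementation and evidence tips above describe: it counts only internet-facing assets, starts the clock when the vendor rates the vulnerability critical or a working exploit exists, and reports each in-scope record as met, breached, overdue or pending. All vulnerability ids, hostnames and timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta

SLA_HOURS = 48  # E8-PO-ML1.5 window for critical or actively exploited vulnerabilities

def in_scope(advisory, internet_facing):
    # The 48-hour clock applies only to internet-facing OS/network devices, and only
    # when the vendor rates the vulnerability critical OR a working exploit exists.
    return internet_facing and (advisory["vendor_critical"] or advisory["exploit_exists"])

def check_sla(advisories, assets, records, now):
    """Return {(vuln_id, asset): (status, hours_since_release)} for in-scope records.
    status: 'met' (applied within 48 h), 'breached' (applied late),
    'overdue' (unapplied, window expired) or 'pending' (unapplied, still inside window)."""
    results = {}
    for rec in records:
        adv = advisories[rec["vuln_id"]]
        if not in_scope(adv, assets[rec["asset"]]):
            continue  # out of scope for this control; other ISM timeframes cover such systems
        end = rec["applied"] or now
        hours = (end - adv["released"]).total_seconds() / 3600
        if rec["applied"] is None:
            status = "overdue" if hours > SLA_HOURS else "pending"
        else:
            status = "met" if hours <= SLA_HOURS else "breached"
        results[(rec["vuln_id"], rec["asset"])] = (status, round(hours, 1))
    return results

# Constructed sample data: placeholder vulnerability ids, hosts and times, not real advisories.
ADVISORIES = {
    "VULN-A": {"released": datetime(2026, 3, 10, 9, 0), "vendor_critical": True, "exploit_exists": False},
    "VULN-B": {"released": datetime(2026, 3, 12, 9, 0), "vendor_critical": False, "exploit_exists": True},
    "VULN-C": {"released": datetime(2026, 3, 12, 9, 0), "vendor_critical": False, "exploit_exists": False},
}
ASSETS = {"edge-fw-1": True, "web-1": True, "db-1": False}  # value: is the asset internet-facing?
RECORDS = [
    {"vuln_id": "VULN-A", "asset": "web-1", "applied": datetime(2026, 3, 11, 15, 0)},      # 30 h: met
    {"vuln_id": "VULN-A", "asset": "edge-fw-1", "applied": datetime(2026, 3, 13, 10, 0)},  # 73 h: breached
    {"vuln_id": "VULN-B", "asset": "web-1", "applied": None},  # working exploit exists, still unapplied
    {"vuln_id": "VULN-C", "asset": "web-1", "applied": None},  # neither critical nor exploited: out of scope
    {"vuln_id": "VULN-A", "asset": "db-1", "applied": None},   # not internet-facing: out of scope
]

def run_sample():
    """Evaluate the constructed records as at a fixed audit time (2026-03-15 09:00)."""
    return check_sla(ADVISORIES, ASSETS, RECORDS, now=datetime(2026, 3, 15, 9, 0))

if __name__ == "__main__":
    for (vuln, asset), (status, hours) in run_sample().items():
        print(f"{vuln} on {asset}: {status} ({hours} h after release)")
```

Run over a real patch-management export, the same check produces the six-month evidence the second "Good" item asks for; anything reported as breached or overdue is what an assessor will ask about.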
Cross-framework mappings
How E8-PO-ML1.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | E8-PO-ML1.5 requires organisations to apply critical patches within 48 hours for operating systems on internet-facing servers and interne... | |
| Supports (1) | | |
| Annex A 8.21 | Annex A 8.21 requires organisations to implement and monitor security mechanisms for network services so they remain secure and reliable | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (8) | | |
| ISM-1407 | ISM-1407 requires organisations to stay on the latest or previous OS release to reduce exposure to known vulnerabilities and maintain ven... | |
| ISM-1606 | ISM-1606 requires patches, updates or vendor mitigations to be applied in a timely manner to software-based isolation mechanisms (e.g | |
| ISM-1694 | ISM-1694 requires applying vendor mitigations for non-critical vulnerabilities in operating systems on internet-facing servers and networ... | |
| ISM-1696 | ISM-1696 requires applying critical OS patches within 48 hours for workstations, non-internet-facing servers and non-internet-facing netw... | |
| ISM-1876 | E8-PO-ML1.5 requires critical vendor patches or mitigations to be applied within 48 hours for operating systems on internet-facing server... | |
| ISM-1878 | ISM-1878 requires critical OS patches for IT equipment (other than workstations, servers and network devices) to be applied within 48 hou... | |
| ISM-1879 | E8-PO-ML1.5 requires critical vendor patches or mitigations to be applied within 48 hours for operating systems on internet-facing server... | |
| ISM-1902 | ISM-1902 requires organisations to apply non-critical operating system patches to non-internet-facing systems within one month when no wo... | |
| Supports (5) | | |
| ISM-1163 | E8-PO-ML1.5 requires critical patches or vendor mitigations to be applied within 48 hours for internet-facing operating systems on server... | |
| ISM-1643 | ISM-1643 requires maintaining detailed records of operating system versions and patch histories in software registers | |
| ISM-1701 | ISM-1701 requires daily vulnerability scanning of internet-facing servers and network devices to identify missing OS patches or updates | |
| ISM-1753 | ISM-1753 requires replacement of internet-facing network devices that are no longer supported by vendors | |
| ISM-1921 | ISM-1921 requires organisations to frequently reassess the likelihood of compromise when working exploits exist for unmitigated vulnerabi... | |
| Depends on (2) | | |
| ISM-0298 | E8-PO-ML1.5 requires organisations to apply critical patches to internet-facing operating systems on servers and network devices within 4... | |
| ISM-1143 | E8-PO-ML1.5 requires critical vendor patches or mitigations to be applied within 48 hours to internet-facing operating systems on servers... | |
| Related (1) | | |
| ISM-1877 | ISM-1877 requires critical vendor patches/updates/mitigations for operating systems of internet-facing servers and internet-facing networ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.