Timely application of non-critical patches for internet-facing OS vulnerabilities
Apply non-critical patches to internet-facing systems within two weeks if no exploits exist.
Plain language
This control means that if there are any weaknesses found in the operating systems of your internet-facing computers and devices, these need to be fixed within two weeks, unless those weaknesses are already being exploited by hackers. This matters because if such vulnerabilities are ignored, they could be used by cybercriminals to break into your network, potentially causing data breaches or interruptions to your business operations.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Ignoring non-critical patches for internet-facing OS or network devices can expose services to rapid weaponisation, enabling compromise and service disruption.
Operational notes
Track vendor advisories for internet-facing OS and network devices; where rated non-critical with no working exploit, deploy patches within 14 days and record exceptions.
Implementation tips
- The IT team should review patch release notes from vendors to identify if any non-critical vulnerabilities exist. They can do this by subscribing to notifications from operating system providers.
- The system administrator should schedule regular patching scans for internet-facing systems every fortnight. They can use an automated patch management tool to assist with this.
- The security officer should establish a protocol for assessing whether exploits for identified vulnerabilities exist. This could involve checking resources like the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog.
- Management should ensure the IT department has a clear policy outlining the timeline and steps for applying non-critical patches to internet-facing systems. Regular training sessions for IT staff can reinforce these policies.
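As an added example that is not part of this control page, the following Python script applies the rule from the operational notes and implementation tips above to a constructed set of advisory records: given the vendor severity rating, whether a working exploit is known (for example via the CISA Known Exploited Vulnerabilities Catalog) and the patch release date, it reports whether each internet-facing item is compliant, pending, late, overdue, covered by a recorded exception, or outside this control's scope. The `Advisory` record format, its field names and all sample identifiers and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# "within two weeks of release" (E8-PO-ML1.6)
PATCH_WINDOW = timedelta(days=14)

@dataclass
class Advisory:
    """One vendor advisory tracked against one asset (hypothetical record format)."""
    advisory_id: str                     # vendor advisory or CVE identifier (constructed values below)
    asset: str                           # server or network device the advisory affects
    internet_facing: bool
    vendor_critical: bool                # vendor's own severity rating
    working_exploit: bool                # e.g. listed in the CISA Known Exploited Vulnerabilities Catalog
    released: date                       # vendor release date of the patch or mitigation
    applied: Optional[date] = None       # date the patch was applied, None if still open
    exception_ref: Optional[str] = None  # ticket reference for a recorded exception

def assess_advisory(adv: Advisory, today: date) -> str:
    """Classify one advisory against the ML1 two-week rule for non-critical, unexploited vulnerabilities."""
    if not adv.internet_facing:
        return "out-of-scope"  # this control only covers internet-facing servers and network devices
    if adv.vendor_critical or adv.working_exploit:
        return "out-of-scope"  # critical or exploited: the faster companion control applies instead
    deadline = adv.released + PATCH_WINDOW
    if adv.applied is not None:
        return "compliant" if adv.applied <= deadline else "late"
    if today <= deadline:
        return "pending"
    return "excepted" if adv.exception_ref else "overdue"

def patch_status_report(advisories: List[Advisory], today: date) -> Dict[str, str]:
    """Map each advisory id to its status, the record an auditor would ask to see."""
    return {adv.advisory_id: assess_advisory(adv, today) for adv in advisories}

# Constructed sample data; identifiers, hostnames and dates are illustrative only.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "web-01", True, False, False, date(2026, 3, 1), applied=date(2026, 3, 10)),
    Advisory("ADV-0002", "vpn-gw-01", True, False, False, date(2026, 2, 20)),
    Advisory("ADV-0003", "mail-01", True, False, False, date(2026, 3, 12)),
    Advisory("ADV-0004", "web-02", True, False, True, date(2026, 3, 10)),
    Advisory("ADV-0005", "db-internal", False, False, False, date(2026, 2, 1)),
    Advisory("ADV-0006", "fw-edge", True, False, False, date(2026, 2, 1), applied=date(2026, 2, 20)),
    Advisory("ADV-0007", "legacy-ftp", True, False, False, date(2026, 2, 10), exception_ref="CHG-1234"),
]

if __name__ == "__main__":
    for advisory_id, status in patch_status_report(SAMPLE_ADVISORIES, date(2026, 3, 19)).items():
        print(f"{advisory_id}: {status}")
```

Items reported as out-of-scope are not exempt from patching; they fall under the separate critical/exploited control or are not internet-facing, and must be tracked there.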
Audit / evidence tips
- Ask: How often do you check for new patches released by vendors?
  Good: The organisation checks for updates at least weekly and has an automated process for discovering patches.
- Ask: How do you determine if a vulnerability is non-critical and if exploits exist?
  Good: The organisation uses a recognised vulnerability catalog and risk assessment process to verify threats.
- Ask: When was the last time patches were applied to vulnerabilities assessed as non-critical?
  Good: Patches for non-critical vulnerabilities were applied within two weeks of their release.
Cross-framework mappings
How E8-PO-ML1.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1606 | ISM-1606 requires timely remediation of vulnerabilities by applying patches/updates/mitigations to the isolation mechanism and the underl... |
| Partially overlaps | ISM-1690 | ISM-1690 requires non-critical vulnerability patches for online services to be applied within two weeks where no working exploits exist |
| Partially overlaps | ISM-1877 | E8-PO-ML1.6 requires applying non-critical OS patches to internet-facing servers and network devices within two weeks when no working exp... |
| Partially overlaps | ISM-1902 | E8-PO-ML1.6 requires non-critical OS patches for internet-facing servers and internet-facing network devices to be applied within two wee... |
| Depends on | ISM-1143 | E8-PO-ML1.6 requires a defined patching outcome for a specific scope: non-critical internet-facing OS vulnerabilities must be remediated ... |
| Related | ISM-1694 | E8-PO-ML1.6 requires applying non-critical patches (where no working exploits exist) to operating systems on internet-facing servers and ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.