Apply critical patches to non-internet-facing OS within 48 hours
Quickly install critical updates on internal systems to fix security vulnerabilities.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
PO
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML3
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Source: ASD Essential Eight
Plain language
This control is about making sure the organisation quickly patches the operating systems of computers that are not directly reachable from the internet: staff workstations, internal servers and internal network devices. "Not internet-facing" does not mean safe: an attacker who has already got a foothold inside the network (for example through a phished user or one compromised host) will look for known, unpatched weaknesses on the systems next to it. Fixing critical flaws within 48 hours of the vendor releasing a fix closes that window before it can be used.
Why it matters
Delaying patches on non-internet-facing operating systems leaves known critical flaws exploitable by any attacker who is already inside the network. Those flaws become the path for lateral movement between internal hosts, privilege escalation and compromise of internal data, even though the initial intrusion came in elsewhere.
Operational notes
Track vendor advisories and exploit intelligence, and prioritise OS fixes for vulnerabilities that the vendor rates as critical or for which a working exploit exists (either condition starts the clock). Deploy to workstations, non-internet-facing servers and non-internet-facing network devices within 48 hours of the vendor's release, not within 48 hours of the organisation noticing the advisory.
Implementation tips
- The IT team should systematically monitor for new critical updates. Subscribe to vendor security advisories and a vulnerability-intelligence feed that alerts the team within hours of release, and make sure the feed also flags vulnerabilities for which a working exploit has appeared, since that triggers the 48-hour window even when the vendor's own rating is lower than critical.
- System administrators should prioritise the installation of critical patches. Use an automated patch management tool that can push an out-of-band deployment, and agree a pre-approved emergency change path in advance: a 48-hour window measured from vendor release leaves no room to wait for the next scheduled maintenance window or change board.
- Security officers should cross-verify which updates need the 48-hour treatment. Refer to trusted sources such as the vendor's own advisory (for example the Microsoft Security Response Center, MSRC) to confirm the vendor's criticality rating, and check whether a working exploit is publicly known.
- Technical staff should routinely assess and adjust the update process. Measure the time from vendor release to completed deployment for each critical patch, review any breaches of the window, and conduct regular training sessions so the team follows the correct procedures for fast and reliable patch installation.
Audit / evidence tips
- Ask: How does the organisation ensure critical patches are applied within 48 hours?
- Good: Logs show critical patches were consistently applied within 48 hours of their release over the past six months
- Ask: What process is in place for recognising critical updates?
- Good: The process document clearly defines how updates are classified as critical using vendor assessments and trusted security advisories
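The implementation tips and the audit questions above both come down to one measurable thing: for every patch that is in scope of this control and that counts as critical, how many hours passed between the vendor's release and its application on each host. The following script is an added example written for this page (it is not Control Stack or ASD code) that turns a patch-deployment record into exactly that evidence. The record format, the field names, the hostnames and the timestamps are all constructed for illustration; a real deployment would populate `PatchRecord` from the patch management tool and the asset register. It applies the control's own scope and criticality rules: workstations are always in scope, servers and network devices only when not internet-facing, and a patch is "critical" when the vendor rates it critical or a working exploit exists.

```python
"""Added example: check patch-deployment records against the E8 ML3 48-hour
window for critical OS patches on workstations, non-internet-facing servers
and non-internet-facing network devices. All data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

WINDOW = timedelta(hours=48)  # the control's window, measured from vendor release


@dataclass(frozen=True)
class PatchRecord:
    host: str
    asset_class: str             # "workstation", "server", "network_device" or "other"
    internet_facing: bool
    vendor_severity: str         # the vendor's own rating of the vulnerability
    working_exploit: bool        # True if a working exploit is publicly known
    released: datetime           # when the vendor released the patch/mitigation (UTC)
    applied: Optional[datetime]  # when this host was patched, None if still missing


def in_scope(rec: PatchRecord) -> bool:
    """Scope of this control: workstations, plus servers and network devices
    that are not internet-facing (internet-facing ones fall under ISM-1877)."""
    if rec.asset_class == "workstation":
        return True
    return rec.asset_class in ("server", "network_device") and not rec.internet_facing


def is_critical(rec: PatchRecord) -> bool:
    """Either condition starts the 48-hour clock: vendor says critical,
    or a working exploit exists regardless of the vendor rating."""
    return rec.vendor_severity.lower() == "critical" or rec.working_exploit


def assess(records: List[PatchRecord], now: datetime) -> List[Tuple[str, str, float]]:
    """Return (host, status, hours) for every in-scope critical patch.
    status is "ok" or "late" (hours = release-to-applied) or "missing"
    (hours = how far past the deadline the host is as of `now`).
    Out-of-scope and non-critical records produce no finding."""
    findings = []
    for rec in records:
        if not (in_scope(rec) and is_critical(rec)):
            continue
        deadline = rec.released + WINDOW
        if rec.applied is None:
            if now > deadline:
                overdue = (now - deadline).total_seconds() / 3600
                findings.append((rec.host, "missing", round(overdue, 1)))
            continue  # not yet due: nothing to report
        hours = (rec.applied - rec.released).total_seconds() / 3600
        status = "ok" if rec.applied <= deadline else "late"
        findings.append((rec.host, status, round(hours, 1)))
    return findings


def _t(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample records: hostnames, ratings and times are illustrative only.
REL = _t("2026-02-10T09:00")  # a single vendor release for all rows
SAMPLE = [
    PatchRecord("ws-014", "workstation", False, "critical", False, REL, _t("2026-02-11T15:30")),
    PatchRecord("fs-02", "server", False, "important", True, REL, _t("2026-02-13T10:00")),
    PatchRecord("sw-core-1", "network_device", False, "critical", False, REL, None),
    PatchRecord("web-01", "server", True, "critical", True, REL, None),
    PatchRecord("db-03", "server", False, "important", False, REL, _t("2026-03-01T00:00")),
]


def report(now: datetime = _t("2026-02-14T09:00")) -> List[Tuple[str, str, float]]:
    """Evidence for the audit question: which in-scope critical patches
    met the 48-hour window, which were late, and which are still missing."""
    return assess(SAMPLE, now)


if __name__ == "__main__":
    for host, status, hours in report():
        print(f"{host:<10} {status:<8} {hours:6.1f} h")
```

Two rows are deliberately outside the finding list: `web-01` is internet-facing, so it belongs to the internet-facing control rather than this one, and `db-03` is rated "important" with no known exploit, so the one-month window applies instead. `fs-02` is the case practitioners most often miss: the vendor rated it below critical, but a working exploit exists, so the 48-hour clock still applies and the host is reported late. Note that hours are always counted from the vendor's release, which is the evidence an assessor will expect.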
Cross-framework mappings
How E8-PO-ML3.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ASD ISM
Partially overlaps (7)

| Control | Notes |
|---|---|
| ISM-1366 | ISM-1366 requires organisations to apply security updates to mobile devices as soon as updates become available |
| ISM-1606 | ISM-1606 requires patches/updates/vendor mitigations to be applied in a timely manner to both the software isolation mechanism and the un... |
| ISM-1695 | ISM-1695 mandates applying OS security patches for non-internet-facing workstations, servers and network devices within one month of release |
| ISM-1876 | ISM-1876 requires applying critical patches for vulnerabilities in online services within 48 hours based on vendor criticality or the pre... |
| ISM-1877 | ISM-1877 requires critical patching within 48 hours for operating systems on internet-facing servers and internet-facing network devices ... |
| ISM-1878 | ISM-1878 mandates applying critical OS patches within 48 hours for IT equipment other than workstations, servers and network devices, bas... |
| ISM-1902 | ISM-1902 requires organisations to apply non-critical operating system patches to non-internet-facing systems within one month when no wo... |

Supports (7)

| Control | Notes |
|---|---|
| ISM-1605 | ISM-1605 requires the host operating system underpinning software-based isolation on shared servers to be hardened to reduce the likeliho... |
| ISM-1643 | ISM-1643 requires software registers to record operating system versions and patch histories |
| ISM-1702 | ISM-1702 requires organisations to run a vulnerability scanner fortnightly to identify missing operating system patches on non-internet-f... |
| ISM-1800 | ISM-1800 requires network devices to begin operation with trusted firmware to avoid running compromised or tampered code |
| ISM-1900 | ISM-1900 requires fortnightly vulnerability scanning to identify missing firmware patches or updates |
| ISM-1921 | ISM-1921 requires organisations to frequently reassess compromise likelihood when working exploits exist for unmitigated vulnerabilities |
| ISM-1981 | ISM-1981 requires replacement of non-internet-facing network devices that are no longer supported, reducing the number of devices that ca... |

Related (2)

| Control | Notes |
|---|---|
| ISM-0298 | ISM-0298 requires a centralised, managed patch/update approach that preserves patch integrity and verifies successful application across ... |
| ISM-1696 | ISM-1696 requires critical patches, updates or vendor mitigations for operating systems on workstations, non-internet-facing servers and ... |