E8-PO-ML3.3 ASD Essential Eight

Apply critical patches to non-internet-facing OS within 48 hours

Quickly install critical updates on internal systems to fix security vulnerabilities.


Plain language

This control is about making sure we quickly update the computer systems inside our organisation that aren't directly connected to the internet. This is crucial because if there's a known weakness, hackers could use it to break into our system. By fixing these vulnerabilities quickly, we prevent bad actors from exploiting them and causing harm.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

PO

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Why it matters

Delaying patches on non-internet-facing operating systems can leave known critical flaws exploitable, enabling lateral movement and internal data compromise.


Operational notes

Track vendor advisories and prioritise critical/actively exploited OS fixes; deploy to non-internet-facing servers, workstations and devices within 48 hours.


Implementation tips

  • The IT team should systematically monitor for new critical updates. Use a reliable update monitoring service that alerts your team to critical patches within hours of their release.
  • System administrators should prioritise the installation of critical patches. Use an automated patch management tool to apply these updates within the 48-hour window.
  • Security officers should cross-verify critical updates that need to be applied. They can refer to trusted security bulletins such as the Microsoft Security Response Center to verify the criticality of updates.
  • Technical staff should routinely assess and adjust the update process. Conduct regular training sessions to ensure the team follows the correct procedures for fast and efficient patch installations.

Audit / evidence tips

  • Ask: How does the organisation ensure critical patches are applied within 48 hours?
  • Good: Logs show critical patches were consistently applied within 48 hours of their release over the past six months.
  • Ask: What process is in place for recognising critical updates?
  • Good: The process document clearly defines how updates are classified as critical using vendor assessments and trusted security advisories.

Cross-framework mappings

How E8-PO-ML3.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control  Notes
Partially meets (1)
Annex A 8.8  E8-PO-ML3.3 requires organisations to apply critical operating system patches to non-internet-facing workstations, servers and network de...

ASD ISM

Control  Notes
Partially overlaps (7)
ISM-1366  ISM-1366 requires organisations to apply security updates to mobile devices as soon as updates become available
ISM-1606  ISM-1606 requires patches/updates/vendor mitigations to be applied in a timely manner to both the software isolation mechanism and the un...
ISM-1695  ISM-1695 mandates applying OS security patches for non-internet-facing workstations, servers and network devices within one month of release
ISM-1876  ISM-1876 requires applying critical patches for vulnerabilities in online services within 48 hours based on vendor criticality or the pre...
ISM-1877  ISM-1877 requires critical patching within 48 hours for operating systems on internet-facing servers and internet-facing network devices ...
ISM-1878  ISM-1878 mandates applying critical OS patches within 48 hours for IT equipment other than workstations, servers and network devices, bas...
ISM-1902  ISM-1902 requires organisations to apply non-critical operating system patches to non-internet-facing systems within one month when no wo...
Supports (7)
ISM-1605  ISM-1605 requires the host operating system underpinning software-based isolation on shared servers to be hardened to reduce the likeliho...
ISM-1643  ISM-1643 requires software registers to record operating system versions and patch histories
ISM-1702  ISM-1702 requires organisations to run a vulnerability scanner fortnightly to identify missing operating system patches on non-internet-f...
ISM-1800  ISM-1800 requires network devices to begin operation with trusted firmware to avoid running compromised or tampered code
ISM-1900  ISM-1900 requires fortnightly vulnerability scanning to identify missing firmware patches or updates
ISM-1921  ISM-1921 requires organisations to frequently reassess compromise likelihood when working exploits exist for unmitigated vulnerabilities
ISM-1981  ISM-1981 requires replacement of non-internet-facing network devices that are no longer supported, reducing the number of devices that ca...
Depends on (2)
ISM-0298  E8-PO-ML3.3 requires critical OS patches on workstations, non-internet-facing servers and non-internet-facing network devices to be appli...
ISM-1143  E8-PO-ML3.3 mandates a time-bound outcome: critical OS vulnerabilities on internal systems are remediated via patches/updates/mitigations...
Related (1)
ISM-1696  ISM-1696 requires critical patches, updates or vendor mitigations for operating systems on workstations, non-internet-facing servers and ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
