Non-critical OS patches applied within one month if no exploits exist
Apply OS patches on internal devices within a month if they aren't critical and have no known exploits.
🏛️ Framework
ASD Essential Eight
🧭 Control effect
Preventative
🛠️ E8 mitigation strategy
PO
🔐 Classifications
N/A
🗓️ Official last update
N/A
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
ML3
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Source: ASD Essential Eight
Plain language
This control covers operating system patches for workstations, non-internet-facing servers and non-internet-facing network devices, but only where the vendor rates the vulnerability as non-critical and no working exploit is known. Those patches must be applied within one month of the vendor releasing them. Critical vulnerabilities, and any vulnerability with a working exploit, fall under a much shorter timeframe and are not covered by this control. Leaving the fix unapplied keeps a known, fixable weakness on the device.
Why it matters
A non-critical rating is the vendor's assessment at release time, not a guarantee. Exploit status can change, and an attacker who already has a foothold on the internal network can chain several low-severity flaws in workstations and internal servers into a full compromise. A one-month ceiling bounds how long such known, fixable weaknesses remain on internal systems.
Operational notes
Monitor vendor OS advisories at least weekly. For each patch, record the vendor's severity rating and the exploit status at the time of assessment; if both conditions hold (non-critical, no working exploit), schedule deployment to every scoped asset within 30 days of the vendor's release date. The clock starts at vendor release, not at the date the advisory was noticed. Re-check exploit status during the window: if a working exploit appears before the patch is applied, the one-month window no longer applies and the stricter timeframe for exploited vulnerabilities takes over.
Implementation tips
- Keep a fixed schedule for checking vendor updates (calendar reminders or an automated patch management tool) so that no release is missed within the monthly window.
- Track releases through vendor notifications or the patch management tool rather than ad hoc checks, so that the release date of each patch is recorded; the window is measured from that date.
- Use the vendor's published severity rating when classifying a patch as non-critical. Record the rating, the source advisory and the exploit status at the time of the decision so the classification can be defended later.
- Log each patch applied, with asset, patch identifier, vendor release date and the date and time of application, so that compliance with the window can be demonstrated.
Audit / evidence tips
- Ask: How does the organisation determine which updates are applied within the month for non-critical vulnerabilities?
- Good: The logs show all non-critical updates applied within one month of their release, along with evidence of why each was classified as non-critical (the vendor rating and the exploit status at the time of assessment).
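The decision rule in the operational notes and the evidence expected by an assessor can be checked mechanically from a patch log. The following is an added example, not code from the page or from ASD: it assumes a simple patch-record format (asset, patch identifier, vendor severity, release date, applied date, date a working exploit became known, and a reference to the advisory used for the rating), operationalises "one month" as 30 days from vendor release, and treats critical, exploited or internet-facing items as outside this control rather than computing their stricter deadline. The sample records are constructed for illustration.

```python
"""Check patch log records against the one-month rule for non-critical OS patches
with no known working exploit on non-internet-facing assets (E8-PO-ML3.4).

Added example; record layout and the 30-day window are assumptions, not ASD guidance.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "one month" is operationalised as 30 calendar days from vendor release.
WINDOW_DAYS = 30


@dataclass
class PatchRecord:
    asset: str
    patch_id: str
    internet_facing: bool
    vendor_severity: str                 # vendor's own rating, e.g. "critical", "important"
    released: date                       # vendor release date: the clock starts here
    applied: Optional[date]              # None if not yet applied
    exploit_known_since: Optional[date] = None   # date a working exploit became known
    severity_evidence: str = ""          # reference to the advisory used for the rating


def in_scope(rec: PatchRecord, as_of: date) -> bool:
    """True if, on `as_of`, the record is governed by the one-month rule.

    Internet-facing assets, critical ratings and known working exploits all fall
    under a shorter timeframe and are reported as out of scope here.
    """
    if rec.internet_facing or rec.vendor_severity.lower() == "critical":
        return False
    if rec.exploit_known_since is not None and rec.exploit_known_since <= as_of:
        return False
    return True


def assess(rec: PatchRecord, as_of: date) -> dict:
    """Return the deadline, compliance status and evidence check for one record."""
    deadline = rec.released + timedelta(days=WINDOW_DAYS)
    # Scope is judged as at the date of application (or today if still open), so an
    # exploit published after a timely application does not retroactively fail it,
    # while an open item is escalated as soon as an exploit becomes known.
    scope_date = rec.applied if rec.applied is not None else as_of
    if not in_scope(rec, scope_date):
        status = "OUT_OF_SCOPE"
    elif rec.applied is None:
        status = "OPEN" if as_of <= deadline else "OVERDUE"
    else:
        status = "COMPLIANT" if rec.applied <= deadline else "LATE"
    return {
        "asset": rec.asset,
        "patch_id": rec.patch_id,
        "deadline": deadline,
        "status": status,
        # An assessor wants to see why the item was classed non-critical.
        "evidence_ok": bool(rec.severity_evidence),
    }


def summarise(records, as_of: date) -> dict:
    """Count records per status and list items lacking classification evidence."""
    counts: dict = {}
    missing_evidence = []
    for rec in records:
        r = assess(rec, as_of)
        counts[r["status"]] = counts.get(r["status"], 0) + 1
        if r["status"] != "OUT_OF_SCOPE" and not r["evidence_ok"]:
            missing_evidence.append(f'{r["asset"]}:{r["patch_id"]}')
    return {"counts": counts, "missing_evidence": missing_evidence}


# Constructed sample log (hypothetical assets and patch identifiers).
SAMPLE_RECORDS = [
    PatchRecord("ws-01", "KB-A", False, "important", date(2026, 1, 5), date(2026, 1, 28),
                severity_evidence="vendor advisory A"),
    PatchRecord("srv-db-02", "KB-B", False, "moderate", date(2026, 1, 5), date(2026, 2, 10),
                severity_evidence="vendor advisory B"),
    PatchRecord("ws-03", "KB-C", False, "important", date(2026, 1, 20), None,
                severity_evidence="vendor advisory C"),
    PatchRecord("ws-04", "KB-D", False, "important", date(2026, 1, 20), None,
                exploit_known_since=date(2026, 2, 1), severity_evidence="vendor advisory D"),
    PatchRecord("web-01", "KB-E", True, "important", date(2026, 1, 5), date(2026, 1, 28),
                severity_evidence="vendor advisory E"),
    PatchRecord("ws-05", "KB-F", False, "critical", date(2026, 1, 5), date(2026, 1, 6),
                severity_evidence="vendor advisory F"),
    PatchRecord("ws-06", "KB-G", False, "important", date(2026, 1, 10), date(2026, 1, 15)),
]

ASSESSMENT_DATE = date(2026, 2, 15)


def report(records=SAMPLE_RECORDS, as_of: date = ASSESSMENT_DATE) -> list:
    """Assess every record; used for a stand-alone run and by tests."""
    return [assess(r, as_of) for r in records]


if __name__ == "__main__":
    for r in report():
        print(f'{r["asset"]:10} {r["patch_id"]:6} due {r["deadline"]}  {r["status"]:13} '
              f'evidence={"yes" if r["evidence_ok"] else "MISSING"}')
    print(summarise(SAMPLE_RECORDS, ASSESSMENT_DATE))
```

Run it against an export of the real patch log in the same shape. Items reported OUT_OF_SCOPE are not exempt from patching; they belong to the 48-hour rule for critical or exploited vulnerabilities and should be checked there. Items flagged in `missing_evidence` are the ones an assessor will query, since an applied date alone does not show why the one-month window was the right one.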
Cross-framework mappings
How E8-PO-ML3.4 relates to controls in ISO/IEC 27001 and the ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| Annex A 8.8 | E8-PO-ML3.4 requires a specific operational treatment of technical vulnerabilities: applying non-critical OS patches within one month for... | |
| Supports (1) | ||
| Annex A 5.7 | E8-PO-ML3.4 requires organisations to decide and act on non-critical OS patches within one month for internal systems when no working exp... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (6) | ||
| ISM-1694 | E8-PO-ML3.4 requires applying non-critical OS patches within one month for non-internet-facing workstations, servers and network devices ... | |
| ISM-1695 | ISM-1695 requires patches, updates or other vendor mitigations for OS vulnerabilities on workstations, non-internet-facing servers and no... | |
| ISM-1696 | E8-PO-ML3.4 sets a one-month patching requirement for non-critical OS vulnerabilities on non-internet-facing workstations/servers/network... | |
| ISM-1697 | ISM-1697 requires applying non-critical patches for driver vulnerabilities within one month when no working exploits exist | |
| ISM-1751 | E8-PO-ML3.4 requires non-critical OS patching within one month for workstations, non-internet-facing servers and non-internet-facing netw... | |
| ISM-1904 | ISM-1904 requires applying non-critical firmware patches within one month where no working exploits exist | |
| Supports (2) | ||
| ISM-0298 | E8-PO-ML3.4 requires applying non-critical OS patches within one month for non-internet-facing workstations, servers and network devices ... | |
| ISM-1702 | ISM-1702 requires fortnightly scanning to identify missing operating system patches on workstations, non-internet-facing servers, and non... | |
| Depends on (1) | ||
| ISM-1143 | E8-PO-ML3.4 requires organisations to execute a defined patching cadence and decision rule for non-critical OS vulnerabilities on interna... | |
| Related (1) | ||
| ISM-1902 | E8-PO-ML3.4 requires non-critical operating system patches for workstations, non-internet-facing servers and non-internet-facing network ... | |