E8-PO-ML3.4 (ASD Essential Eight)

Non-critical OS patches applied within one month if no exploits exist

Apply OS patches on internal devices within a month if they aren't critical and have no known exploits.


Plain language

This control is about making sure your computers and devices are kept up-to-date with the latest patches, but only for non-critical issues. If there are no known ways hackers can exploit these issues, you have up to a month to apply these updates. Not updating could mean leaving your systems more vulnerable to new threats.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

PO

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

Delaying non-critical OS patches beyond one month can let attackers chain low-severity flaws into compromise, disrupting workstations and internal services.


Operational notes

Monitor vendor OS advisories weekly; confirm severity is non-critical and that no working exploits exist, then schedule deployment to all scoped assets within 30 days.


Implementation tips

  • The IT team should keep a regular schedule for checking updates, using reminders or automated tools so that no update is missed within the monthly window.
  • System administrators need to review which updates have been released by software vendors, using vendor notifications or patch management tools to track them.
  • The security officer should ensure that the risk assessments for patches are accurate by working with vendors to understand the criticality of each update.
  • IT personnel should document the patching process by maintaining a log of patches applied, including date and time, to ensure transparency and accountability.

Audit / evidence tips

  • Ask: How does the organisation determine which updates are applied within the month for non-critical vulnerabilities?
  • Good: The logs should show all non-critical updates applied within one month of their release, along with evidence of why they were classified as non-critical.
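As an added illustration of the operational note and the audit tip above (example code written for this page, not Control Stack's or ASD's), the script below classifies constructed patch records against this control's three scope conditions (non-internet-facing asset, vendor rating not critical, no working exploit) and its one-month window, and records the reason an auditor would look for in the patch log. The record schema, host names, patch ids and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ONE_MONTH = timedelta(days=30)  # the control's "within one month" window


@dataclass(frozen=True)
class PatchRecord:
    """One line of patching evidence (constructed schema, not a vendor format)."""
    patch_id: str
    asset: str
    internet_facing: bool
    vendor_severity: str    # vendor's own rating, e.g. "low", "important", "critical"
    working_exploit: bool   # True if a working exploit is known at assessment time
    released: date
    applied: Optional[date]  # None means not yet applied


def classify(rec: PatchRecord, as_of: date) -> tuple[str, str]:
    """Return (bucket, reason): compliant / pending / breached / out_of_scope."""
    if rec.internet_facing:                      # control covers internal devices only
        return "out_of_scope", "internet-facing"
    if rec.vendor_severity.lower() == "critical":  # critical ratings fall under tighter timeframes
        return "out_of_scope", "critical severity"
    if rec.working_exploit:                      # a working exploit removes the one-month allowance
        return "out_of_scope", "working exploit exists"
    deadline = rec.released + ONE_MONTH
    if rec.applied is not None:
        status = "compliant" if rec.applied <= deadline else "breached"
        return status, f"applied {rec.applied}, deadline {deadline}"
    if as_of <= deadline:
        return "pending", f"{(deadline - as_of).days} days left"
    return "breached", f"unpatched, {(as_of - deadline).days} days past deadline"


def assess(records, as_of: date) -> dict:
    """Group records by bucket; values are (patch_id, reason) pairs for the audit log."""
    result = {"compliant": [], "pending": [], "breached": [], "out_of_scope": []}
    for rec in records:
        bucket, why = classify(rec, as_of)
        result[bucket].append((rec.patch_id, why))
    return result


SAMPLE = [  # constructed records; ids, hosts and dates are illustrative only
    PatchRecord("KB-0001", "ws-finance-07", False, "important", False, date(2026, 2, 3), date(2026, 2, 20)),
    PatchRecord("KB-0002", "srv-fileshare-01", False, "moderate", False, date(2026, 1, 15), date(2026, 3, 1)),
    PatchRecord("KB-0003", "sw-core-02", False, "low", False, date(2026, 3, 5), None),
    PatchRecord("KB-0004", "srv-intranet-03", False, "important", True, date(2026, 2, 10), None),
    PatchRecord("KB-0005", "srv-vpn-01", True, "moderate", False, date(2026, 2, 10), None),
    PatchRecord("KB-0006", "ws-hr-12", False, "critical", False, date(2026, 2, 10), None),
]
```

Running `assess(SAMPLE, date(2026, 3, 19))` yields one compliant, one pending, one breached record and three records that belong to other controls, each with the reason string that would accompany it in the evidence log.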

Cross-framework mappings

How E8-PO-ML3.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.8: E8-PO-ML3.4 requires a specific operational treatment of technical vulnerabilities: applying non-critical OS patches within one month for...

Supports (1)
  • Annex A 5.7: E8-PO-ML3.4 requires organisations to decide and act on non-critical OS patches within one month for internal systems when no working exp...

ASD ISM

Partially overlaps (5)
  • ISM-1694: E8-PO-ML3.4 requires applying non-critical OS patches within one month for non-internet-facing workstations, servers and network devices ...
  • ISM-1696: E8-PO-ML3.4 sets a one-month patching requirement for non-critical OS vulnerabilities on non-internet-facing workstations/servers/network...
  • ISM-1697: ISM-1697 requires applying non-critical patches for driver vulnerabilities within one month when no working exploits exist
  • ISM-1751: E8-PO-ML3.4 requires non-critical OS patching within one month for workstations, non-internet-facing servers and non-internet-facing netw...
  • ISM-1904: E8-PO-ML3.4 requires applying non-critical operating system patches within one month on internal workstations, non-internet-facing server...

Supports (2)
  • ISM-0298: E8-PO-ML3.4 requires that organisations achieve timely OS patching (within one month) for specific internal device classes when vulnerabi...
  • ISM-1702: ISM-1702 requires fortnightly scanning to identify missing operating system patches on workstations, non-internet-facing servers, and non...

Depends on (1)
  • ISM-1143: E8-PO-ML3.4 requires a defined operational outcome: non-critical, non-exploited OS vulnerabilities on internal devices are patched within...

Related (2)
  • ISM-1695: E8-PO-ML3.4 requires applying operating system patches on workstations, non-internet-facing servers and non-internet-facing network devic...
  • ISM-1902: E8-PO-ML3.4 requires patches, updates or vendor mitigations for non-critical OS vulnerabilities (with no working exploits) to be applied ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
