E8-PO-ML3.5 ASD Essential Eight

Apply critical driver patches within 48 hours

Ensure critical security updates for drivers are applied within 48 hours to prevent exploitation.

Plain language

This control ensures that any critical updates or patches needed for drivers (software that helps your computer's hardware function properly) are applied quickly, within 48 hours. If you don't do this, your computer systems might be left open to attacks, as hackers can take advantage of these weaknesses to cause damage or steal information.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

PO

Classifications

N/A

Official last update

N/A

Control Stack last updated

18 May 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Why it matters

Delaying critical driver patches can allow kernel-level exploits, enabling privilege escalation, full system takeover and outages.

Operational notes

Track driver vendor advisories daily; if rated critical or exploited, prioritise testing and deploy patches across all endpoints within 48 hours.

Implementation tips

  • The IT team should monitor updates from driver vendors regularly to identify critical patches as soon as they're released. Set up alerts or subscribe to notifications from vendors to stay informed.
  • System administrators need to quickly apply any critical patches to drivers. Use automated tools or software management solutions to streamline this process and ensure timely updates.
  • A security officer should assess the importance of each driver update when it is released to confirm it is marked critical. This can involve checking security bulletins or vendor notifications for severity ratings.
  • The IT team should maintain a schedule for regular scanning of systems to ensure no critical patches are missed. Utilise a vulnerability scanner to automate these checks and ensure compliance with this control.

Audit / evidence tips

  • Ask: How does the organisation track the release of critical driver updates?
  • Good: Notifications are actively monitored and critical updates are applied within 48 hours
  • Ask: How does the team ensure critical patches are applied promptly to all systems?
  • Good: Evidence of patches installed within the required 48-hour timeframe is demonstrated in patch logs
Cross-framework mappings

How E8-PO-ML3.5 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8: E8-PO-ML3.5 requires a specific vulnerability treatment action: apply critical driver patches (or mitigations) within 48 hours when rated...
Supports (1)
Annex A 5.7: E8-PO-ML3.5 requires organisations to apply critical driver patches within 48 hours based on vendor criticality or known working exploits

ASD ISM

Control Notes Details
Partially overlaps (2)
ISM-0300: ISM-0300 requires that patches, updates or vendor mitigations for vulnerabilities in high assurance IT equipment are only applied when ap...
ISM-1697: ISM-1697 requires organisations to apply vendor mitigations for driver vulnerabilities within one month when they are assessed as non-cri...
Supports (2)
ISM-1163: E8-PO-ML3.5 requires applying critical driver patches within 48 hours when vendors rate them critical or exploits exist
ISM-1921: ISM-1921 requires organisations to frequently reassess compromise likelihood when working exploits exist for unmitigated vulnerabilities
Depends on (2)
ISM-0298: E8-PO-ML3.5 requires critical driver patches to be applied within 48 hours of release when rated critical or when exploits exist
ISM-1143: E8-PO-ML3.5 requires organisations to patch critical driver vulnerabilities within 48 hours under defined trigger conditions
Related (2)
ISM-1754: ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner
ISM-1879: E8-PO-ML3.5 requires organisations to apply vendor patches or mitigations for critical driver vulnerabilities within 48 hours (or when wo...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
