Apply non-critical driver patches within one month
Ensure drivers are updated within a month if the vulnerabilities are non-critical and no exploits exist.
Plain language
This control is about keeping your computer drivers updated with patches that fix known vulnerabilities, even when those vulnerabilities are not critical. Doing so prevents security weaknesses that cybercriminals could exploit over time. It's like fixing small leaks in your house before they become bigger problems.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Failing to patch non-critical driver vulnerabilities within one month can enable later exploitation if a vulnerability gains a working exploit.
Operational notes
Track non-critical driver patches and schedule deployment within one month to prevent backlog and drift.
Implementation tips
- The IT team should regularly review vendor announcements. This can be done by subscribing to security bulletins on the manufacturer's website to stay informed about new non-critical driver patches.
- System administrators should schedule monthly updates. They can use automated patch management tools to ensure drivers are updated within one month of a patch release.
- The security officer should assess non-critical vulnerabilities. This involves evaluating vendor-provided information and ensuring there are no active exploits before classifying patches as non-critical.
- IT support staff should configure alerts in the system management tool. This helps them monitor for available patches and apply them promptly within the specified time frame.
Audit / evidence tips
- Ask: How often does the organisation check for driver updates?
  Good: Reviews occur at least monthly, with documented evidence of checks.
- Ask: How are drivers updated?
  Good: The system is configured to automatically apply non-critical patches within one month.
- Ask: What criteria are used to assess the criticality of driver vulnerabilities?
  Good: Clear guidelines exist that align with vendor classifications and threat assessments.
Cross-framework mappings
How E8-PO-ML3.6 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | E8-PO-ML3.6 requires organisations to apply non-critical driver patches within one month when no working exploits exist | |
| Supports (1) | | |
| Annex A 5.7 | E8-PO-ML3.6 requires organisations to patch non-critical driver vulnerabilities within one month when no working exploits exist | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-1904 | ISM-1904 requires vendor firmware patches/updates/mitigations to be applied within one month when vulnerabilities are non-critical and th... | |
| Depends on (2) | | |
| ISM-0298 | E8-PO-ML3.6 requires organisations to apply vendor mitigations for non-critical driver vulnerabilities within one month where no working ... | |
| ISM-1143 | E8-PO-ML3.6 requires organisations to deploy non-critical driver patches within one month when no working exploits exist | |
| Related (1) | | |
| ISM-1697 | ISM-1697 requires organisations to apply patches, updates or other vendor mitigations for non-critical driver vulnerabilities within one ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.