Apply critical firmware patches within 48 hours
Ensure firmware vulnerabilities are fixed quickly, within 48 hours if critical.
Plain language
This control is about fixing critical security problems in the firmware of your equipment within 48 hours. If these updates aren't applied quickly, cybercriminals could exploit these weaknesses to access sensitive data or disrupt your business. Applying these patches promptly helps keep your systems secure.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Delaying critical firmware patches beyond 48 hours can leave devices exposed to known exploits, enabling compromise and disruption of services.
Operational notes
Track vendor firmware advisories and exploit intel; prioritise critical updates and apply within 48 hours, with testing and rollback plans for devices.
Implementation tips
- IT team should monitor firmware updates daily by subscribing to vendor security newsletters or alerts, ensuring they are aware of any newly released critical updates.
- System administrator needs to create a process to apply critical firmware updates within 48 hours by setting up automated alerts when critical patches are released and scheduling immediate maintenance windows.
- Security officer should prioritise the review and application of firmware patches by assessing the patch's criticality using trusted security advisories, ensuring a focus on those with working exploits.
- Office manager should ensure that all key IT staff are trained and aware of the importance of timely firmware patching by organising regular training sessions and drills.
- IT team should have a backup plan ready before applying new firmware updates by performing system backups to avoid data loss if there is an issue with the update.
Audit / evidence tips
- Ask: How does your organisation track and receive notifications about new critical firmware updates?
  Good: The organisation subscribes to multiple vendor alerts and cybersecurity bulletins for timely notifications.
- Ask: What is the process for applying critical firmware updates within 48 hours?
  Good: There is a documented procedure that includes steps for immediate application of updates upon release.
- Ask: How do you ensure that updates are applied correctly and promptly across all devices?
  Good: Logs show updates being applied within the required timeframe for all critical releases.
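The evidence an auditor asks for in the last point is a record that each firmware advisory was applied inside the window the control statement sets: 48 hours when the vendor rates the vulnerability critical or a working exploit exists. The script below is an added example, not part of this page or the Control Stack site: it parses a constructed patch-tracking log, picks the 48-hour window whenever either trigger holds, and reports each device as compliant, pending or overdue. The record format, field names, device and advisory names are assumptions made for the example; the 30-day routine window for non-critical, no-exploit cases is taken from the ISM-1904 "one month" mapping on this page.

```python
"""Firmware patch timeframe check for E8-PO-ML3.7.

Added example, not part of the original page. The pipe-separated record
format, field names and all sample records are constructed for illustration;
the 30-day routine window follows the ISM-1904 "one month" mapping.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# E8-PO-ML3.7: 48 hours when the vendor rates the vulnerability critical
# OR a working exploit exists. Otherwise the routine window applies.
CRITICAL_WINDOW = timedelta(hours=48)
ROUTINE_WINDOW = timedelta(days=30)   # assumption: "one month" taken as 30 days


@dataclass
class FirmwareAdvisory:
    device: str
    advisory_id: str
    released: datetime              # vendor release time of the patch/mitigation
    vendor_critical: bool
    exploit_public: bool            # a working exploit is known to exist
    applied: Optional[datetime]     # None = not yet applied


def parse_timestamp(text: str) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; an empty field means 'not applied'."""
    text = text.strip()
    if not text:
        return None
    # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_records(text: str) -> list[FirmwareAdvisory]:
    """Parse constructed 'device|advisory|released|critical|exploit|applied' lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, adv_id, released, critical, exploit, applied = line.split("|")
        records.append(FirmwareAdvisory(
            device=device,
            advisory_id=adv_id,
            released=parse_timestamp(released),
            vendor_critical=critical.strip().lower() == "yes",
            exploit_public=exploit.strip().lower() == "yes",
            applied=parse_timestamp(applied),
        ))
    return records


def required_window(adv: FirmwareAdvisory) -> timedelta:
    """The 48-hour clock applies if EITHER trigger in the control statement holds."""
    if adv.vendor_critical or adv.exploit_public:
        return CRITICAL_WINDOW
    return ROUTINE_WINDOW


def deadline(adv: FirmwareAdvisory) -> datetime:
    return adv.released + required_window(adv)


def assess(adv: FirmwareAdvisory, now: datetime) -> str:
    """'compliant' if applied on time, 'pending' if unpatched but still inside
    the window, 'overdue' if applied late or still unpatched past the deadline."""
    due = deadline(adv)
    if adv.applied is not None:
        return "compliant" if adv.applied <= due else "overdue"
    return "pending" if now <= due else "overdue"


def report(text: str, now: datetime) -> dict[str, str]:
    """Map each device to its status: the per-device evidence an auditor asks for."""
    return {adv.device: assess(adv, now) for adv in parse_records(text)}


# Constructed sample records (not real advisories or devices).
SAMPLE_LOG = """\
# device|advisory_id|released_utc|vendor_critical|exploit_public|applied_utc
fw-edge-01|VEND-ADV-0001|2026-03-10T09:00:00Z|yes|no|2026-03-11T15:30:00Z
fw-edge-02|VEND-ADV-0001|2026-03-10T09:00:00Z|yes|no|2026-03-13T10:00:00Z
sw-core-01|VEND-ADV-0002|2026-03-12T00:00:00Z|no|yes|
ap-floor3|VEND-ADV-0003|2026-03-01T00:00:00Z|no|no|2026-03-20T08:00:00Z
"""
NOW = datetime(2026, 3, 15, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for adv in parse_records(SAMPLE_LOG):
        print(f"{adv.device:<11} {adv.advisory_id:<14} window={required_window(adv)} "
              f"due={deadline(adv).isoformat()} -> {assess(adv, NOW)}")
```

Note that the second record is the case the control is written to catch: the same critical advisory applied to a second device of the same model, but 73 hours after release, so it is reported overdue even though it was eventually patched. The third record shows the other trigger, a vendor rating of non-critical that is overridden by a public working exploit.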
Cross-framework mappings
How E8-PO-ML3.7 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| ISM-1697 | ISM-1697 requires applying non-critical driver patches within one month when no working exploits exist | |
| ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner | |
| ISM-1876 | ISM-1876 requires critical patches or mitigations for vulnerabilities in online services within 48 hours when vendors rate them critical ... | |
| ISM-1904 | ISM-1904 requires applying firmware patches within one month when vulnerabilities are non-critical and no working exploits exist | |
| Supports (1) | | |
| ISM-1921 | ISM-1921 requires frequent assessment of compromise likelihood when working exploits exist for unmitigated vulnerabilities | |
| Depends on (2) | | |
| ISM-0298 | E8-PO-ML3.7 requires organisations to apply critical firmware patches within 48 hours when vendor criticality or working exploits indicat... | |
| ISM-1143 | E8-PO-ML3.7 requires organisations to apply critical firmware patches or mitigations within 48 hours when vendor criticality or working e... | |
| Related (1) | | |
| ISM-1903 | E8-PO-ML3.7 requires organisations to apply critical firmware patches (or vendor mitigations) within 48 hours when rated critical by the ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.