E8-PO-ML3.8 (ASD Essential Eight)

Firmware vulnerabilities patched within one month if non-critical and no exploits

Apply patches for non-critical firmware vulnerabilities within a month if no exploits exist.


Plain language

This control is about making sure that any weaknesses found in your computer's core software, known as firmware, are fixed within a month if they aren't urgent and no one has figured out how to exploit them yet. If you don't patch these weaknesses, hackers might find a way to attack your systems down the line, putting your business at risk.

Framework

ASD Essential Eight

Control effect

Preventative

E8 mitigation strategy

PO

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

If non-critical firmware fixes are delayed beyond one month, new exploits may emerge, leaving devices exposed and risking outages or integrity compromise.


Operational notes

Track firmware vendor advisories and exploit status; for non-critical issues with no working exploit, schedule and apply patches/mitigations within 30 days.


Implementation tips

  • IT team should review firmware updates monthly. Do this by checking the manufacturer's website or firmware update tools for announcements.
  • IT team should assess the criticality of each firmware vulnerability. Use vendor guidance to determine if a vulnerability is considered non-critical.
  • System administrator should apply available firmware patches. Follow the vendor's instructions to ensure the update is applied correctly and documented.
  • Security officer should maintain a schedule for regular firmware updates. Set reminders each month to check for and apply any pending updates.
  • IT team should monitor for news of exploits related to firmware. Use security bulletins from trusted sources to stay informed about any new threats.
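The tips above describe one procedure: track vendor advisories, record the vendor's severity rating and the exploit status, and for non-critical issues with no working exploit apply the fix within the one-month window. The following is an added example (not code from Control Stack or ASD) of a small tracker that applies that decision rule to an advisory register and reports what is open, overdue, or outside this control's scope. It assumes the one-month window is tracked as 30 days, as the operational note phrases it, and the advisory identifiers and dates are constructed sample values.

```python
"""Deadline tracker for the E8-PO-ML3.8 patch window (added example, hypothetical)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# The control's window is "one month"; tracked here as 30 days (assumption,
# matching the "within 30 days" wording in the operational notes).
PATCH_WINDOW = timedelta(days=30)


@dataclass
class FirmwareAdvisory:
    asset: str                  # device the firmware runs on
    advisory_id: str            # vendor advisory reference (constructed values below)
    released: date              # date the vendor published the patch or mitigation
    vendor_critical: bool       # vendor's severity assessment
    exploit_known: bool         # whether a working exploit is known
    patched_on: Optional[date] = None   # date the fix was applied, if it has been


def in_scope(adv: FirmwareAdvisory) -> bool:
    """E8-PO-ML3.8 covers only non-critical vulnerabilities with no working exploit."""
    return not adv.vendor_critical and not adv.exploit_known


def deadline(adv: FirmwareAdvisory) -> date:
    """Latest date by which the fix must be applied under this control."""
    return adv.released + PATCH_WINDOW


def status(adv: FirmwareAdvisory, today: date) -> str:
    """Classify one advisory relative to the one-month window."""
    if not in_scope(adv):
        # Critical, or exploited in the wild: a different (shorter) window applies,
        # so hand it to that process rather than tracking it here.
        return "escalate"
    due = deadline(adv)
    if adv.patched_on is not None:
        return "patched-in-time" if adv.patched_on <= due else "patched-late"
    return "overdue" if today > due else "open"


def report(advisories: List[FirmwareAdvisory], today: date) -> Dict[str, str]:
    """Map each advisory id to its status as of `today`."""
    return {adv.advisory_id: status(adv, today) for adv in advisories}


def overdue_assets(advisories: List[FirmwareAdvisory], today: date) -> List[str]:
    """Assets that have breached the window and still have no fix applied."""
    return sorted(adv.asset for adv in advisories if status(adv, today) == "overdue")


# Constructed sample register; advisory ids and dates are placeholders.
SAMPLE: List[FirmwareAdvisory] = [
    FirmwareAdvisory("switch-01", "FW-EX-001", date(2026, 1, 5), False, False, date(2026, 1, 20)),
    FirmwareAdvisory("switch-02", "FW-EX-002", date(2026, 1, 5), False, False, date(2026, 2, 10)),
    FirmwareAdvisory("laptop-17", "FW-EX-003", date(2026, 2, 20), False, False),
    FirmwareAdvisory("nas-03", "FW-EX-004", date(2026, 2, 1), False, False),
    FirmwareAdvisory("router-01", "FW-EX-005", date(2026, 3, 1), False, True),
]

if __name__ == "__main__":
    as_of = date(2026, 3, 19)
    for advisory_id, state in report(SAMPLE, as_of).items():
        print(f"{advisory_id}: {state}")
    print("overdue assets:", overdue_assets(SAMPLE, as_of))
```

The register doubles as audit evidence: the per-advisory status answers the "how do you determine if a firmware vulnerability is non-critical" question (the vendor rating and exploit flag are recorded with the advisory), and the overdue list is what a monthly review should drive to zero.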

Audit / evidence tips

  • Ask: What is your process for checking and applying firmware updates?
  • Good: The organisation should present a detailed update schedule showing monthly checks, assessments, and application of non-critical firmware patches.
  • Ask: How do you determine if a firmware vulnerability is non-critical?
  • Good: The organisation should have a documented process that aligns with vendor severity ratings and exploit status checks.

Cross-framework mappings

How E8-PO-ML3.8 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.8: E8-PO-ML3.8 requires a specific action: apply vendor mitigations for non-critical firmware vulnerabilities within one month when no worki...

ASD ISM

Partially overlaps (3)
  • ISM-0300: ISM-0300 requires that vulnerabilities in high assurance IT equipment are remediated via patches/updates/mitigations only when approved b...
  • ISM-1697: ISM-1697 requires organisations to apply non-critical patches for driver vulnerabilities within one month when no working exploits exist.
  • ISM-1903: E8-PO-ML3.8 requires organisations to apply vendor mitigations for non-critical firmware vulnerabilities within one month when there are ...

Supports (4)
  • ISM-0298: E8-PO-ML3.8 requires applying firmware vulnerability patches/mitigations within one month under specified conditions (non-critical and no...
  • ISM-1143: E8-PO-ML3.8 requires organisations to apply non-critical firmware vulnerability patches within one month when no working exploits exist.
  • ISM-1163: E8-PO-ML3.8 requires timely remediation of non-critical firmware vulnerabilities within one month when no exploits exist.
  • ISM-1900: E8-PO-ML3.8 requires organisations to remediate non-critical firmware vulnerabilities within one month when no working exploits exist.

Related (1)
  • ISM-1904: E8-PO-ML3.8 requires patches, updates, or vendor mitigations for non-critical firmware vulnerabilities to be applied within one month whe...

ISO 42001

Partially overlaps (1)
  • Annex A 6.2.6: Annex A 6.2.6 requires documented processes for operating and maintaining the AI system, including updates and repairs.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
