The latest or previous OS release is used
Ensure your operating system is up-to-date with the latest or previous version.
Plain language
Keeping your operating system on the latest or one version behind ensures it's protected against known security threats. If you don't keep up with updates, cybercriminals could exploit vulnerabilities to gain unauthorised access to your data.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
The latest release, or the previous release, of operating systems are used.
Why it matters
Using unsupported OS releases increases exposure to known vulnerabilities, enabling compromise and unauthorised access to sensitive data.
Operational notes
Regularly audit endpoints and servers to confirm they run the latest or previous OS release, and schedule upgrades before vendor support ends.
Implementation tips
- IT team should ensure all computers are running the latest or the previous version of their operating system by scheduling regular updates and confirming rollouts are successful.
- System administrators need to verify the operating system version on a quarterly basis by reviewing system update logs and cross-checking with current vendor releases.
- The IT manager should set up automatic notifications for new operating system releases so they can plan for updates promptly.
- Security officers should implement a policy to replace any devices that can no longer support the latest or previous operating system version.
- System administrators should regularly back up systems before performing operating system updates to prevent data loss during the update process.
Audit / evidence tips
- AskWhich operating system versions are currently in use across the organisation?
- GoodThe organisation uses the latest or previous operating system release for all devices
- AskHow does the organisation stay informed about new operating system releases?
- GoodThe organisation receives vendor notifications and has policies for timely updates
Cross-framework mappings
How E8-PO-ML3.9 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (3) expand_less | ||
| ISM-1483 | ISM-1483 requires internet-facing server applications to be kept at their latest release | |
| ISM-1501 | E8-PO-ML3.9 requires organisations to use the latest or previous OS release | |
| ISM-1848 | E8-PO-ML3.9 requires organisations to use the latest or previous OS release | |
| handshake Supports (4) expand_less | ||
| ISM-0298 | E8-PO-ML3.9 requires organisations to keep operating systems on the latest or previous release | |
| ISM-1408 | ISM-1408 requires organisations to use 64-bit versions of operating systems where supported | |
| ISM-1409 | ISM-1409 requires operating systems to be hardened using ASD and vendor hardening guidance, applying the most restrictive settings where ... | |
| ISM-1605 | ISM-1605 requires that the underlying host operating system is hardened when using software-based isolation to share physical server hard... | |
| link Related (1) expand_less | ||
| ISM-1407 | E8-PO-ML3.9 requires organisations to use the latest release, or the previous release, of operating systems | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.