Centralised System Patch and Update Management
Ensure patches and updates are applied correctly using a centralised system for better security.
Plain language
This control means that all your computers and systems should get updated in a systematic way from a central point. It's important because if these updates aren't managed properly, your business could be open to attacks that could harm your sensitive data or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.
Why it matters
Without a centralised patch and update process, patching becomes inconsistent, leaving unpatched OS, apps, drivers or firmware exposed to known vulnerabilities and outages.
Operational notes
Use a centralised patch service to source trusted updates, verify integrity/signatures, deploy to OS, apps, drivers and firmware, and centrally confirm success and exceptions.
Implementation tips
- IT team should set up a centralised update platform: Choose and configure software that can manage updates for the entire organisation. It should source updates from trusted channels, verify their integrity (hashes or vendor signatures) before release, and automatically distribute and apply patches to all managed devices, reducing the risk of missing an important update.
- Managers should ensure staff compliance with update schedules: Communicate scheduled update windows to staff and ensure their devices are powered on and connected to the network during those windows. This minimises the chance of devices missing critical updates.
- System owners should regularly review update logs: Check the centralised platform for logs that show which systems received updates and which did not. Treat a device that has not reported at all as an exception rather than assuming it succeeded. This identifies systems that missed updates and need manual intervention.
- IT team should conduct regular tests of the update process: Periodically verify the update process on sample systems to confirm updates are applied correctly. This involves observing the update installation on a test device and confirming the system operates normally afterwards.
- Management should develop a patch management policy: Create a written document detailing the update process, responsibilities, and the procedure for handling failed updates. Ensure this policy is easily accessible to all relevant staff and is regularly reviewed.
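The operational notes and the "review update logs" tip above describe two checks a centralised patch service has to make: integrity verification before an artefact is released, and central confirmation afterwards that every managed host actually applied it. The following is an added example written for this page; it is not code from the ISM, from Control Stack, or from any particular patch product. The artefact bytes, the manifest digest (computed at load time as a stand-in for the value a signed vendor catalogue would publish), the package names, versions, hostnames and reports are all constructed sample data, and the version parser assumes plain dotted numeric versions.

```python
"""
Added example for ISM-0298 (not from the ISM or the Control Stack page).
Shows (1) integrity verification of a patch artefact against a manifest
before release, and (2) central reconciliation of post-deployment reports,
where a silent host is an exception rather than a success.
All hashes, hostnames, package names and versions are constructed sample data.
"""
import hashlib
import hmac
from dataclasses import dataclass

# --- 1. Integrity of the patch artefact ------------------------------------
# Constructed artefact standing in for a vendor package. In a real service the
# expected digest comes from the vendor's signed catalogue or repository
# metadata; here it is computed once at load time to stand in for that value.
GOOD_ARTEFACT = b"constructed vendor payload: openssl 3.0.14 (sample data)"
PATCH_MANIFEST = {
    "openssl-3.0.14.pkg": hashlib.sha256(GOOD_ARTEFACT).hexdigest(),
}


def verify_patch_integrity(artefact: bytes, expected_sha256: str) -> bool:
    """Release an artefact for deployment only if its SHA-256 matches the manifest.

    hmac.compare_digest gives a constant-time comparison; any mismatch means
    the artefact is rejected, never 'repaired'.
    """
    actual = hashlib.sha256(artefact).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


# --- 2. Central confirmation that patches were applied ----------------------
# Required minimum versions per package (constructed).
REQUIRED_VERSIONS = {"openssl": "3.0.14", "kernel": "5.15.160"}

# Authoritative inventory of hosts that must report (constructed). Hosts are
# judged against the inventory, not against whichever agents happened to check in.
EXPECTED_HOSTS = {"web01", "web02", "db01", "jump01"}


@dataclass
class HostReport:
    """One post-deployment report from an agent: package -> installed version."""
    host: str
    installed: dict


# Constructed sample reports. jump01 has sent nothing at all.
SAMPLE_REPORTS = [
    HostReport("web01", {"openssl": "3.0.14", "kernel": "5.15.160"}),
    HostReport("web02", {"openssl": "3.0.13", "kernel": "5.15.160"}),
    HostReport("db01", {"openssl": "3.0.14"}),
]


def parse_version(v: str) -> tuple:
    """Assumes dotted numeric versions such as '3.0.14'; not a general parser."""
    return tuple(int(part) for part in v.split("."))


def reconcile(required: dict, expected_hosts: set, reports: list) -> dict:
    """Return {'compliant': [hosts], 'exceptions': {host: [reasons]}}.

    A host with no report, a package it did not report on, or a version below
    the required minimum is an exception. Silence is never treated as success.
    """
    by_host = {r.host: r for r in reports}
    compliant, exceptions = [], {}
    for host in sorted(expected_hosts):
        report = by_host.get(host)
        if report is None:
            exceptions[host] = ["no report received"]
            continue
        problems = []
        for package, minimum in required.items():
            have = report.installed.get(package)
            if have is None:
                problems.append(f"{package}: not reported")
            elif parse_version(have) < parse_version(minimum):
                problems.append(f"{package}: {have} < required {minimum}")
        if problems:
            exceptions[host] = problems
        else:
            compliant.append(host)
    # A report from a host that is not in the inventory is itself a finding:
    # an unknown device is receiving patches from the central service.
    for host in sorted(set(by_host) - expected_hosts):
        exceptions[host] = ["report from host not in inventory"]
    return {"compliant": compliant, "exceptions": exceptions}


if __name__ == "__main__":
    ok = verify_patch_integrity(GOOD_ARTEFACT, PATCH_MANIFEST["openssl-3.0.14.pkg"])
    print("artefact integrity:", "OK" if ok else "REJECTED")
    summary = reconcile(REQUIRED_VERSIONS, EXPECTED_HOSTS, SAMPLE_REPORTS)
    print("compliant:", summary["compliant"])
    for host, reasons in summary["exceptions"].items():
        print(f"exception {host}: {'; '.join(reasons)}")
```

Run as a script, the sample data yields one compliant host (web01) and three exceptions: web02 on an outdated openssl, db01 not reporting its kernel version, and jump01 not reporting at all. The last case is the one a log review most often misses; a platform that only lists successes will never show jump01.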
Audit / evidence tips
- Ask: the update logs from the centralised platform. Request logs showing all recent updates applied to the organisation's systems.
  Good: complete logs with no errors or skipped updates.
- Good: a detailed explanation of the centralised system, coverage of all devices, and monitoring statements.
- Ask: to observe the IT team performing a system update across the network.
  Good: a smooth deployment with all systems reporting back as updated.
- Good: a current document with management's sign-off.
- Ask: evidence of manual intervention when updates fail. Check records showing how failures were handled, including error logs and the follow-up tasks that resolved them.
  Good: detailed follow-ups and successful resolutions.
Cross-framework mappings
How ISM-0298 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-0298 mandates centralised patch management with integrity and successful application verification | |
| Partially overlaps (1) | | |
| Annex A 7.13 | Annex A 7.13 mandates correct maintenance of equipment to ensure the availability, integrity, and confidentiality of information | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Supports (14) | | |
| Depends on (6) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.