ISM-0298 ASD Information Security Manual (ISM)

Centralised System Patch and Update Management

Ensure patches and updates are applied correctly using a centralised system for better security.

Plain language

This control means that all your computers and systems should get updated in a systematic way from a central point. It's important because if these updates aren't managed properly, your business could be open to attacks that could harm your sensitive data or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

18 May 2026

E8 maturity levels

N/A

Official control statement

A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.
ASD Information Security Manual (ISM), ISM-0298

Why it matters

Without a centralised patch and update process, patching becomes inconsistent, leaving unpatched OS, apps, drivers or firmware exposed to known vulnerabilities and outages.

Operational notes

Use a centralised patch service to source trusted updates, verify integrity/signatures, deploy to OS, apps, drivers and firmware, and centrally confirm success and exceptions.

Implementation tips

  • IT team should set up a centralised update platform: Choose and configure software that can handle system updates for the entire organisation. This software will automatically distribute and apply patches to all computers, reducing the risk of missing any important updates.
  • Managers should ensure staff compliance with update schedules: Communicate with staff about scheduled update times and ensure their devices are powered on and connected to the network during these times. This minimises the chance of devices missing critical updates.
  • System owners should regularly review update logs: Check the centralised update platform for logs that detail which systems received updates and which did not. This helps identify any systems that might have missed updates and need manual intervention.
  • IT team should conduct regular tests of the update process: Periodically verify the update process on sample systems to ensure updates are applied correctly. This involves observing the update installation on a test device and confirming system operation post-update.
  • Management should develop a patch management policy: Create a written document detailing the update process, responsibilities, and protocols for dealing with failed updates. Ensure this policy is easily accessible to all relevant staff and regularly reviewed.

Audit / evidence tips

  • Ask: The update logs from the centralised platform: Request logs showing all recent updates applied to the organisation’s systems. Good: Includes complete logs with no errors or skipped updates.
  • Good: Is a detailed explanation of the centralised system, coverage of all devices, and monitoring statements.
  • Ask: To observe when the IT team performs a system update across the network. Good: Is a smooth deployment with all systems reporting back as updated.
  • Good: Includes a current document with management's sign-off.
  • Ask: Evidence of manual intervention when updates fail: Check records showing how failures were handled. This should include error logs and subsequent tasks to resolve issues. Good: Includes detailed follow-ups and successful resolutions.

Cross-framework mappings

How ISM-0298 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.8: ISM-0298 mandates centralised patch management with integrity and successful application verification

Partially overlaps (1)
  • Annex A 7.13: Annex A 7.13 mandates correct maintenance of equipment to ensure the availability, integrity, and confidentiality of information

E8

  • Partially overlaps (2)
  • Supports (14)
  • Depends on (6)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
