Control Stack
ISM-0298 ASD Information Security Manual (ISM)

Centralised System Patch and Update Management

Ensure patches and updates are applied correctly using a centralised system for better security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
A centralised and managed approach that maintains the integrity of patches or updates, and confirms that they have been applied successfully, is used to patch or update applications, operating systems, drivers and firmware.

Source: ASD Information Security Manual (ISM)

Plain language

This control means that every computer and system in your organisation gets its updates in a systematic way from one central point, that each update is checked to be genuine and unaltered before it is installed, and that the central system confirms the update actually went on. It matters because a missed or tampered update leaves a system open to attacks that could expose sensitive data or disrupt your operations.

Why it matters

Without a centralised patch and update process, patching becomes inconsistent: some operating systems, applications, drivers or firmware stay unpatched and exposed to known vulnerabilities, nobody can say with confidence which systems have actually applied a given update, and a corrupted or tampered update can be deployed without anyone noticing, causing outages as well as security exposure.

Operational notes

Use a centralised patch service that sources updates from trusted vendor channels, verifies their integrity (vendor signatures or published hashes) before deployment, deploys them to operating systems, applications, drivers and firmware, and centrally records which systems applied each update successfully and which did not. Treat a system that has not reported back as an exception to be chased, not as patched.

Implementation tips

  • IT team should set up a centralised update platform: choose and configure software that can manage updates for the entire organisation. It should distribute and apply patches to every managed computer from one place, so that no system is missed and no update is installed from an untrusted source.
  • Managers should ensure staff comply with update schedules: communicate the scheduled update windows and make sure devices are powered on and connected to the network during them, so that devices do not miss critical updates.
  • System owners should regularly review update logs: check the platform's records of which systems received each update and which did not, treat systems that have not reported as unpatched until confirmed, and arrange manual intervention where needed.
  • IT team should regularly test the update process: periodically verify on sample systems that updates install correctly, observing the installation on a test device and confirming the system operates normally afterwards.
  • Management should develop a patch management policy: a written document setting out the update process, responsibilities, and the procedure for dealing with failed updates. Make it easily accessible to all relevant staff and review it regularly.
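The two technical checks the control statement and the operational notes call for, verifying the integrity of a patch before it is deployed and confirming from central reports which systems applied it, can be sketched as a small script. The example below is added here and is not Control Stack or ASD code, nor any particular patch platform's API; the package bytes, the hash manifest and the agent report lines are constructed sample data, and the report format (host, patch id, status, optional detail) is an assumption chosen for the example. Its one non-obvious point is that a managed host which never reports is counted as an exception, not as patched.

```python
"""Patch integrity check and fleet reconciliation (added example, not Control Stack or ASD code)."""
import hashlib
import hmac

# Constructed sample package. In practice the manifest digest comes from the vendor's
# signed release metadata; here it is built from the known-good bytes so the example
# runs offline. The check below still refuses tampered bytes and unknown packages.
PACKAGE_BYTES = b"constructed sample package contents: driver-update-1.2.3"
MANIFEST = {"driver-update-1.2.3.pkg": hashlib.sha256(PACKAGE_BYTES).hexdigest()}


def verify_package(name, data, manifest):
    """Return True only if `data` hashes to the manifest digest recorded for `name`.

    A package with no manifest entry is refused: "no hash on file" must never
    fall through to "deploy anyway".
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; cheap habit even where timing is not the threat.
    return hmac.compare_digest(actual, expected)


# Constructed fleet inventory and agent report. Hostnames and patch id are invented.
EXPECTED_HOSTS = {"ws-001", "ws-002", "srv-db-01", "srv-web-01"}
PATCH_ID = "KB-2024-001"
AGENT_REPORT = """\
ws-001 KB-2024-001 installed
ws-002 KB-2024-001 failed error=0x80070005
srv-db-01 KB-2024-001 failed error=reboot_pending
srv-db-01 KB-2024-001 installed
lab-99 KB-2024-001 installed
"""
# srv-web-01 appears nowhere in the report: that silence is the finding to chase.


def reconcile(expected_hosts, report_text, patch_id):
    """Classify every expected host for one patch from the central report.

    Assumed line format: "<host> <patch id> <status> [detail...]". Lines are in
    time order, so the last status a host reports wins (srv-db-01 above failed
    once, then installed). Hosts that report but are not in the inventory are
    returned separately: an unmanaged machine is itself a coverage gap.
    """
    latest = {}
    unmanaged = set()
    for line in report_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess
        host, pid, status, *detail = fields
        if pid != patch_id:
            continue
        if host not in expected_hosts:
            unmanaged.add(host)
            continue
        latest[host] = (status, " ".join(detail))

    installed = {h for h, (s, _) in latest.items() if s == "installed"}
    failed = {h: (d or s) for h, (s, d) in latest.items() if s != "installed"}
    not_reported = expected_hosts - set(latest)
    return {
        "installed": installed,
        "failed": failed,
        "not_reported": not_reported,
        "unmanaged": unmanaged,
    }


def fully_applied(result):
    """The deployment is complete only when nothing failed and nothing is unaccounted for."""
    return not result["failed"] and not result["not_reported"]


if __name__ == "__main__":
    print("package ok:", verify_package("driver-update-1.2.3.pkg", PACKAGE_BYTES, MANIFEST))
    print("tampered ok:", verify_package("driver-update-1.2.3.pkg", PACKAGE_BYTES + b"\x00", MANIFEST))
    outcome = reconcile(EXPECTED_HOSTS, AGENT_REPORT, PATCH_ID)
    for key, value in outcome.items():
        print(f"{key}: {sorted(value)}")
    print("fully applied:", fully_applied(outcome))
```

The audit evidence a reviewer would want is exactly the output of `reconcile`: the failed set with its error detail, the not-reported set, and any unmanaged hosts, each with a follow-up ticket, rather than a log that simply shows no errors.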

Audit / evidence tips

  • Ask: for the update logs from the centralised platform, showing all recent updates applied to the organisation's systems

    Good: complete logs covering every managed system, with any failed or skipped updates recorded and tracked to resolution rather than simply absent

  • Ask: for a description of the centralised system and the devices it covers

    Good: a detailed explanation of the centralised system, coverage of all devices (operating systems, applications, drivers and firmware), and how successful application is monitored

  • Ask: to observe the IT team performing a system update across the network

    Good: a smooth deployment with all systems reporting back as updated, and any system that does not report back flagged as an exception

  • Ask: for the patch management policy

    Good: a current document with management's sign-off

  • Ask: for evidence of manual intervention when updates fail, including error logs and the subsequent tasks that resolved the issues

    Good: detailed follow-ups and successful resolutions

Cross-framework mappings

How ISM-0298 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

  Partially meets (1)
    Annex A 8.8 (Management of technical vulnerabilities): ISM-0298 mandates centralised patch management with integrity and successful-application verification

  Partially overlaps (1)
    Annex A 7.13 (Equipment maintenance): Annex A 7.13 mandates correct maintenance of equipment to ensure the availability, integrity, and confidentiality of information

E8

  Partially overlaps (1)
  Supports (10)
  Depends on (3)
  Related (2)
