ISM-0300 policy ASD Information Security Manual (ISM)

Apply System Security Patches with Approval

Security patches for critical IT must be approved and applied as directed by ASD.


Plain language

This control is about making sure that security patches, updates and other vendor mitigations for high assurance IT equipment are applied only once ASD has approved them, and then only by the methods and within the timeframes ASD prescribes. High assurance equipment carries an assurance level that an unapproved or improperly applied change can invalidate, while a patch that is delayed beyond ASD's timeframe leaves a known vulnerability exploitable. Either failure can expose highly classified systems to compromise and cause significant disruption.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in high assurance IT equipment are applied only when approved by ASD, and in doing so, using methods and timeframes prescribed by ASD.

Why it matters

Applying patches to high assurance equipment without ASD approval or prescribed timeframes can cause outages, weaken assurance and leave critical vulnerabilities exploitable.


Operational notes

Coordinate with ASD for patch/mitigation approval for high assurance equipment; implement changes only via ASD-prescribed methods and within mandated timeframes.


Implementation tips

  • System Owner should understand ASD's requirements: Identify which systems contain high assurance IT equipment, using ASD's guidance to make that determination, and stay informed of the specific approval, method and timeframe requirements ASD sets for updates to that equipment.
  • IT Team should prepare a patch management plan: Draft a clear plan that describes how patches and vendor mitigations for high assurance equipment will be tracked, how ASD approval will be sought and recorded, and how the approved change will be applied within ASD's timeframe. The plan should include rollback and escalation steps in case an update fails.
  • Authorising Officer should record the approval: The approval to apply a patch or mitigation to high assurance equipment comes from ASD, not from the organisation. The person responsible for authorising the change should confirm that ASD approval has been obtained and documented, understand the risks of both delay and unapproved action, and sign off on each application via email or a form so that the approval trail is retained.
  • IT Team should schedule and apply patches: Once ASD has approved a patch, apply it using the method ASD prescribes and within the timeframe ASD specifies. Maintain a log of applied patches, including the ASD approval reference, dates and any issues encountered, for future reference and audit.
  • Someone should monitor the outcomes: Designate a person within the IT team to verify that each patch was applied successfully and that the equipment functions as expected afterwards. Use feedback mechanisms to identify and rectify any problems quickly, and report outcomes back to the System Owner.

Audit / evidence tips

  • Ask: The organisation's patch management policy. Look to see if it mentions ASD's approval requirements for high assurance IT equipment. Good: Includes references to ASD guidelines and documentation showing understanding of the required approval processes.
  • Good: Records have clear approval notations and show the dates patches were applied.
  • Ask: Them to explain the steps they follow for applying patches approved by ASD. Good: Includes detail on how they adhere to ASD methods and timeframes for applying updates.
  • Good: Includes documented checks or test results after updates.
  • Ask: Audit logs or systems reviewed for patches. Good: Result is seeing regular entries marking when patches were reviewed and applied.

Cross-framework mappings

How ISM-0300 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes
Partially overlaps (1):
Annex A 8.32 | ISM-0300 requires an explicit approval mechanism (ASD) and prescribed processes/timeframes before implementing patches or mitigations on ...
Related (1):
Annex A 8.8 | Annex A 8.8 requires the organisation to obtain vulnerability information, assess exposure and apply appropriate treatments, including pa...

E8

Control | Notes
Partially overlaps (2):
E8-PO-ML3.5 | ISM-0300 requires that patches, updates or vendor mitigations for vulnerabilities in high assurance IT equipment are only applied when ap...
E8-PO-ML3.8 | ISM-0300 requires that vulnerabilities in high assurance IT equipment are remediated via patches/updates/mitigations only when approved b...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
