Develop and Maintain Patch Management Procedures
Ensure systems are patched regularly and that processes are in place to manage this.
Plain language
Patch management is about keeping all your software and systems up to date with the latest fixes or updates provided by the software vendor. This matters because outdated software can contain known security weaknesses, which attackers can exploit to steal information or disrupt your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patch management processes, and supporting patch management procedures, are developed, implemented and maintained.
Why it matters
Without structured patch management, known vulnerabilities remain exploitable, risking unauthorised access and potential data breaches.
Operational notes
Document patch procedures: roles, asset scope, SLAs by severity, testing and rollback, and the exception process. Track patch status per system, audit compliance against the SLAs, and use vendor advisories to prioritise what is deployed first.
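As an added example (not part of the ISM or this page), the script below shows what "track patch status against SLAs by severity, prioritised by vendor advisories" looks like when it is actually recorded: each applicable advisory is assessed against an asset's patch record and its approved exceptions, and the result is a per-system status list and the counts an auditor would ask for. The SLA figures in SLA_DAYS, the product names, advisory identifiers, owners and dates are all constructed assumptions for illustration, not values taken from the ISM or any vendor.

```python
"""Patch SLA tracker: constructed example of recording patch status against
per-severity SLAs, with vendor advisories driving prioritisation."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical SLA policy (days from advisory publication to deployment).
# These numbers are an assumption for illustration, not ISM-mandated values.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Advisory:
    """A vendor advisory as captured from a vendor feed (constructed)."""
    vendor_id: str
    product: str
    severity: str
    published: date


@dataclass
class Asset:
    """An in-scope system and its patch record, as kept in the inventory."""
    name: str
    product: str
    owner: str
    patched: dict = field(default_factory=dict)     # vendor_id -> date applied
    exceptions: dict = field(default_factory=dict)  # vendor_id -> exception expiry


def due_date(adv: Advisory) -> date:
    """Deployment deadline implied by the severity SLA."""
    return adv.published + timedelta(days=SLA_DAYS[adv.severity.lower()])


def assess(asset: Asset, adv: Advisory, today: date) -> Optional[str]:
    """Status of one advisory on one asset; None if the advisory does not apply."""
    if adv.product != asset.product:
        return None
    due = due_date(adv)
    applied = asset.patched.get(adv.vendor_id)
    if applied is not None:
        # Late patching is still a finding: it shows the SLA was missed.
        return "patched" if applied <= due else "patched late"
    expiry = asset.exceptions.get(adv.vendor_id)
    if expiry is not None and expiry >= today:
        return "exception"  # documented, approved and not yet expired
    return "overdue" if today > due else "pending"


def report(assets, advisories, today):
    """One row per applicable (asset, advisory) pair, most urgent first."""
    order = ["overdue", "pending", "exception", "patched late", "patched"]
    rows = []
    for asset in assets:
        for adv in advisories:
            status = assess(asset, adv, today)
            if status is not None:
                rows.append({"asset": asset.name, "owner": asset.owner,
                             "advisory": adv.vendor_id, "severity": adv.severity,
                             "due": due_date(adv), "status": status})
    rows.sort(key=lambda r: (order.index(r["status"]), r["due"]))
    return rows


def summary(rows) -> dict:
    """Counts by status: the figure an auditor asks for first."""
    return dict(Counter(r["status"] for r in rows))


# Constructed sample data (not from any real vendor or inventory).
ADVISORIES = [
    Advisory("VND-2026-001", "webgw", "critical", date(2026, 3, 10)),
    Advisory("VND-2026-002", "webgw", "high", date(2026, 3, 10)),
    Advisory("VND-2026-003", "dbsrv", "medium", date(2026, 1, 1)),
]
ASSETS = [
    Asset("web-01", "webgw", "A. Smith", patched={"VND-2026-001": date(2026, 3, 11)}),
    Asset("web-02", "webgw", "A. Smith", exceptions={"VND-2026-001": date(2026, 3, 31)}),
    Asset("db-01", "dbsrv", "B. Jones", patched={"VND-2026-003": date(2026, 2, 5)}),
    Asset("db-02", "dbsrv", "B. Jones"),
]
TODAY = date(2026, 3, 19)

if __name__ == "__main__":
    rows = report(ASSETS, ADVISORIES, TODAY)
    for r in rows:
        print(f"{r['status']:<12} {r['asset']:<7} {r['advisory']} "
              f"{r['severity']:<8} due {r['due']} owner {r['owner']}")
    print(summary(rows))
```

The output is exactly the evidence the audit tips below ask for: a dated, owner-attributed record of what was applied and when, and a list of non-compliant systems in which an approved, unexpired exception is distinguished from a missed SLA. An expired exception reverts to overdue rather than silently remaining excused.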
Implementation tips
- IT team should create a patch schedule: The IT team needs to develop a regular timetable for checking and applying new patches. This can be done by setting up reminders or using software tools to automatically alert when updates are available.
- Business manager should allocate resources: To ensure effective patching, the business manager needs to allocate time and budget for the IT team to implement patches without delay. This can involve understanding the patch schedule and planning for any downtime needed.
- IT team should document patching procedures: The IT team should clearly outline each step of the patching process and who is responsible for each step. Writing down these procedures helps ensure everyone knows what to do and when to do it.
- System owners should review critical systems for patches: Each system owner must keep track of their systems and regularly check whether important updates or patches are available. Vendor websites and patch alerts are useful resources for this.
- Managers should ensure training and accountability: Managers should ensure that everyone involved in the patch management process is trained to understand its importance and has clear responsibilities. This can be done through regular training sessions and assigning clear patch management roles.
Audit / evidence tips
- Ask for the patch management schedule: Request to see the documented schedule that outlines when and how patches are applied. Good evidence includes specific dates and the names of responsible individuals.
- Ask for the patching procedure document: Request the documented procedures that describe how patching is carried out.
- Ask to see recent patch implementation records: Request recent records showing which patches were applied, when, and by whom.
- Ask for evidence of training sessions: Request documentation of training sessions conducted for patch management. Good evidence includes regular sessions with all relevant personnel attending.
- Ask for a list of non-compliant systems: Request a list of any systems with pending patches or updates. A good list includes explanations and plans to address each delay.
Cross-framework mappings
How ISM-1143 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.19 | Partially overlaps | Annex A 8.19 requires procedures and measures to securely manage software installation on operational systems |
| Annex A 8.8 | Supports | ISM-1143 requires organisations to develop and maintain patch management processes and procedures to ensure patches are applied in a cont... |
| Annex A 8.32 | Supports | Annex A 8.32 establishes the need for change management for system changes |
E8
| Relationship | Number of Essential Eight controls |
|---|---|
| Partially meets | 1 |
| Supports | 5 |
| Depends on | 9 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.