ISM-1366: ASD Information Security Manual (ISM)

Ensure Timely Security Updates for Mobile Devices

Apply security updates to mobile devices immediately upon availability to prevent security breaches.

Plain language

This control is about making sure we update our mobile devices with the latest security fixes as soon as they're available. If we don't, we risk leaving our devices open to hackers who can exploit these security holes to access or steal our data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Security updates are applied to mobile devices as soon as they become available.

Why it matters

Neglected mobile device updates can expose sensitive data to attackers exploiting known vulnerabilities, leading to data breaches and reputational damage.

Operational notes

Enable automatic OS/app updates via MDM and monitor compliance so mobile devices install security updates as soon as released.

Implementation tips

  • The IT team should set up alerts: Configure systems that notify the team immediately when a new security update for any mobile device is released. Use software that automatically checks for updates daily and sends an alert via email or an app notification.
  • Business managers should plan: Allocate time each week for IT staff to apply these updates without disrupting business operations. Schedule update sessions during off-peak hours to minimise impact on staff productivity.
  • The IT team should document everything: When an update is applied, record the date, time, and any issues encountered. Use a simple spreadsheet or a dedicated software tool for tracking this information.
  • Train all employees: Organise a training session to explain the importance of security updates and how delays can lead to data theft or downtime. Use real-world examples of breaches due to unpatched devices.
  • Review settings regularly: The IT team should check that all mobile devices are set to automatically accept updates if supported. This involves going into each device’s settings and toggling the auto-update feature.

Audit / evidence tips

  • Ask for the update records: Request the logs or reports that show when updates were applied to mobile devices. Good: Shows updates are applied immediately upon release, with minimal delay.
  • Good: Result shows these settings are consistently activated across devices.
  • Ask for the alert system proof: Verify that the IT team has mechanisms in place for receiving update alerts. Check for configurations in monitoring software or email alert systems. Good practice is frequent and reliable update notifications.
  • Good: Policy is comprehensive, clear, and actively adhered to.

Cross-framework mappings

How ISM-1366 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1366 requires security updates to be applied to mobile devices as soon as they become available

E8

Control Notes Details
Partially overlaps (3)
E8-PA-ML3.1 ISM-1366 requires security updates to be applied to mobile devices as soon as they become available
E8-PA-ML3.2 ISM-1366 requires security updates to be applied to mobile devices as soon as they become available
E8-PO-ML3.3 ISM-1366 requires organisations to apply security updates to mobile devices as soon as updates become available
Supports (1)
E8-PO-ML1.8 ISM-1366 requires security updates to be applied to mobile devices as soon as they become available

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
