ISM-1407, ASD Information Security Manual (ISM)

Ensure Use of Current OS Versions

Use the latest or previous operating system version to keep systems up-to-date.

Plain language

Keeping your computer systems up-to-date by using the latest or just the previous release of an operating system is like ensuring that your team has the best tools available. It matters because outdated systems can have vulnerabilities that are not fixed, making it easier for cybercriminals to break in and potentially cause damage or steal information.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

The latest release, or the previous release, of operating systems are used.

Why it matters

Using outdated OS versions leaves known vulnerabilities unpatched, increasing the likelihood of compromise and data breaches.

Operational notes

Maintain OS currency by standardising on the latest or previous release, tracking vendor lifecycle dates, and scheduling upgrades before end-of-support.

Implementation tips

  • IT team should monitor system updates: They need to regularly check for new operating system versions released by vendors like Microsoft or Apple. This can be done by subscribing to vendor newsletters or setting up alerts on technology news sites.
  • System owner should plan upgrades: Work with the IT team to create a schedule for upgrading systems to the latest stable version of the operating system. Consider doing this during low-usage periods to minimise disruption.
  • Managers should allocate resources: Ensure enough time and budget is earmarked for regular operating system upgrades. This involves coordinating with finance to support any hardware compatibility needs.
  • IT team should test updates: Before rolling out a new operating system version, the IT team should test it on a small group of computers to ensure compatibility with essential applications. Use testing labs or virtual environments to conduct these trials.
  • Staff training should be conducted by education officers: Organise training sessions for staff to familiarise them with new features or changes in the updated operating system. Use user guides and webinars to assist with this.
Audit / evidence tips

  • Ask: The operating system update policy: Request a document that outlines the process for keeping systems up-to-date. Good: Clearly allocates responsibilities and provides a schedule.
  • Ask: The upgrade schedule: Request to see the planned schedule for system upgrades. Good: Contains a timeline with completed and upcoming upgrades clearly marked.
  • Ask: To see update notifications: Request the alerts or notifications from operating system vendors that the IT team receives. Good: Includes recent alerts about new releases.
  • Ask: The change management log: Request a log of changes made to the operating systems, including updates. Good: Has a well-documented record corresponding to the schedule.
  • Ask: To interview IT staff: Conduct an interview to understand the process for handling system updates. Good: Is consistent with documented policies and practices.
Cross-framework mappings

How ISM-1407 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially overlaps (2)

  • E8-PO-ML1.5: ISM-1407 requires organisations to stay on the latest or previous OS release to reduce exposure to known vulnerabilities and maintain ven...
  • E8-PO-ML1.8: ISM-1407 requires organisations to use only the latest or previous operating system releases

Related (1)

  • E8-PO-ML3.9: E8-PO-ML3.9 requires organisations to use the latest release, or the previous release, of operating systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
