Ensure Use of Latest User Applications
Always use the latest versions of office software, browsers, and security tools to maintain safety.
Plain language
This control is about making sure you always use the latest versions of essential software like word processors, web browsers, and security tools. This matters because outdated software can have security holes that hackers might exploit, putting your business data at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
User application hardening
Official control statement
The latest release of office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are used.
Why it matters
Using outdated applications leaves critical vulnerabilities unpatched, giving attackers easy entry points into your organisation’s network.
Operational notes
Maintain an application inventory and enforce timely updates for office suites, browsers/extensions, email clients, PDF apps and security tools; verify auto-updates and patch status regularly.
Implementation tips
- The IT team should make a list of all software currently used by staff. This includes office programs, web browsers, email clients, and any security applications. They should regularly review this list and check for new updates or versions.
- Managers should communicate to staff the importance of keeping applications up to date. This can be done through a quick email or a meeting, explaining how updates can protect the organisation's data from cyber threats.
- Procurement officers should ensure that any new software purchased has a reputation for regularly releasing updates. They can do this by consulting software ratings and reviews before making a purchase decision.
- IT staff should set up systems for automatic updates where possible. For example, configuring office software and web browsers to update automatically as soon as a new version is available saves time and ensures updates are always applied.
- HR or management should include a section in employee onboarding about using and maintaining current software versions. This can be incorporated into initial training and reinforced with periodic reminders.
Audit / evidence tips
- Ask: the list of software currently in use. Request an up-to-date inventory of all software applications staff are using.
  Good: shows all software is at the latest version or scheduled for update.
- Ask: to see system update logs or records. Request logs showing recent updates for key software like browsers and office apps.
  Good: shows consistent updates with no significant delays.
- Ask: communication records about updates. Request memos or emails sent to staff regarding software updates.
  Good: includes periodic, clear communication supporting the update policy.
- Ask: training materials covering software updates. Request documents or presentations used during staff onboarding or training sessions.
  Good: includes understandable materials focused on the importance of updates.
- Ask: about the automatic update settings. Request information or a demonstration of the organisation's systems configured for automatic updates.
  Good: shows most, if not all, systems set to update automatically.
Cross-framework mappings
How ISM-1467 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-PA-ML1.9 | ISM-1467 requires organisations to ensure the latest releases of office suites, web browsers and extensions, email clients, PDF applicati... | |
| E8-PA-ML3.1 | ISM-1467 requires organisations to use the latest releases of key user applications and security products to reduce exposure to known wea... | |
| E8-PA-ML3.2 | ISM-1467 requires organisations to use the latest releases of core user applications (office suites, browsers and extensions, email clien... | |
| Supports (1) | | |
| E8-PA-ML1.4 | ISM-1467 requires organisations to ensure the latest releases of specified user applications and security products are used | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.