Ensure Use of Latest Server Application Releases
Keep server applications updated to their latest release for better security against internet threats.
Plain language
Keeping your server software updated is like making sure you've locked all the doors before going to bed. If you don't, cyber crooks can sneak in through security gaps and cause serious harm to your business, like stealing sensitive information or ruining your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The latest release of internet-facing server applications are used.
Why it matters
Outdated internet-facing server applications leave known vulnerabilities unpatched, enabling rapid exploitation and system compromise.
Operational notes
Maintain an inventory of internet-facing server apps and enable vendor update/patching to keep them on the latest stable release.
Implementation tips
- IT team should regularly schedule updates: Assign a dedicated IT staff member to check for new versions of server applications every month. This involves visiting the software provider's website or using built-in software update tools to identify and apply any available updates.
- System owners should maintain an update log: Keep a detailed record of all updates applied to the server applications. This helps track what changes were made and ensures updates are consistent.
- Ask them to provide updates via email or a newsletter
- IT team should test updates in a safe environment first: Before applying updates to the main server, test them in a controlled setting to ensure they don't interfere with existing operations. This reduces the risk of disruptions.
- Managers should develop an update policy: Create a company policy that outlines the importance of regular software updates and assigns responsibilities. This policy should be shared with both IT staff and management to ensure everyone understands their role.
Audit / evidence tips
- Ask for the server application update log: Request documentation that shows a history of software updates applied to server applications.
  Good: would include a regularly updated log with noted dates and versions.
- Ask for communication records with software vendors: Request any emails or newsletters from software vendors regarding updates.
  Good arrangement will include prompt communication whenever an update is available.
- Ask for the update testing documentation: Review records showing updates were tested in a non-operational environment before deployment.
  Good: includes thorough testing results and approval for deployment.
- Ask about the update policy: Request the document outlining the organisation's update policy.
- Ask for the schedule of update checks: Request the calendar or schedule that outlines when updates are checked and applied.
  Good schedule shows consistent, monthly checks recorded over time.
Cross-framework mappings
How ISM-1483 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.8 | ISM-1483 requires internet-facing server applications to be kept on their latest release to address known vulnerabilities | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-PA-ML1.5 | ISM-1483 requires internet-facing server applications to use the latest release, reducing risk from vulnerabilities addressed in newer ve... | |
| E8-PA-ML3.3 | ISM-1483 requires that internet-facing server applications are kept on their latest release to reduce exposure to known vulnerabilities | |
| E8-PO-ML3.9 | ISM-1483 requires internet-facing server applications to be kept at their latest release | |
| Supports (2) | | |
| E8-PA-ML1.6 | E8-PA-ML1.6 requires applying non-critical security patches for online services within two weeks when vendors rate them non-critical and ... | |
| E8-AC-ML2.1 | ISM-1483 requires the latest release of internet-facing server applications to be used to reduce exploitation risk | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.