Apply Timely Updates to Isolation Mechanisms
Keep server hardware isolation software and OS updated to fix vulnerabilities promptly.
Plain language
Keeping your server's software and its operating system updated is crucial because it protects your systems from new vulnerabilities that hackers might exploit. If you don't apply these updates promptly, someone could potentially steal data, disrupt your services, or even lock you out of your own systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Virtualisation hardening
Official control statement
When using a software-based isolation mechanism to share a physical server's hardware, patches, updates or vendor mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner.
Why it matters
Delayed hypervisor/container and host OS patching can enable isolation escape or host compromise, exposing multiple tenants’ data and workloads.
Operational notes
Track vendor advisories for the hypervisor/container runtime and host OS; prioritise isolation-escape CVEs and apply patches/mitigations promptly.
Implementation tips
- IT team should regularly schedule a time to review and apply updates: Set a routine check, perhaps fortnightly, where team members go over available updates or patches for server isolation software and the operating system. Use a calendar reminder to ensure this step is never missed.
- System owners should establish relationships with vendors: Regularly communicate with software and hardware vendors to stay informed about new updates or alerts. Join vendor mailing lists or forums so that you receive alerts as soon as updates are available.
- IT team should create a test environment for updates: Before applying updates to the main system, test them in a separate environment. Set up a small server that mirrors your main system and apply new updates there first to ensure they work without causing issues.
- Managers should oversee the update process: Assign someone responsible to check that updates are being applied in a timely manner. This can be done by having them review update logs or subscribing to a report confirming activities.
- IT team should automate updates where possible: Use tools that automatically apply non-disruptive updates to servers during off-peak hours. Ensure there's a backup taken before each update just in case something goes wrong.
Audit / evidence tips
- Ask: the update logs for server isolation software and operating systems: Request the records or reports showing when updates were last applied
  Good: Log entries showing updates were applied soon after vendor releases, within a standard window (e.g., two weeks)
- Ask: a list of all servers subject to updates: Ensure this list includes all servers using isolation mechanisms
  Good: A comprehensive list that matches server inventories and shows recent update activities
- Ask: policy documents detailing update procedures: Request the document outlining how updates are managed in the organisation
  Good: A clear policy with specific timelines and named individuals responsible for updating
- Ask: to see vendor communications about updates: Request emails or announcements from vendors received by the IT team
  Good: Recent emails from vendors confirming updates were reviewed and, if required, applied promptly
- Ask: evidence of testing updates before rollout: Request records of testing updates in a non-production environment
  Good: Test reports showing what was tested, when, and the results before deploying updates to live systems
Cross-framework mappings
How ISM-1606 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1606 requires timely remediation of vulnerabilities by applying patches, updates or vendor mitigations to software-based isolation me... | |
| Supports (2) | | |
| Annex A 8.19 | ISM-1606 requires timely remediation of vulnerabilities affecting software-based isolation mechanisms and the underlying host operating s... | |
| Annex A 8.32 | ISM-1606 requires timely application of patches, updates or vendor mitigations to isolation mechanisms and their underlying host operatin... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (4) | | |
| E8-PO-ML1.5 | ISM-1606 requires patches, updates or vendor mitigations to be applied in a timely manner to software-based isolation mechanisms (e.g | |
| E8-PO-ML1.6 | ISM-1606 requires timely remediation of vulnerabilities by applying patches/updates/mitigations to the isolation mechanism and the underl... | |
| E8-PA-ML2.2 | E8-PA-ML2.2 requires patching of non-critical applications within one month of release | |
| E8-PO-ML3.3 | ISM-1606 requires patches/updates/vendor mitigations to be applied in a timely manner to both the software isolation mechanism and the un... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.