Apply Timely Updates to Isolation Mechanisms
Keep server hardware isolation software and OS updated to fix vulnerabilities promptly.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: NC, OS, P, S, TS
ISM last updated: Aug 2023
Control Stack last updated: 22 Feb 2026
E8 maturity levels: N/A
When using a software-based isolation mechanism to share a physical server's hardware, patches, updates or vendor mitigations for vulnerabilities are applied to the isolation mechanism and underlying operating system in a timely manner.
Source: ASD Information Security Manual (ISM)
Plain language
Keeping your server's software and its operating system updated is crucial because it protects your systems from new vulnerabilities that hackers might exploit. If you don't apply these updates promptly, someone could potentially steal data, disrupt your services, or even lock you out of your own systems.
Why it matters
Delayed hypervisor/container and host OS patching can enable isolation escape or host compromise, exposing multiple tenants’ data and workloads.
Operational notes
Track vendor advisories for the hypervisor/container runtime and host OS; prioritise isolation-escape CVEs and apply patches/mitigations promptly.
Implementation tips
- IT team should regularly schedule a time to review and apply updates: Set a routine check, perhaps fortnightly, where team members go over available updates or patches for server isolation software and the operating system. Use a calendar reminder to ensure this step is never missed.
- System owners should establish relationships with vendors: Regularly communicate with software and hardware vendors to stay informed about new updates or alerts. Join vendor mailing lists or forums so that you receive alerts as soon as updates are available.
- IT team should create a test environment for updates: Before applying updates to the main system, test them in a separate environment. Set up a small server that mirrors your main system and apply new updates there first to ensure they work without causing issues.
- Managers should oversee the update process: Assign someone responsible to check that updates are being applied in a timely manner. This can be done by having them review update logs or subscribing to a report confirming activities.
- IT team should automate updates where possible: Use tools that automatically apply non-disruptive updates to servers during off-peak hours. Ensure there's a backup taken before each update just in case something goes wrong.
Audit / evidence tips
- Ask: the update logs for server isolation software and operating systems: Request the records or reports showing when updates were last applied
  Good: Log entries showing updates were applied soon after vendor releases, within a standard window (e.g., two weeks)
- Ask: a list of all servers subject to updates: Ensure this list includes all servers using isolation mechanisms
  Good: A comprehensive list that matches server inventories and shows recent update activities
- Ask: policy documents detailing update procedures: Request the document outlining how updates are managed in the organisation
  Good: A clear policy with specific timelines and named individuals responsible for updating
- Ask: to see vendor communications about updates: Request emails or announcements from vendors received by the IT team
  Good: Recent emails from vendors confirming updates were reviewed and, if required, applied promptly
- Ask: evidence of testing updates before rollout: Request records of testing updates in a non-production environment
  Good: Test reports showing what was tested, when, and the results before deploying updates to live systems
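The first two evidence checks above (update timing and inventory coverage) can be reconciled mechanically. The following is an added example, not part of the ISM or of this page's source: the host names, record layout and component labels are hypothetical, the data is constructed, and the 14-day window is an assumption taken from the "e.g., two weeks" wording above.

```python
from datetime import date

WINDOW_DAYS = 14                       # assumed window ("e.g., two weeks")
COMPONENTS = ("isolation", "host_os")  # hypothetical labels: hypervisor/runtime, host OS

# Constructed sample data: server inventory and update-log records.
INVENTORY = ["hv-01", "hv-02", "hv-03"]
UPDATE_LOG = [
    # (host, component, vendor release date, date applied or None if pending)
    ("hv-01", "isolation", date(2026, 1, 5), date(2026, 1, 12)),
    ("hv-01", "host_os",   date(2026, 1, 8), date(2026, 1, 15)),
    ("hv-02", "isolation", date(2026, 1, 5), date(2026, 2, 2)),
    ("hv-02", "host_os",   date(2026, 1, 8), None),
    ("hv-09", "host_os",   date(2026, 1, 8), date(2026, 1, 10)),
]

def audit_patch_evidence(inventory, log, as_of, window=WINDOW_DAYS):
    """Return (host, component, status, lag_days) for every evidence gap."""
    findings, seen = [], set()
    for host, comp, released, applied in log:
        if host not in inventory:
            # Log mentions a server the inventory does not list.
            findings.append((host, comp, "not-in-inventory", None))
            continue
        seen.add((host, comp))
        # Pending patches are measured up to the audit date.
        lag = ((applied or as_of) - released).days
        if lag <= window:
            continue
        status = "applied-late" if applied else "overdue-pending"
        findings.append((host, comp, status, lag))
    # Inventory entries with no update record for a component.
    for host in inventory:
        for comp in COMPONENTS:
            if (host, comp) not in seen:
                findings.append((host, comp, "no-evidence", None))
    return findings

if __name__ == "__main__":
    for finding in audit_patch_evidence(INVENTORY, UPDATE_LOG, date(2026, 2, 22)):
        print(finding)
```

A mismatch in either direction is a finding: a logged host missing from the inventory points to an incomplete server list, and an inventoried host with no log entry has no evidence of patching at all.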
Cross-framework mappings
How ISM-1606 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1606 requires timely remediation of vulnerabilities by applying patches, updates or vendor mitigations to software-based isolation me... | |
| Supports (2) | | |
| Annex A 8.19 | ISM-1606 requires timely remediation of vulnerabilities affecting software-based isolation mechanisms and the underlying host operating s... | |
| Annex A 8.32 | ISM-1606 requires timely application of patches, updates or vendor mitigations to isolation mechanisms and their underlying host operatin... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (3) | | |
| E8-PO-ML1.5 | ISM-1606 requires patches, updates or vendor mitigations to be applied in a timely manner to software-based isolation mechanisms (e.g | |
| E8-PO-ML1.6 | ISM-1606 requires timely remediation of vulnerabilities by applying patches/updates/mitigations to the isolation mechanism and the underl... | |
| E8-PO-ML3.3 | ISM-1606 requires patches/updates/vendor mitigations to be applied in a timely manner to both the software isolation mechanism and the un... | |