Maintain Detailed Software Version and Patch Records
Keep a record of software versions and update histories for system security.
Plain language
To keep your computer systems secure, it's crucial to know what software you're using and to track its updates. If you don't keep an eye on software versions and make sure they're up-to-date, you might miss patches that fix security problems, leaving your system vulnerable to cyber attacks.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
May 2021
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.
Why it matters
Failure to track software versions and patch histories can lead to missed security updates, exposing systems to exploitable vulnerabilities and potential breaches.
Operational notes
Regularly update and verify your software inventory to quickly identify outdated versions, ensuring timely patch deployments to mitigate security risks.
Implementation tips
- The IT manager should create a software inventory: Make a complete list of all the software, including applications, drivers, operating systems, and firmware, that your business uses. Use a simple spreadsheet to record the name, version, and installation date of each piece of software.
- System administrators should regularly check for updates: Set a fixed schedule, like once a week, to review if there are any available updates or patches for the software listed in the inventory. You can do this by visiting the official websites of the software vendors or setting up automatic notifications.
- The IT team should document every update: When you apply updates or patches, write down what was updated, the date it happened, and any changes made. Add this information to your software inventory spreadsheet so you have a clear record of security improvements.
- Assign a dedicated person for software management: Choose someone responsible for maintaining the software inventory and tracking updates. This could be an IT technician or a manager who understands the systems well enough to update and check the list regularly.
- Consider using a software management tool: If you're struggling to keep track by hand, look into simple tools or software that can help automate the update tracking process. These tools can notify you when updates are available and help apply them efficiently.
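The tips above describe a register plus an update log. As an added example (not part of the original page or of the ISM), this Python sketch cross-checks the two as CSV exports. The column names, product names, sample rows and 90-day staleness threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample exports (hypothetical products, not from the page).
REGISTER_CSV = """name,category,version,installed
ExampleBrowser,application,12.4.1,2025-03-02
example-nic-driver,driver,4.2,
ExampleOS,operating system,10.1,2024-06-01
"""
PATCH_LOG_CSV = """name,date,from_version,to_version,notes
ExampleBrowser,2026-02-20,12.4.0,12.4.1,security update
ExampleOS,2025-09-01,10.1,10.2,cumulative patch
"""
# The four software types named in the control statement.
REQUIRED_CATEGORIES = {"application", "driver", "operating system", "firmware"}


def audit_register(register_csv, patch_log_csv, today, max_age_days=90):
    """Return (item, problem) findings. max_age_days is an assumed threshold."""
    rows = list(csv.DictReader(io.StringIO(register_csv)))
    log = {}
    for entry in csv.DictReader(io.StringIO(patch_log_csv)):
        log.setdefault(entry["name"], []).append(entry)
    findings = []
    # A register that omits a whole software type is incomplete.
    for cat in sorted(REQUIRED_CATEGORIES - {r["category"] for r in rows}):
        findings.append(("register", f"no entries for category '{cat}'"))
    for r in rows:
        for field in ("version", "installed"):
            if not (r[field] or "").strip():
                findings.append((r["name"], f"missing {field}"))
        history = sorted(log.get(r["name"], []), key=lambda e: e["date"])
        if not history:
            findings.append((r["name"], "no patch history recorded"))
            continue
        latest = history[-1]
        # The register must reflect the most recent patch that was logged.
        if latest["to_version"] != r["version"]:
            findings.append((r["name"], f"register says {r['version']}, "
                             f"last patch installed {latest['to_version']}"))
        age = (today - date.fromisoformat(latest["date"])).days
        if age > max_age_days:
            findings.append((r["name"], f"last patch recorded {age} days ago"))
    return findings


if __name__ == "__main__":
    for item, problem in audit_register(REGISTER_CSV, PATCH_LOG_CSV, date.today()):
        print(f"{item}: {problem}")
```

Each finding corresponds to a gap an auditor would look for: a missing software type, an incomplete entry, an item with no patch history, or a register version that lags the update log.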
Audit / evidence tips
- Ask for the software inventory list: Request to see the document or record that logs all software versions in use. Look to ensure every piece of software is listed with its version and installation date.
  Good is a comprehensive list that covers all critical systems with no significant omissions.
- Ask for a recent update log: Request to view records of the most recent updates to software.
  Good includes recent entries that show regular updating activities.
- Ask to see software management assignments: Request documentation that identifies who is responsible for managing software updates.
  Good is a clear organisational chart or assignment list showing dedicated personnel for this task.
- Ask to inspect a tool or method in use for managing updates: Request a demonstration of any tools or methods used for tracking software versions and updates. Look to verify the functionality of the tool or method in capturing and alerting for updates.
  Good is a live demonstration showing current data and notifications.
- Ask about the review schedule for updates: Request to see the schedule or calendar used for reviewing software updates.
  Good is a documented schedule showing consistent past activities and future plans.
Cross-framework mappings
How ISM-1643 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.8 | ISM-1643 requires maintaining registers of software versions and patch histories across applications, drivers, operating systems and firm... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (7) | | |
| Depends on (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.