ISM-1643 policy ASD Information Security Manual (ISM)

Maintain Detailed Software Version and Patch Records

Keep a record of software versions and update histories for system security.

Proactive NC OS P ASD Information Security ManualGuidelines for system management asset management vulnerability management asset inventory

record_voice_over

Plain language

To keep your computer systems secure, it's crucial to know what software you're using and to track its updates. If you don't keep an eye on software versions and make sure they're up-to-date, you might miss patches that fix security problems, leaving your system vulnerable to cyber attacks.

01 - Overview

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC, OS, P, S, TS

ISM last updated

May 2021

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Guideline

Guidelines for system management

Section

System patching

Topic

Software Register

Official control statement

Software registers contain versions and patch histories of applications, drivers, operating systems and firmware.

policy ASD Information Security Manual (ISM) ISM-1643

priority_high

Why it matters

Failure to track software versions and patch histories can lead to missed security updates, exposing systems to exploitable vulnerabilities and potential breaches.

settings

Operational notes

Regularly update and verify your software inventory to quickly identify outdated versions, ensuring timely patch deployments to mitigate security risks.

02 - Implement

build

Implementation tips

The IT manager should create a software inventory: Make a complete list of all the software, including applications, drivers, operating systems, and firmware, that your business uses. Use a simple spreadsheet to record the name, version, and installation date of each piece of software.
System administrators should regularly check for updates: Set a fixed schedule, like once a week, to review if there are any available updates or patches for the software listed in the inventory. You can do this by visiting the official websites of the software vendors or setting up automatic notifications.
The IT team should document every update: When you apply updates or patches, write down what was updated, the date it happened, and any changes made. Add this information to your software inventory spreadsheet so you have a clear record of security improvements.
Assign a dedicated person for software management: Choose someone responsible for maintaining the software inventory and tracking updates. This could be an IT technician or a manager who understands the systems well enough to update and check the list regularly.
Consider using a software management tool: If you're struggling to keep track by hand, look into simple tools or software that can help automate the update tracking process. These tools can notify you when updates are available and help apply them efficiently.

03 - Audit

fact_check

Audit / evidence tips

AskThe software inventory list: Request to see the document or record that logs all software versions in use. Look to ensure every software is listed with its version and installation date GoodIs a comprehensive list that covers all critical systems with no significant omissions
AskA recent update log: Request to view records of the most recent updates to software GoodIncludes recent entries that show regular updating activities
AskTo see software management assignments: Request documentation that identifies who is responsible for managing software updates GoodIs a clear organisational chart or assignment list showing dedicated personnel for this task
AskTo inspect a tool or method in use for managing updates: Request a demonstration of any tools or methods used for tracking software versions and updates. Look to verify the functionality of the tool or method in capturing and alerting for updates GoodIs a live demonstration showing current data and notifications
AskAbout the review schedule for updates: Request to see the schedule or calendar used for reviewing software updates GoodIs a documented schedule showing consistent past activities and future plans

04 - Mappings

link

Cross-framework mappings

How ISM-1643 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control	Notes	Details
handshake Supports (1) expand_less
Annex A 8.8	ISM-1643 requires maintaining registers of software versions and patch histories across applications, drivers, operating systems and firm...

E8

Control	Notes	Details
handshake Supports (7) expand_less

E8-AC-ML3.3	E8-AC-ML3.3 requires implementation of Microsoft’s vulnerable driver blocklist to prevent use of known-bad drivers

E8-PA-ML1.9	E8-PA-ML1.9 requires organisations to remove software that is no longer vendor-supported
E8-PA-ML2.2	E8-PA-ML2.2 requires patches/mitigations for non-critical applications to be applied within one month

E8-PO-ML1.1	E8-PO-ML1.1 requires fortnightly automated asset discovery to ensure assets are found for later vulnerability scanning
E8-PO-ML1.5	ISM-1643 requires maintaining detailed records of operating system versions and patch histories in software registers
E8-PO-ML1.8	E8-PO-ML1.8 requires the replacement of unsupported operating systems
E8-PO-ML3.3	ISM-1643 requires software registers to record operating system versions and patch histories
extension Depends on (1) expand_less

E8-PA-ML3.2	E8-PA-ML3.2 needs organisations to patch specified applications within two weeks for non-critical vulnerabilities

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.