ISM-1690 policy ASD Information Security Manual (ISM)

Timely Application of Non-Critical Vulnerability Patches

Apply non-critical patches to online services within two weeks of release, so that vulnerabilities are closed before anyone finds a way to exploit them.


Plain language

This control is about making sure we update our software with non-critical security patches within two weeks of their release. Even if a vulnerability isn't currently being exploited, leaving it unpatched gives attackers time to find and use it, which could lead to data breaches or service disruptions.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

Delaying non-critical online-service patches beyond two weeks increases exposure, raising the risk of compromise, data loss, or service disruption.


Operational notes

Track non-critical online-service advisories and confirm no working exploits; apply vendor mitigations within 14 days of release.


Implementation tips

  • The IT team should monitor software vendor websites or subscribe to their security newsletters. This helps them stay informed when new patches are released, so they can assess and prepare for timely implementation.
  • System administrators should schedule regular reviews of available patches. They can create a simple calendar reminder to check for updates every week, ensuring they catch any recent releases that need action.
  • Assign a dedicated staff member to manage patches. This person's role is to verify that the patches are correctly applied within two weeks. They should keep a checklist or a log to track when patches are applied.
  • The IT team should conduct initial testing of patches in a safe environment. Set up a test system that mirrors the live environment to ensure patches don't disrupt business operations before they're rolled out widely.
  • Managers should communicate with staff about the importance of patching. Brief updates or reminders about the role patches play in protecting data and systems help build organisational support for timely updates.

Audit / evidence tips

  • Ask: The patch management policy document. Good: Will clearly state that non-critical patches must be applied within two weeks.
  • Good: Is a log showing consistent updates occurring within two weeks of patch release.
  • Ask: Staff training records on patch management. Good: Will have recent training specifically covering patch timelines.
  • Good: Will show vulnerabilities being resolved within two weeks of patches being available.
  • Ask: A demonstration of the testing process for patches. Good: Would be a step-by-step process that includes testing, review and approval steps before full deployment.
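The operational note and the audit tips above both reduce to one check per advisory: is the control in scope (an online service, vendor-rated non-critical, no working exploit known), and was the patch or vendor mitigation applied within 14 days of release? The script below, an added example that is not part of this page or of Control Stack, runs that check over a constructed patch log and reports which advisories are compliant, still pending, overdue, or out of this control's scope. The record fields, system names, advisory ids and dates are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# ISM-1690 window: two weeks from vendor release of the patch or mitigation.
WINDOW_DAYS = 14


@dataclass
class PatchRecord:
    """One vendor advisory as tracked in a patch log (field names are assumptions)."""
    system: str
    advisory: str              # vendor advisory id, constructed for this example
    released: date             # date the vendor released the patch or mitigation
    applied: Optional[date]    # date it was applied, or None if still outstanding
    severity: str              # vendor assessment: "critical" or "non-critical"
    exploit_known: bool        # True if a working exploit is known to exist
    online_service: bool       # True if the affected system is an online service


def in_scope(rec: PatchRecord) -> bool:
    """ISM-1690 covers online services rated non-critical by the vendor with no
    working exploit. Critical vulnerabilities and those with known exploits are
    subject to shorter windows under other controls, so they are reported here
    as out of scope rather than silently given the 14-day window."""
    return rec.online_service and rec.severity == "non-critical" and not rec.exploit_known


def deadline(rec: PatchRecord) -> date:
    """Last compliant application date for this advisory."""
    return rec.released + timedelta(days=WINDOW_DAYS)


def assess(rec: PatchRecord, today: date) -> str:
    """Classify one record as out-of-scope, compliant, pending or overdue."""
    if not in_scope(rec):
        return "out-of-scope"
    due = deadline(rec)
    if rec.applied is not None:
        return "compliant" if rec.applied <= due else "overdue"
    # Not yet applied: still inside the window, or already past it.
    return "pending" if today <= due else "overdue"


def days_late(rec: PatchRecord, today: date) -> int:
    """Days past the deadline (0 if not overdue); unapplied patches are measured to today."""
    end = rec.applied if rec.applied is not None else today
    return max(0, (end - deadline(rec)).days)


def audit(records: list[PatchRecord], today: date) -> dict[str, str]:
    """Map advisory id to status for every record in the log."""
    return {rec.advisory: assess(rec, today) for rec in records}


def overdue_advisories(records: list[PatchRecord], today: date) -> list[str]:
    """Advisory ids that breached the two-week window (the audit finding)."""
    return [rec.advisory for rec in records if assess(rec, today) == "overdue"]


# Constructed sample patch log: systems, advisory ids and dates are invented.
TODAY = date(2026, 3, 22)
SAMPLE_LOG = [
    PatchRecord("web-portal",  "VENDOR-2026-001", date(2026, 3, 1),  date(2026, 3, 10), "non-critical", False, True),
    PatchRecord("web-portal",  "VENDOR-2026-002", date(2026, 3, 1),  date(2026, 3, 20), "non-critical", False, True),
    PatchRecord("api-gateway", "VENDOR-2026-003", date(2026, 3, 10), None,              "non-critical", False, True),
    PatchRecord("api-gateway", "VENDOR-2026-004", date(2026, 2, 20), None,              "non-critical", False, True),
    PatchRecord("web-portal",  "VENDOR-2026-005", date(2026, 3, 15), None,              "critical",     False, True),
    PatchRecord("web-portal",  "VENDOR-2026-006", date(2026, 3, 15), None,              "non-critical", True,  True),
    PatchRecord("hr-desktop",  "VENDOR-2026-007", date(2026, 2, 1),  None,              "non-critical", False, False),
]

if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(f"{rec.advisory:16} {rec.system:12} {assess(rec, TODAY):13} "
              f"due {deadline(rec)} late {days_late(rec, TODAY)}d")
    print("overdue:", overdue_advisories(SAMPLE_LOG, TODAY))
```

Run against a real patch log, the `overdue` list is the evidence an auditor is asking for in the tips above, and the `out-of-scope` rows are the reminder that a critical rating or a known exploit moves an advisory onto a tighter timeline rather than exempting it.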

Cross-framework mappings

How ISM-1690 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 8.8 (Partially meets): ISM-1690 requires a specific patching outcome: apply non-critical patches for online services within two weeks when no working exploits e...

E8

  • E8-PO-ML1.6 (Partially overlaps): ISM-1690 requires non-critical vulnerability patches for online services to be applied within two weeks where no working exploits exist.
  • E8-PA-ML1.6 (Related): ISM-1690 requires that patches, updates or other vendor mitigations for vulnerabilities in online services are applied within two weeks w...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
