Timely Vulnerability Patching in Software Tools
Apply patches to commonly targeted software such as browsers and email clients within two weeks of release to close known vulnerabilities before they are exploited.
Plain language
This control is about making sure that updates for important software like web browsers and email programs are applied within two weeks of their release. This is crucial because failing to update these tools can leave your business open to cyber attacks, where hackers exploit these vulnerabilities to steal data or disrupt operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release.
Why it matters
Unchecked vulnerabilities in browsers, email clients, PDF apps and security tools can be exploited quickly, leading to compromise, data loss, and outages.
Operational notes
Track vendor releases for listed apps and enforce patching within 14 days; use automation for rollout, but validate and expedite critical/high-risk fixes.
Implementation tips
- The IT team should keep a list of all key software tools in use, such as browsers, email clients, and office productivity software. They should check weekly for new updates or patches released by the software vendors, using vendor websites or automated notification systems.
- System administrators should set up automatic updates wherever possible in the software settings. If automatic updates are not available, they should plan for manual installation within the outlined two-week period to ensure compliance.
- Managers should ensure that team members are aware of the importance of timely updates and offer guidelines on how to report issues if automatic updates fail. This includes providing contact information for IT support within the organisation.
- Procurement officers should evaluate and choose software vendors that have a clear track record of timely updates and provide support for patching vulnerabilities quickly. This can be assessed during the initial acquisition of the software.
- Office managers should facilitate regular meetings between IT staff and department heads to discuss the current status of software updates. This ensures all departments are on track and any hurdles can be addressed promptly.
Audit / evidence tips
- Ask: the software inventory list. Request a list of all major software tools in use, including browsers and email clients.
  Good: a well-maintained, up-to-date list that is regularly reviewed and modified as needed.
- Ask: update logs or records. Request documentation showing the dates when patches were applied to the listed software.
  Good: patches consistently applied within two weeks of release, with explanations for any delays.
- Ask: automatic update settings documentation. Request screenshots or configuration logs showing the settings for automatic updates, and confirm that automatic updates are enabled where possible.
  Good: proactive configuration of settings for consistent patch deployment.
- Ask: meeting notes or agendas. Request records of recent IT and department meetings that discuss software updates.
  Good: regular discussion and swift action on update issues.
- Ask: vendor contracts or agreements. Request procurement documents that show the criteria for selecting software vendors, especially concerning update and patch support.
  Good: a detailed vendor assessment regarding patch reliability and support.
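The operational note above asks for patching to be enforced within 14 days of release, and the evidence tips ask for update logs that show it happened. The script below is an added example, not part of the original page or any official ASD tooling: it reconciles a vendor release feed against an install log and reports, per release, whether the two-week window was met, missed, is still open, or has been overrun with nothing installed. Product names, versions and dates are constructed, and the data structures (`Release`, `Install`, `Finding`) are assumptions for the example; in practice the inputs would come from the inventory list and the endpoint management system's patch records.

```python
"""Patch-timeliness check for the two-week window in ISM-1691.

Added example, not part of the original page: reconciles a vendor release
feed against an install/patch log and reports which releases were applied
in time, late, or not at all. All products, versions and dates below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 14  # "within two weeks of release"


@dataclass(frozen=True)
class Release:          # one entry from the vendor release feed (assumed shape)
    product: str
    version: str
    released: date


@dataclass(frozen=True)
class Install:          # one entry from the endpoint patch log (assumed shape)
    product: str
    version: str
    installed: date


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    released: date
    fixed_on: Optional[date]      # date this version, or a later one, was installed
    days_to_patch: Optional[int]
    status: str                   # compliant | late | open | overdue


def assess(releases, installs, today):
    """Return one Finding per vendor release.

    A release counts as fixed on the earliest date on which that version, or
    any version the vendor released after it, was installed. This avoids a
    false 'overdue' finding when an interim update was skipped in favour of
    a newer one. Installs of versions absent from the feed are ignored.
    Releases with no qualifying install are 'open' until the deadline passes
    and 'overdue' afterwards.
    """
    release_date = {(r.product, r.version): r.released for r in releases}
    findings = []
    for r in releases:
        deadline = r.released + timedelta(days=SLA_DAYS)
        fixes = [
            i.installed for i in installs
            if i.product == r.product
            and release_date.get((i.product, i.version), date.min) >= r.released
        ]
        fixed_on = min(fixes) if fixes else None
        if fixed_on is None:
            status = "overdue" if today > deadline else "open"
            findings.append(Finding(r.product, r.version, r.released, None, None, status))
            continue
        days = (fixed_on - r.released).days
        status = "compliant" if days <= SLA_DAYS else "late"
        findings.append(Finding(r.product, r.version, r.released, fixed_on, days, status))
    return findings


def breaches(findings):
    """The findings an auditor will ask about: late or overdue, oldest release first."""
    bad = [f for f in findings if f.status in ("late", "overdue")]
    return sorted(bad, key=lambda f: f.released)


# Constructed sample data (not real vendor releases).
RELEASES = [
    Release("web browser", "1.0", date(2025, 7, 1)),
    Release("web browser", "1.1", date(2025, 7, 10)),
    Release("pdf application", "9.4", date(2025, 6, 10)),
    Release("email client", "3.2", date(2025, 7, 20)),
    Release("office suite", "2.7", date(2025, 6, 20)),
]
INSTALLS = [
    Install("web browser", "1.1", date(2025, 7, 12)),     # 1.0 skipped, covered by 1.1
    Install("pdf application", "9.4", date(2025, 7, 1)),  # 21 days after release
]
TODAY = date(2025, 7, 28)

if __name__ == "__main__":
    for f in assess(RELEASES, INSTALLS, TODAY):
        print(f"{f.product:16} {f.version:5} released {f.released}  "
              f"fixed {f.fixed_on}  days {f.days_to_patch}  {f.status}")
    print("breaches:", [(f.product, f.status) for f in breaches(assess(RELEASES, INSTALLS, TODAY))])
```

The supersession rule matters for browsers in particular, which often ship several releases inside one two-week window; counting each skipped interim build as a missed patch would flood the evidence with false breaches, while counting only the newest build as "installed" would hide the date the earliest vulnerable release was actually closed. The `open` status is what a weekly check (E8-PA-ML1.4) should surface before it becomes `overdue`.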
Cross-framework mappings
How ISM-1691 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)
| Control | Notes |
|---|---|
| Annex A 8.8 | ISM-1691 sets a specific, time-bound requirement to apply vendor patches/mitigations for vulnerabilities in common productivity and secur... |
E8
Partially overlaps (2)
| Control | Notes |
|---|---|
| E8-PA-ML3.1 | ISM-1691 mandates applying patches for key end-user software (e.g |
| E8-PA-ML3.2 | ISM-1691 requires patches, updates or vendor mitigations for vulnerabilities in office productivity suites, web browsers and extensions, ... |
Supports (1)
| Control | Notes |
|---|---|
| E8-PA-ML1.4 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates in key software so remediation can be actioned |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.