ISM-1691 ASD Information Security Manual (ISM)

Timely Vulnerability Patching in Software Tools

Apply patches to major software tools like browsers and email clients within two weeks to prevent vulnerabilities.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML1, ML2

Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure that updates for important software like web browsers and email programs are applied within two weeks of their release. This is crucial because failing to update these tools can leave your business open to cyber attacks, where hackers exploit these vulnerabilities to steal data or disrupt operations.

Why it matters

Unchecked vulnerabilities in browsers, email clients, PDF apps and security tools can be exploited quickly, leading to compromise, data loss, and outages.

Operational notes

Track vendor releases for listed apps and enforce patching within 14 days; use automation for rollout, but validate and expedite critical/high-risk fixes.

Implementation tips

  • The IT team should keep a list of all key software tools in use, such as browsers, email clients, and office productivity software. They should check weekly for new updates or patches released by the software vendors, using vendor websites or automated notification systems.
  • System administrators should set up automatic updates wherever possible in the software settings. If automatic updates are not available, they should plan for manual installation within the outlined two-week period to ensure compliance.
  • Managers should ensure that team members are aware of the importance of timely updates and offer guidelines on how to report issues if automatic updates fail. This includes providing contact information for IT support within the organisation.
  • Procurement officers should evaluate and choose software vendors that have a clear track record of timely updates and provide support for patching vulnerabilities quickly. This can be assessed during the initial acquisition of the software.
  • Office managers should facilitate regular meetings between IT staff and department heads to discuss the current status of software updates. This ensures all departments are on track and any hurdles can be addressed promptly.

Audit / evidence tips

  • Ask for: the software inventory list. Request a list of all major software tools in use, including browsers and email clients.

    Good evidence: a well-maintained, up-to-date list that is regularly reviewed and modified as needed.

  • Ask for: update logs or records. Request documentation showing the dates when patches were applied to the listed software.

    Good evidence: patches consistently applied within two weeks, with explanations for any delays.

  • Ask for: automatic update settings documentation. Request screenshots or configuration logs showing the settings for automatic updates, and confirm that automatic updates are enabled where possible.

    Good evidence: proactive configuration of settings for consistent patch deployment.

  • Ask for: meeting notes or agendas. Request records of recent IT and department meetings that discuss software updates.

    Good evidence: regular discussion and swift action on update issues.

  • Ask for: vendor contracts or agreements. Request procurement documents that show the criteria for selecting software vendors, especially concerning update and patch support.

    Good evidence: a detailed vendor assessment covering patch reliability and support.
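As an added example (not Control Stack's or the ISM's own material), the following Python helper evaluates the kind of update log the audit tips above ask for against the two-week window from the operational notes: it skips software outside the categories the control statement lists, treats unapplied patches as pending until the deadline passes and overdue afterwards, and reports the share of applied patches that met the window. The category labels, asset names and sample records are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Software categories named in the ISM-1691 control statement; the category
# labels themselves are assumed for this example, not an official taxonomy.
COVERED = {"office suite", "web browser", "browser extension",
           "email client", "pdf application", "security product"}
WINDOW = timedelta(days=14)  # "within two weeks of release"

@dataclass
class PatchRecord:
    asset: str
    software: str
    category: str
    released: date          # vendor release date of the patch
    applied: date | None    # None means not yet applied

# Constructed sample evidence, as an auditor might extract it from update logs.
TODAY = date(2025, 5, 30)
SAMPLE = [
    PatchRecord("ws-01", "Firefox", "web browser", date(2025, 5, 1), date(2025, 5, 9)),
    PatchRecord("ws-02", "Outlook", "email client", date(2025, 5, 1), date(2025, 5, 20)),
    PatchRecord("ws-03", "Acrobat Reader", "pdf application", date(2025, 5, 10), None),
    PatchRecord("ws-03", "EDR agent", "security product", date(2025, 5, 25), None),
    PatchRecord("srv-01", "Apache HTTPD", "web server", date(2025, 4, 1), None),
]

def assess(records: list[PatchRecord], today: date) -> list[tuple[str, str, str, int]]:
    """Return (asset, software, status, days since release) for in-scope records.
    COMPLIANT/LATE describe applied patches; PENDING/OVERDUE describe patches
    not yet applied, before and after the 14-day deadline respectively."""
    findings = []
    for r in records:
        if r.category not in COVERED:
            continue  # out of scope here (e.g. server software falls under other controls)
        deadline = r.released + WINDOW
        if r.applied is None:
            status = "OVERDUE" if today > deadline else "PENDING"
            days = (today - r.released).days
        else:
            status = "COMPLIANT" if r.applied <= deadline else "LATE"
            days = (r.applied - r.released).days
        findings.append((r.asset, r.software, status, days))
    return findings

def window_compliance(findings: list[tuple[str, str, str, int]]) -> float | None:
    """Share of applied patches that met the two-week window; None if none applied."""
    closed = [f for f in findings if f[2] in ("COMPLIANT", "LATE")]
    return sum(f[2] == "COMPLIANT" for f in closed) / len(closed) if closed else None
```

Calling `assess(SAMPLE, TODAY)` flags the Outlook patch as late and the Acrobat Reader patch as overdue, while the server software is ignored because this control does not cover it.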

Cross-framework mappings

How ISM-1691 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1691 sets a specific, time-bound requirement to apply vendor patches/mitigations for vulnerabilities in common productivity and secur...

E8

Control Notes Details
Partially overlaps (2)
E8-PA-ML3.1 ISM-1691 mandates applying patches for key end-user software (e.g
E8-PA-ML3.2 ISM-1691 requires patches, updates or vendor mitigations for vulnerabilities in office productivity suites, web browsers and extensions, ...
Supports (1)
E8-PA-ML1.4 E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates in key software so remediation can be actioned
