Quick Apply Critical Patches for Vulnerabilities
Apply critical patches, updates or vendor mitigations within 48 hours of release to limit exposure to exploitation of known vulnerabilities.
Plain language
Applying critical software updates within 48 hours closes security gaps that attackers are actively looking for, or already have working exploits for. If these updates are not applied quickly, your organisation is exposed to attacks that can steal sensitive information or disrupt operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Not applying critical vendor patches within 48 hours for office suites, browsers and their extensions, email clients, PDF applications and security products increases the likelihood of exploitation, data compromise and operational disruption. These are the applications that process untrusted content from outside the organisation every day, so a known, exploitable flaw in one of them is a direct path in.
Operational notes
Track vendor advisories and exploit intelligence for browsers and extensions, office suites, email clients, PDF applications and security products. Note that the 48-hour clock starts on either trigger: the vendor rating the vulnerability critical, or a working exploit becoming known, whichever comes first. Prioritise automated rollout and post-deployment verification so the 48-hour critical patch SLA can be met and evidenced.
Implementation tips
- IT team should monitor for software patch releases: Watch vendor advisories for office software, web browsers and their extensions, email clients, PDF applications and security tools. Set up alerts or regularly check the vendors' websites for updates flagged as critical, and also watch exploit intelligence sources, because a working exploit for a lower-rated vulnerability also starts the 48-hour clock.
- IT manager should establish a patch application process: Decide who will apply the patches, which systems need them, and how to verify the updates are successful. Create a checklist to make sure no step is missed during this patching process, including recording the vendor release time so the 48-hour deadline is unambiguous.
- System administrator should perform the patching task: Once critical or exploited vulnerabilities are identified, ensure the patches, updates or vendor mitigations are applied to all relevant systems within 48 hours of release. Follow the vendor's instructions, then confirm the installed version on each system rather than assuming the rollout succeeded.
- Office manager should schedule regular check-ins with IT: Organise weekly meetings to review what patches have been released and confirm that critical updates were applied on time. Document these discussions to keep track of compliance.
- HR or admin head should educate staff about the importance: Inform employees why these updates are crucial and encourage them to alert IT if they notice any update prompts on their work machines. Regular staff meetings can include a brief reminder about this process.
Audit / evidence tips
- Ask: the update log from IT systems. Request the documented record of all patches applied in the past few months.
  Good: All critical patches applied within 48 hours of release.
- Good: Alerts are in place and show actionable updates with time frames.
- Ask: the checklist used during patch application. Request the documented process checklist for implementing patches.
  Good: A detailed checklist that aligns with applied patches.
- Ask: minutes or notes from the meetings between office and IT staff.
  Good: Regular meeting notes reflecting awareness and action on patches.
- Good: Emails sent promptly after critical update releases with clear action instructions.
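The first evidence item above, the update log checked against the 48-hour deadline, is mechanical enough to script. The following is an added example, not code from the page, the ASD ISM or any patch-management product: it reads a constructed CSV log (the column layout and the ADV-000x advisory identifiers are assumptions made for illustration), decides which rows fall under this control (vendor-rated critical, or a working exploit known, either trigger is enough), and reports for each whether the SLA was met, breached, is still pending, or is already overdue with no patch applied.

```python
"""Check a patch-application log against the ISM-1692 48-hour SLA.

Added example; not from the ASD ISM or this page's author. The CSV layout
and the advisory identifiers are constructed for illustration. In practice
the rows would be exported from your patch-management tooling.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)

# Constructed sample log. 'released' is the vendor's patch/mitigation release
# time; 'applied' is when the last in-scope host was confirmed patched
# (empty if still outstanding); 'exploited' records whether a working
# exploit was known. Timestamps are ISO 8601 with an explicit UTC offset.
SAMPLE_LOG = """\
product,advisory,severity,exploited,released,applied
Web browser,ADV-0001,critical,no,2025-05-01T10:00:00+00:00,2025-05-02T09:30:00+00:00
PDF reader,ADV-0002,critical,yes,2025-05-03T08:00:00+00:00,2025-05-06T12:00:00+00:00
Office suite,ADV-0003,high,no,2025-05-04T00:00:00+00:00,2025-05-12T00:00:00+00:00
Email client,ADV-0004,high,yes,2025-05-07T15:00:00+00:00,
Security product,ADV-0005,critical,no,2025-05-09T18:00:00+00:00,
"""

# The "as of" time used when assessing the sample log (constructed).
AS_OF = datetime(2025, 5, 10, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the CSV text into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["exploited"] = row["exploited"].strip().lower() in ("yes", "true", "1")
        row["released"] = datetime.fromisoformat(row["released"])
        row["applied"] = datetime.fromisoformat(row["applied"]) if row["applied"] else None
        rows.append(row)
    return rows


def in_scope(row):
    """The 48-hour clock applies when the vendor rates the vulnerability
    critical OR a working exploit exists; either trigger alone is enough."""
    return row["severity"].strip().lower() == "critical" or row["exploited"]


def sla_status(row, now):
    """Classify one log row relative to the 48-hour deadline."""
    if not in_scope(row):
        return "out_of_scope"
    deadline = row["released"] + SLA
    if row["applied"] is None:
        # Nothing applied yet: still inside the window, or already late.
        return "overdue" if now > deadline else "pending"
    return "met" if row["applied"] <= deadline else "breached"


def assess(text, now):
    """Map advisory id -> SLA status for every row in the log."""
    return {row["advisory"]: sla_status(row, now) for row in parse_log(text)}


def summarise(results):
    """Counts an auditor would want: closed-on-time vs late, plus open items."""
    statuses = list(results.values())
    return {
        "met": statuses.count("met"),
        "breached": statuses.count("breached"),
        "overdue": statuses.count("overdue"),
        "pending": statuses.count("pending"),
    }


if __name__ == "__main__":
    results = assess(SAMPLE_LOG, AS_OF)
    for advisory, status in results.items():
        print(f"{advisory}: {status}")
    print(summarise(results))
```

Two points of the design matter for evidence quality: the deadline is computed from the vendor's release time, not from when IT noticed the advisory, because that is how the control statement is worded; and a "high" vulnerability with a known exploit (ADV-0004 in the sample) is treated as in scope, which a filter on vendor severity alone would miss.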
Cross-framework mappings
How ISM-1692 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001

| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.8 | Partially meets | ISM-1692 requires a specific, time-bound response: applying critical patches for defined application categories within 48 hours when vend... |

E8

| Control | Relationship | Notes |
|---|---|---|
| E8-PA-ML3.2 | Partially overlaps | E8-PA-ML3.2 requires organisations to apply patches for non-critical vulnerabilities in common user applications and security products wi... |
| E8-PA-ML1.4 | Supports | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for vulnerabilities in key user applications and security pro... |
| E8-PA-ML3.1 | Related | E8-PA-ML3.1 requires patches, updates or vendor mitigations for critical or exploited vulnerabilities in office suites, browsers/extensio... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.