Timely Application of Patches to Mitigate Vulnerabilities
Apply updates to non-generic software within a month to keep systems secure.
Plain language
Keeping your software up-to-date is like locking your doors at night. This control ensures that less common software is updated within a month of a security fix being released. If you don't apply these updates, attackers might exploit weaknesses in your software, which could lead to data breaches or disruptions to your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within one month of release.
Why it matters
Delaying patches for non-core applications beyond one month leaves known vulnerabilities exploitable, increasing breach and outage risk.
Operational notes
Track vendor releases for non-core applications and apply patches, updates or mitigations within one month, with exceptions risk-assessed.
Implementation tips
- The IT team should create a list of all installed applications on the organisation's systems that fall outside the categories this control excludes (office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products, which the ISM covers under separate patching controls). They can do this by running an inventory check using automated tools or manual inspections, and should record a vendor and version for each entry so that releases can be matched to it.
- System administrators should sign up for security notifications from software vendors. These alerts will inform them when updates or patches are released, ensuring they can act quickly within the one-month timeframe.
- Managers should meet with the IT team monthly to review the status of software updates. They should ensure that all necessary patches have been applied and document any exceptions with a plan to resolve them.
- The finance team should ensure there is budget allocated for software maintenance and updates. They can do this as part of the annual budgeting process, factoring in potential costs associated with software updates.
- The organisational leadership should endorse a policy mandating timely application of updates. This can be done by drafting a formal policy document that outlines the procedure and consequences for not adhering to the patching timeline.
Audit / evidence tips
- Ask: the software inventory list. Request the IT-maintained list of non-generic software that runs on the organisation's systems.
  Good: a current list that matches the latest system inventory check.
- Ask: the patch management log. Review the document tracking, for each piece of software, when each patch was released and when it was applied.
  Good: a log showing updates completed within 30 days of release, with any exceptions referenced.
- Ask: security alert subscriptions. Verify that the IT team receives notifications from software vendors.
  Good: active subscriptions confirmed by vendor alerts or recent patch releases.
- Ask: the monthly IT review notes. Review the recorded outcomes of monthly update reviews between managers and the IT team.
  Good: topics discussed, issues resolved, and captured follow-up actions.
- Ask: the organisation's software update policy. Check that there is a formal document outlining the update procedures and responsibilities.
  Good: a signed and dated policy with annexed roles and procedures.
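The patch log check above can be automated. The following Python script is an added example, not part of the ISM or of this page: it reads a constructed patch-management log (application, category, version, vendor release date, date applied, exception reference) and classifies each tracked release against the one-month window, treating one month as 30 days as the evidence tip does. Application names, categories, the log format and the exception reference `RA-0042` are assumptions for illustration. Rows in the categories the control statement excludes are reported as out of scope rather than assessed, because the ISM addresses them under separate patching controls.

```python
"""Evaluate a patch-management log against the ISM-1693 one-month window.

Added example; not ISM or original-page code. Log format, application
names and dates are constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Categories the control statement excludes (covered by separate ISM controls).
EXCLUDED_CATEGORIES = {
    "office", "browser", "browser-extension", "email", "pdf", "security",
}
# "One month" approximated as 30 days, matching the evidence tip on this page.
WINDOW = timedelta(days=30)

# Constructed sample log (assumed CSV layout): one row per vendor release.
SAMPLE_LOG = """\
application,category,version,released,applied,exception_ref
Acme Report Builder,line-of-business,4.2.1,2025-03-03,2025-03-20,
Acme Report Builder,line-of-business,4.2.2,2025-04-01,,
Contoso CAD,engineering,11.0.5,2025-02-10,2025-03-28,
Fabrikam Ledger,finance,2.9,2025-03-15,,RA-0042
Microsoft Office,office,16.0.18,2025-03-11,2025-03-12,
"""


def parse_date(text):
    """Parse an ISO date (YYYY-MM-DD); an empty cell means 'not yet applied'."""
    return date.fromisoformat(text) if text else None


def classify(row, today):
    """Return one status for a log row.

    compliant    applied on or before release + 30 days
    late         applied, but after the deadline (non-compliant)
    overdue      not applied and the deadline has passed (non-compliant)
    pending      not applied, deadline still in the future
    excepted     not applied, but a risk-assessed exception is referenced
    out-of-scope category handled by another ISM control
    """
    if row["category"] in EXCLUDED_CATEGORIES:
        return "out-of-scope"
    released = parse_date(row["released"])
    applied = parse_date(row["applied"])
    deadline = released + WINDOW
    if applied is not None:
        return "compliant" if applied <= deadline else "late"
    if row["exception_ref"]:
        return "excepted"
    return "overdue" if today > deadline else "pending"


def evaluate(log_text, today_iso):
    """Classify every row of a CSV log as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        findings.append({
            "application": row["application"],
            "version": row["version"],
            "status": classify(row, today),
        })
    return findings


def noncompliant(findings):
    """Rows that breach the one-month window and are not excepted."""
    return [f for f in findings if f["status"] in ("late", "overdue")]


if __name__ == "__main__":
    results = evaluate(SAMPLE_LOG, "2025-05-02")
    for f in results:
        print(f"{f['application']:<22} {f['version']:<8} {f['status']}")
    print(f"{len(noncompliant(results))} non-compliant release(s)")
```

Run as-is it reports Contoso CAD 11.0.5 as late (applied 46 days after release) and Acme Report Builder 4.2.2 as overdue (31 days with no patch or exception), while the Fabrikam Ledger row is accepted only because it carries an exception reference, which is the artefact the monthly review should be asked to produce.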
Cross-framework mappings
How ISM-1693 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.8 | Partially meets | ISM-1693 requires a specific remediation action: applying patches/updates/vendor mitigations for certain applications within one month of... |
E8
| Relationship | Mapped controls |
|---|---|
| Partially overlaps | 3 |
| Supports | 2 |
| Related | 1 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.