ISM-1693 ASD Information Security Manual (ISM)

Timely Application of Patches to Mitigate Vulnerabilities

Apply updates to non-generic software within a month to keep systems secure.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML2, ML3

Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within one month of release.

Source: ASD Information Security Manual (ISM)

Plain language

Keeping your software up to date is like locking your doors at night. This control ensures that less common software is updated within a month of a security fix being released. If you don't apply these updates, attackers might exploit weaknesses in your software, which could lead to data breaches or disruptions to your business operations.

Why it matters

Delaying patches for non-core applications beyond one month leaves known vulnerabilities exploitable, increasing breach and outage risk.

Operational notes

Track vendor releases for non-core applications and apply patches, updates or mitigations within one month, with exceptions risk-assessed.

Implementation tips

  • The IT team should create a list of all installed applications on the organisation's systems that aren’t part of common suites like Microsoft Office or web browsers. They can do this by running an inventory check using automated tools or manual inspections.
  • System administrators should sign up for security notifications from software vendors. These alerts will inform them when updates or patches are released, ensuring they can act quickly within the one-month timeframe.
  • Managers should meet with the IT team monthly to review the status of software updates. They should ensure that all necessary patches have been applied and document any exceptions with a plan to resolve them.
  • The finance team should ensure there is budget allocated for software maintenance and updates. They can do this as part of the annual budgeting process, factoring in potential costs associated with software updates.
  • The organisational leadership should endorse a policy mandating timely application of updates. This can be done by drafting a formal policy document that outlines the procedure and consequences for not adhering to the patching timeline.

Audit / evidence tips

  • Ask for the software inventory list: request the IT-maintained list of non-generic software that runs on the organisation’s systems

    Good: a current list that matches the latest system inventory check

  • Ask for the patch management log: review the document tracking when patches were applied to each piece of software

    Good: a log showing updates completed within 30 days of release

  • Ask about security alert subscriptions: verify that the IT team receives notifications from software vendors

    Good: active subscriptions confirmed by vendor alerts or recent patch releases

  • Ask to see the monthly IT review notes: review the recorded outcomes of monthly update reviews between managers and the IT team

    Good: topics discussed, issues resolved, and captured follow-up actions

  • Ask for the organisation's software update policy: check that there is a formal document outlining the update procedures and responsibilities

    Good: a signed and dated policy with annexed roles and procedures
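As an added example (not part of the Control Stack page or the ISM itself), the following Python script evaluates a constructed patch-management log against this control: it sets aside the application categories the control statement excludes, treats "one month" as 30 days, and reports each in-scope entry as compliant, late, pending, or overdue (with or without a risk-assessed exception). The category labels, log fields and the 30-day interpretation are assumptions for illustration.

```python
from datetime import date, timedelta

# Application categories the ISM-1693 statement excludes; these are covered by
# a separate control, so they are reported as out-of-scope here (assumed labels).
EXCLUDED_CATEGORIES = {
    "office productivity suite", "web browser", "browser extension",
    "email client", "pdf application", "security product",
}
WINDOW_DAYS = 30  # "within one month", interpreted as 30 days (assumption)

# Constructed sample patch-management log. "applied" is None when the patch
# has not yet been applied; "exception" holds a risk-assessment reference.
PATCH_LOG = [
    {"app": "Acme Payroll", "category": "line-of-business",
     "released": date(2025, 9, 1), "applied": date(2025, 9, 20), "exception": None},
    {"app": "Chrome", "category": "web browser",
     "released": date(2025, 9, 1), "applied": date(2025, 10, 15), "exception": None},
    {"app": "Legacy CAD", "category": "engineering",
     "released": date(2025, 8, 1), "applied": None, "exception": "RA-0042"},
    {"app": "Build Agent", "category": "developer tool",
     "released": date(2025, 8, 1), "applied": date(2025, 9, 15), "exception": None},
]


def assess(entry, as_of):
    """Classify one log entry against the one-month patching window."""
    if entry["category"] in EXCLUDED_CATEGORIES:
        return "out-of-scope"
    deadline = entry["released"] + timedelta(days=WINDOW_DAYS)
    if entry["applied"] is not None:
        return "compliant" if entry["applied"] <= deadline else "late"
    if as_of <= deadline:
        return "pending"  # still inside the window, nothing to flag yet
    # Past the deadline with no patch: acceptable only with a documented exception.
    return "overdue-with-exception" if entry["exception"] else "overdue"


def assess_log(log, as_of):
    """Return {app: status} for every entry, evaluated as of the given date."""
    return {e["app"]: assess(e, as_of) for e in log}


def findings(log, as_of):
    """Apps an auditor would raise: late, or overdue without an exception."""
    return sorted(a for a, s in assess_log(log, as_of).items() if s in ("late", "overdue"))


if __name__ == "__main__":
    for app, status in assess_log(PATCH_LOG, date(2025, 10, 1)).items():
        print(f"{app:14} {status}")
```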

Cross-framework mappings

How ISM-1693 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets: 1)

Control: Annex A 8.8
Notes: ISM-1693 requires a specific remediation action: applying patches/updates/vendor mitigations for certain applications within one month of...

E8 (partially overlaps: 3; supports: 2; related: 1)
