ISM-1693 (ASD Information Security Manual policy control)

Timely Application of Patches to Mitigate Vulnerabilities

Apply updates to non-generic software within a month to keep systems secure.


Plain language

Keeping your software up-to-date is like locking your doors at night. This control ensures that less common software is updated within a month of a security fix being released. If you don't apply these updates, attackers might exploit weaknesses in your software, which could lead to data breaches or disruptions to your business operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within one month of release.

Why it matters

Delaying patches for non-core applications beyond one month leaves known vulnerabilities exploitable, increasing breach and outage risk.


Operational notes

Track vendor releases for non-core applications and apply patches, updates or mitigations within one month, with exceptions risk-assessed.


Implementation tips

  • The IT team should create a list of all installed applications on the organisation's systems that aren’t part of common suites like Microsoft Office or web browsers. They can do this by running an inventory check using automated tools or manual inspections.
  • System administrators should sign up for security notifications from software vendors. These alerts will inform them when updates or patches are released, ensuring they can act quickly within the one-month timeframe.
  • Managers should meet with the IT team monthly to review the status of software updates. They should ensure that all necessary patches have been applied and document any exceptions with a plan to resolve them.
  • The finance team should ensure there is budget allocated for software maintenance and updates. They can do this as part of the annual budgeting process, factoring in potential costs associated with software updates.
  • The organisational leadership should endorse a policy mandating timely application of updates. This can be done by drafting a formal policy document that outlines the procedure and consequences for not adhering to the patching timeline.
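A timeliness check over a patch management log, as an added example that is not from the ISM or the Control Stack site: it applies the one-month window (assumed here as 30 days), sets aside the application categories the control statement excludes because other controls cover them, and separates risk-assessed exceptions from overdue items. Application names, categories and dates are constructed.

```python
"""Patch-timeliness check for ISM-1693 (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Categories the control statement excludes; they are covered by other ISM
# patching controls, so they are reported as 'excluded' rather than assessed.
EXCLUDED_CATEGORIES = {"office productivity suite", "web browser", "browser extension",
                       "email client", "PDF application", "security product"}
WINDOW = timedelta(days=30)   # "within one month", assumed here as 30 days
TODAY = date(2025, 5, 1)      # assessment date for the sample run

@dataclass
class PatchRecord:
    app: str
    category: str
    released: date                      # vendor release date of the fix
    applied: Optional[date]             # None = not yet applied
    exception_ref: Optional[str] = None # risk-assessed exception id, if any

def assess(rec: PatchRecord, today: date) -> str:
    """Return 'excluded', 'compliant', 'pending', 'exception' or 'overdue'."""
    if rec.category in EXCLUDED_CATEGORIES:
        return "excluded"
    deadline = rec.released + WINDOW
    if rec.applied is not None and rec.applied <= deadline:
        return "compliant"
    if rec.applied is None and today <= deadline:
        return "pending"          # still inside the window
    # Applied late, or not applied and past the deadline.
    return "exception" if rec.exception_ref else "overdue"

def summarise(records, today: date) -> dict:
    """Group application names by assessment status."""
    out: dict = {}
    for r in records:
        out.setdefault(assess(r, today), []).append(r.app)
    return out

# Constructed sample patch log (not real vendor data).
SAMPLE_LOG = [
    PatchRecord("7-Zip", "archive utility", date(2025, 4, 1), date(2025, 4, 10)),
    PatchRecord("VLC", "media player", date(2025, 3, 1), date(2025, 4, 15)),
    PatchRecord("ERP client", "line-of-business", date(2025, 3, 1), None, "RA-0042"),
    PatchRecord("CAD tool", "engineering", date(2025, 4, 20), None),
    PatchRecord("Chrome", "web browser", date(2025, 3, 1), None),
]

if __name__ == "__main__":
    for status, apps in summarise(SAMPLE_LOG, TODAY).items():
        print(f"{status}: {', '.join(apps)}")
```

Entries reported as overdue without an exception reference are the ones an auditor would expect to see either remediated or covered by a documented, risk-assessed exception.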

Audit / evidence tips

  • Ask for: the software inventory list. Request the IT-maintained list of non-generic software that runs on the organisation’s systems. Good evidence: a current list that matches the latest system inventory check.
  • Ask for: the patch management log. Review the document tracking when patches were applied to each piece of software. Good evidence: a log showing updates completed within 30 days of release.
  • Ask for: security alert subscriptions. Verify that the IT team receives notifications from software vendors. Good evidence: active subscriptions confirmed by vendor alerts or recent patch releases.
  • Ask to see: the monthly IT review notes. Review the recorded outcomes of monthly update reviews between managers and the IT team. Good evidence: topics discussed, issues resolved, and captured follow-up actions.
  • Ask for: the organisation's software update policy. Check that there is a formal document outlining the update procedures and responsibilities. Good evidence: a signed and dated policy with annexed roles and procedures.

Cross-framework mappings

How ISM-1693 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1): Annex A 8.8. ISM-1693 requires a specific remediation action: applying patches/updates/vendor mitigations for certain applications within one month of...

E8

  • Partially overlaps (3)
  • Supports (2)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
