Timely Application of Non-Critical Security Patches
Apply patches for non-critical vulnerabilities on internet-facing devices within two weeks if no known exploits are available.
Plain language
This control means that if there's a known weakness in the software of your devices that connect to the internet, you need to fix it within two weeks if it isn't a major issue and no one is trying to exploit it yet. This matters because even smaller weaknesses can become big problems if left unaddressed, potentially allowing cybercriminals to access your systems and compromise your data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Delaying non-critical patching on internet-facing systems increases exposure to compromise, enabling unauthorised access and data breaches.
Operational notes
Track vendor releases; when rated non-critical and no working exploit exists, patch internet-facing servers/devices within 14 days.
Implementation tips
- The IT team should regularly check for new updates or patches for internet-facing devices. Use subscription services from software vendors to get notified whenever a new patch or update is released.
- System owners should prioritise applying these patches within two weeks of their release. Establish a clear process for evaluating the criticality of updates and make a schedule to apply non-critical ones promptly.
- Managers should ensure resources are available for the IT team to perform these updates. This means allowing time and providing the necessary tools like access to systems and software to make updates possible.
- IT staff should test patches in a controlled environment before deploying them broadly. Set up a small test system that mimics the main system to apply patches first and ensure they don't disrupt operations.
- Communication should come from the IT team to all users impacted by potential updates. Inform staff about scheduled updates and any potential downtime so they can plan their work accordingly.
Audit / evidence tips
- Ask for the patch management policy document: check that it includes procedures for handling non-critical patches within two weeks. Good evidence contains timeframes, the roles responsible, and the steps for handling patches.
- Ask for a list of known non-critical vulnerabilities and the corresponding action logs: inspect the action logs to verify that non-critical patches were actually applied within the window. Good evidence has vulnerability details, patch release dates, and times of application.
- Ask for records of the test environments used for patches: verify that the team uses these environments to test patches before widespread application. Good evidence shows a separate environment set up for pre-deployment testing.
Cross-framework mappings
How ISM-1694 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.8 | Partially meets | ISM-1694 requires a specific patching outcome: non-critical OS vulnerabilities on internet-facing servers and network devices are remedia... |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-PO-ML1.5 | Partially overlaps | ISM-1694 requires applying vendor mitigations for non-critical vulnerabilities in operating systems on internet-facing servers and networ... |
| E8-PA-ML1.6 | Partially overlaps | ISM-1694 requires non-critical operating system security patches for internet-facing servers and internet-facing network devices to be ap... |
| E8-PO-ML3.4 | Partially overlaps | E8-PO-ML3.4 requires applying non-critical OS patches within one month for non-internet-facing workstations, servers and network devices ... |
| E8-PO-ML1.3 | Supports | ISM-1694 requires non-critical operating system patches on internet-facing servers and network devices to be applied within two weeks und... |
| E8-PO-ML1.6 | Related | E8-PO-ML1.6 requires applying non-critical patches (where no working exploits exist) to operating systems on internet-facing servers and ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.