Timely Application of System Security Patches
Ensure non-internet-facing systems are updated within a month to protect against known vulnerabilities.
Plain language
This control means you need to update software on computers and devices that aren't directly connected to the internet within a month of a fix being available. This is important because if you don't, you leave these systems open to attacks from hackers who take advantage of known weaknesses, which can lead to data theft or disruption of business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
Why it matters
Delaying patches on non-internet-facing systems leaves known OS vulnerabilities exploitable, increasing the likelihood of compromise and service disruption.
Operational notes
Track vendor patch releases and apply OS patches to workstations, non-internet-facing servers and network devices within 1 month, after compatibility testing.
Implementation tips
- System administrators should keep a list of all non-internet-facing systems that need regular updates. Use a simple spreadsheet that tracks each system's software updates and when they were last installed.
- IT teams should check for available updates or patches from vendors at least once a week. Go to the vendor's website or use an automatic update checking tool to identify new security patches.
- Managers should schedule monthly update sessions with the IT team to ensure all systems are patched. Use a calendar reminder to confirm these sessions happen and keep notes on what was updated.
- Procurement should maintain a list of all current vendors providing software and hardware to the organisation. This list should include contact information to quickly get update notices or patches when they are released.
- IT teams should run a test environment where updates can be installed and verified before applying them to all systems. Create a simplified version of your network where updates can be tested to ensure they do not disrupt operations.
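The spreadsheet the first tip describes can be checked mechanically against the one-month window. The script below is an added example, not part of the Control Stack page or the ISM; it assumes a constructed CSV inventory with the columns shown, models "one month" as 30 days, and treats workstations as always in scope while excluding internet-facing servers and network devices, which ISM-1695 does not cover.

```python
"""Check a patch inventory against the ISM-1695 one-month window (added example)."""
import csv
import io
from datetime import date, timedelta

# Assumption: "one month of release" is modelled as 30 calendar days.
WINDOW = timedelta(days=30)
# Asset types named by the control statement.
IN_SCOPE_TYPES = {"workstation", "server", "network_device"}

# Constructed sample inventory in the shape of the tracking spreadsheet.
INVENTORY_CSV = """hostname,asset_type,internet_facing,patch_released,patch_applied
ws-001,workstation,no,2024-03-05,2024-03-20
srv-db-01,server,no,2024-03-05,
srv-file-01,server,no,2024-03-05,2024-04-10
srv-app-01,server,no,2024-04-01,
sw-core-01,network_device,no,2024-03-05,2024-03-28
web-01,server,yes,2024-03-05,
"""


def in_scope(row):
    """Workstations are always covered; servers and network devices only if not internet-facing."""
    if row["asset_type"] not in IN_SCOPE_TYPES:
        return False
    if row["asset_type"] == "workstation":
        return True
    return row["internet_facing"].strip().lower() != "yes"


def assess(csv_text, today):
    """Map hostname -> compliant | late | pending | overdue | out_of_scope."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not in_scope(row):
            results[row["hostname"]] = "out_of_scope"
            continue
        deadline = date.fromisoformat(row["patch_released"]) + WINDOW
        applied = row["patch_applied"].strip()
        if applied:  # patched: was it inside the window?
            status = "compliant" if date.fromisoformat(applied) <= deadline else "late"
        else:        # not yet patched: is the window still open?
            status = "pending" if today <= deadline else "overdue"
        results[row["hostname"]] = status
    return results


if __name__ == "__main__":
    for host, status in assess(INVENTORY_CSV, date(2024, 4, 15)).items():
        print(f"{host:12} {status}")
```

Hosts reported as "late" or "overdue" are the ones an auditor would expect to see explained in the patch status list.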
Audit / evidence tips
- Ask for the patch management schedule documentation and ensure it covers all relevant systems. Good evidence is a clearly defined schedule that aligns with the monthly patch application requirement.
- Ask for evidence of vendor communication regarding patches. Good evidence is a list that is comprehensive and includes every relevant system with its corresponding patch status.
- Ask for the testing protocols for patch implementation. Good evidence is a protocol that shows step-by-step testing processes and results confirming that patches work without issues.
Cross-framework mappings
How ISM-1695 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1695 requires organisations to apply OS security patches for non-internet-facing workstations, servers and network devices within one... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-PO-ML3.3 | ISM-1695 mandates applying OS security patches for non-internet-facing workstations, servers and network devices within one month of release | |
| E8-PO-ML3.4 | ISM-1695 requires patches, updates or other vendor mitigations for OS vulnerabilities on workstations, non-internet-facing servers and no... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.