Apply Critical Patches Within 48 Hours
Apply critical security patches to certain systems within 48 hours to prevent exploits.
Plain language
This control is about making sure that important security updates, known as critical patches, are installed on certain computer systems within two days of their release. This is crucial because if you delay these updates, it can leave your systems vulnerable to hackers who can exploit these weaknesses and potentially cause damage or loss by accessing sensitive data.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Failure to apply critical OS patches within 48 hours can allow rapid exploitation, leading to compromise of workstations and internal servers, data loss, and downtime.
Operational notes
Track vendor advisories and exploit intel; prioritise critical OS patches for workstations and non-internet-facing servers/devices and enforce automated deployment to meet the 48-hour window.
Implementation tips
- The IT team should track new critical patches: Set up a system to receive notifications from software vendors about new critical patches. Tools like email alerts or vendor-specific dashboards can be used to ensure that you’re aware of patches as soon as they are released.
- The IT manager should prioritise these patches: Organise and assess which systems need urgent updates based on vendor guidance and potential risks. Use a checklist to identify systems that are the most crucial, such as servers critical to operations, and ensure they are patched first.
- System administrators should apply patches directly: Once patches are identified, the system administrators should implement them on the intended systems. Follow vendor instructions carefully to ensure correct patching, and make sure you're not disrupting business-essential operations during the process.
- Office managers should coordinate with IT: Ensure that teams affected by potential downtime due to patching are informed. Prepare a communication plan so everyone knows what to expect, and consider scheduling updates during off-peak hours to minimise impact.
- The IT support team should verify patch installations: After patches are applied, use system reports to confirm that the update was successful. Check system logs or vendor tools to verify that patches are not only deployed but also active and functioning as expected.
Audit / evidence tips
- Ask: a list of all critical patches received in the past month. Request records that show notifications received for critical patches from vendors.
  Good: a comprehensive log showing received patches with timestamps matching vendor releases.
- Ask: the patch prioritisation policy. Request the document or policy which outlines how critical patches are prioritised.
  Good: a policy document that clearly lists criteria like system criticality and potential risk.
- Ask: patch implementation records. Request documentation showing when and on which systems the patches were applied.
  Good: a report detailing patch application times, affected systems, and responsible personnel.
- Ask: confirmation communications sent to stakeholders. Request emails or messages sent to stakeholders about patching schedules.
  Good: timely distributed communications that outline the expected implementation schedule.
- Ask: system verification logs. Request logs that verify successful patch applications.
  Good: logs showing completed patching with no errors and confirmation of system functionality post-update.
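As an added example (not the ISM's or the Control Stack site's own tooling), the following Python check applies the control statement's trigger (vendor-rated critical, or a working exploit exists) and scope (workstations, non-internet-facing servers and network devices) to a constructed deployment log and reports which systems met, missed, or are still inside the 48-hour window; the record field names and advisory ids are assumptions.

```python
# Added example, not from the ISM or the Control Stack site: checks a constructed
# deployment log against the ISM-1696 48-hour window. Field names are assumptions.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)
# Asset classes in the control statement; internet-facing systems fall under other controls.
IN_SCOPE = {"workstation", "non-internet-facing server", "non-internet-facing network device"}


def qualifies(adv):
    """The 48-hour window applies when the vendor rates it critical OR a working exploit exists."""
    return adv["vendor_severity"] == "critical" or adv["working_exploit"]


def assess(assets, advisories, deployments, now):
    """One finding per in-scope asset per qualifying advisory: ok, late, overdue or pending."""
    applied_at = {(d["host"], d["advisory_id"]): d["applied"] for d in deployments}
    findings = []
    for asset in assets:
        if asset["asset_class"] not in IN_SCOPE:
            continue
        for adv in advisories:
            if not qualifies(adv):
                continue
            deadline = adv["released"] + WINDOW  # clock starts at vendor release, not receipt
            applied = applied_at.get((asset["host"], adv["id"]))
            if applied is None:
                status = "overdue" if now > deadline else "pending"
            else:
                status = "ok" if applied <= deadline else "late"
            findings.append({"host": asset["host"], "advisory": adv["id"],
                             "status": status, "deadline": deadline})
    return findings


T = datetime.fromisoformat
ASSETS = [  # constructed inventory
    {"host": "ws-01", "asset_class": "workstation"},
    {"host": "db-01", "asset_class": "non-internet-facing server"},
    {"host": "web-01", "asset_class": "internet-facing server"}]
ADVISORIES = [  # constructed vendor notices; ids are placeholders
    {"id": "ADV-A", "released": T("2026-03-02T09:00"), "vendor_severity": "critical", "working_exploit": False},
    {"id": "ADV-B", "released": T("2026-03-03T09:00"), "vendor_severity": "high", "working_exploit": True},
    {"id": "ADV-C", "released": T("2026-03-03T09:00"), "vendor_severity": "high", "working_exploit": False}]
DEPLOYMENTS = [  # constructed deployment log
    {"host": "ws-01", "advisory_id": "ADV-A", "applied": T("2026-03-03T15:00")},
    {"host": "db-01", "advisory_id": "ADV-A", "applied": T("2026-03-05T12:00")},
    {"host": "ws-01", "advisory_id": "ADV-B", "applied": T("2026-03-04T20:00")}]
NOW = T("2026-03-06T09:00")
if __name__ == "__main__":
    for f in assess(ASSETS, ADVISORIES, DEPLOYMENTS, NOW):
        print(f"{f['host']:6} {f['advisory']:5} {f['status']:8} deadline {f['deadline']:%Y-%m-%d %H:%M}")
```

On the constructed data, db-01 is reported late for ADV-A (applied 75 hours after release) and overdue for the exploit-backed ADV-B, while ADV-C (high, no exploit) and the internet-facing web-01 produce no findings under this control.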
Cross-framework mappings
How ISM-1696 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1696 requires a specific technical vulnerability treatment outcome: applying critical OS patches within 48 hours for defined non-inte... | |
| Supports (2) | | |
| Annex A 5.7 | ISM-1696 requires applying critical OS patches within 48 hours when vendors assess vulnerabilities as critical or when working exploits e... | |
| Annex A 8.9 | ISM-1696 requires applying critical operating system patches within 48 hours for workstations and non-internet-facing servers and network... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| Depends on (3) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.