ISM-1696 policy ASD Information Security Manual (ISM)

Apply Critical Patches Within 48 Hours

Apply critical security patches to certain systems within 48 hours to prevent exploits.


Plain language

This control is about making sure that important security updates, known as critical patches, are installed on certain computer systems within two days of their release. This is crucial because if you delay these updates, it can leave your systems vulnerable to hackers who can exploit these weaknesses and potentially cause damage or loss by accessing sensitive data.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Why it matters

Failure to apply critical OS patches within 48 hours can allow rapid exploitation, leading to compromise of workstations and internal servers, data loss, and downtime.


Operational notes

Track vendor advisories and exploit intel; prioritise critical OS patches for workstations and non-internet-facing servers/devices and enforce automated deployment to meet the 48-hour window.


Implementation tips

  • The IT team should track new critical patches: Set up a system to receive notifications from software vendors about new critical patches. Tools like email alerts or vendor-specific dashboards can be used to ensure that you’re aware of patches as soon as they are released.
  • The IT manager should prioritise these patches: Organise and assess which systems need urgent updates based on vendor guidance and potential risks. Use a checklist to identify systems that are the most crucial, such as servers critical to operations, and ensure they are patched first.
  • System administrators should apply patches directly: Once patches are identified, the system administrators should implement them on the intended systems. Follow vendor instructions carefully to ensure correct patching, and make sure you're not disrupting business-essential operations during the process.
  • Office managers should coordinate with IT: Ensure that teams affected by potential downtime due to patching are informed. Prepare a communication plan so everyone knows what to expect, and consider scheduling updates during off-peak hours to minimise impact.
  • The IT support team should verify patch installations: After patches are applied, use system reports to confirm that the update was successful. Check system logs or vendor tools to verify that patches are not only deployed but also active and functioning as expected.

Audit / evidence tips

  • Ask: A list of all critical patches received in the past month. Request records that show notifications received for critical patches from vendors. Good evidence: A comprehensive log showing received patches with timestamps matching vendor releases.
  • Ask: The patch prioritisation policy. Request the document or policy which outlines how critical patches are prioritised. Good evidence: A policy document that clearly lists criteria such as system criticality and potential risk.
  • Ask: Patch implementation records. Request documentation showing when and on which systems the patches were applied. Good evidence: A report detailing patch application times, affected systems, and responsible personnel.
  • Ask: Confirmation communications sent to stakeholders. Request emails or messages sent to stakeholders about patching schedules. Good evidence: Timely distributed communications that outline the expected implementation schedule.
  • Ask: System verification logs. Request logs that verify successful patch applications. Good evidence: Logs showing completed patching with no errors and confirmation of system functionality post-update.
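The verification step in the implementation tips and the "patch implementation records" evidence above both come down to the same measurement: time from vendor release to installation, checked against the 48-hour window, for the asset classes and severity triggers that ISM-1696 names. The script below is an added example (not from the ISM or the Control Stack site) that derives that report from patch records; the asset-class tags, host names and advisory identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple
# ISM-1696: 48h window for workstations and non-internet-facing servers/devices, triggered by vendor "critical" or a working exploit.
SLA = timedelta(hours=48)
IN_SCOPE_CLASSES = {"workstation", "server-internal", "network-device-internal"}  # hypothetical inventory tags

@dataclass
class PatchRecord:
    host: str
    asset_class: str             # inventory tag, see IN_SCOPE_CLASSES
    advisory: str                # vendor advisory identifier
    vendor_severity: str         # vendor's own rating, e.g. "critical" / "high"
    exploit_known: bool          # working exploit reported by exploit intel
    released: datetime           # vendor release time (UTC)
    applied: Optional[datetime]  # None = not yet applied

def in_scope(r: PatchRecord) -> bool:
    # The 48-hour clock applies only to in-scope asset classes, and only when the vendor rates the flaw critical or a working exploit exists.
    return r.asset_class in IN_SCOPE_CLASSES and (r.vendor_severity.lower() == "critical" or r.exploit_known)

def assess(records: List[PatchRecord], now: datetime) -> Dict[Tuple[str, str], str]:
    # Classify each in-scope (host, advisory): compliant / breach (applied late) / pending (clock running) / overdue (unapplied, past deadline).
    out: Dict[Tuple[str, str], str] = {}
    for r in records:
        if not in_scope(r):
            continue
        deadline = r.released + SLA
        if r.applied is None:
            out[(r.host, r.advisory)] = "overdue" if now > deadline else "pending"
        else:
            out[(r.host, r.advisory)] = "compliant" if r.applied <= deadline else "breach"
    return out

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records: hosts and advisory IDs are placeholders, not real data.
SAMPLE = [
    PatchRecord("ws-0142", "workstation", "VENDOR-ADV-001", "critical", False, _t("2026-03-10T08:00"), _t("2026-03-11T17:30")),
    PatchRecord("fs-03", "server-internal", "VENDOR-ADV-002", "high", True, _t("2026-03-10T08:00"), _t("2026-03-13T09:00")),
    PatchRecord("sw-core-1", "network-device-internal", "VENDOR-ADV-003", "critical", False, _t("2026-03-12T12:00"), None),
    PatchRecord("web-dmz-1", "server-internet-facing", "VENDOR-ADV-001", "critical", False, _t("2026-03-10T08:00"), None),
    PatchRecord("ws-0200", "workstation", "VENDOR-ADV-004", "high", False, _t("2026-03-10T08:00"), None),
]
NOW = _t("2026-03-13T12:00")
if __name__ == "__main__":
    for (host, adv), status in sorted(assess(SAMPLE, NOW).items()):
        print(f"{host:12} {adv:15} {status}")
```

Note that the internet-facing server and the "high" rating without a known exploit drop out of the report: they sit outside ISM-1696's scope, and a report that silently counted them would overstate (or understate) compliance with this specific control.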

Cross-framework mappings

How ISM-1696 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1)
      ◦ Annex A 8.8: ISM-1696 requires a specific technical vulnerability treatment outcome: applying critical OS patches within 48 hours for defined non-inte...
  • Supports (2)
      ◦ Annex A 5.7: ISM-1696 requires applying critical OS patches within 48 hours when vendors assess vulnerabilities as critical or when working exploits e...
      ◦ Annex A 8.9: ISM-1696 requires applying critical operating system patches within 48 hours for workstations and non-internet-facing servers and network...

E8

  • Partially overlaps (2)
  • Depends on (3)
  • Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
