Apply Non-Critical Patches Within One Month
Apply updates for driver vulnerabilities within a month if they are non-critical and have no known exploits.
Plain language
Applying patches within a month for non-critical issues in your computer drivers is like fixing a small leak in a roof before it rains heavily. While these updates may not seem urgent, ignoring them can lead to bigger problems like system slowdowns or even data loss if vulnerabilities are exploited later.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
If non-critical driver patches (no known working exploits) aren’t applied within 1 month, exposure to privilege escalation or device compromise increases.
Operational notes
Track vendor driver advisories; when rated non-critical and no working exploit exists, test then deploy within 1 month and record evidence of completion.
Implementation tips
- The IT team should regularly check for driver updates. This can be done by scheduling a monthly check using reliable software update tools that notify them when new patches are available.
- System owners should create a priority list of drivers based on their importance to business operations. This helps in deciding which updates need to be attended to first, ensuring critical drivers are never missed.
- Office managers should ensure staff are aware of the patching schedule. Communicating the plan in advance prevents downtime surprises and allows staff time to save work and power down systems as needed.
- IT support should test updates in a controlled environment before full deployment. Create a small testing group to apply updates first, ensuring no adverse effects before rolling them out to the entire organisation.
- Assign a team member to document all updates applied and any issues encountered. This log should include update dates, driver names, and systems affected for accountability and easy reference in case of future issues.
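As an added example (not part of this control page or the ASD ISM), the Python check below applies the control's one-month rule to a constructed driver-advisory inventory, so a team tracking vendor advisories can see which patches are compliant, late, pending or overdue. The record layout, the audit date and the "out-of-scope" label for critical or exploited vulnerabilities (which fall under a stricter timeframe) are assumptions made here.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

TODAY = date(2024, 5, 1)  # constructed audit date used for the sample run

@dataclass
class DriverAdvisory:
    driver: str
    released: date            # date the vendor released the patch or mitigation
    vendor_rating: str        # vendor's severity rating, e.g. "low", "medium", "critical"
    working_exploit: bool     # True if a working exploit is known to exist
    applied: Optional[date]   # date the patch was deployed, None while still pending

def add_one_month(d: date) -> date:
    """Same day one calendar month later, clamped to month end (31 Jan -> 29 Feb 2024)."""
    month = d.month % 12 + 1
    year = d.year + d.month // 12
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))

def in_scope(a: DriverAdvisory) -> bool:
    """ISM-1697 covers patches the vendor rates non-critical with no working exploit."""
    return a.vendor_rating.lower() != "critical" and not a.working_exploit

def assess(a: DriverAdvisory, today: date) -> str:
    """Status against the one-month window; critical or exploited cases fall under a stricter control."""
    if not in_scope(a):
        return "out-of-scope"
    due = add_one_month(a.released)
    if a.applied is not None:
        return "compliant" if a.applied <= due else "late"
    return "pending" if today <= due else "overdue"

def report(advisories, today: date = TODAY) -> dict:
    """Map each driver to its status; keep the output as evidence of completion."""
    return {a.driver: assess(a, today) for a in advisories}

# Constructed sample inventory (assumed record layout), not real advisories.
SAMPLE = [
    DriverAdvisory("gpu-display", date(2024, 3, 4), "medium", False, date(2024, 3, 20)),
    DriverAdvisory("nic-ethernet", date(2024, 1, 31), "low", False, date(2024, 3, 1)),
    DriverAdvisory("audio-codec", date(2024, 4, 20), "medium", False, None),
    DriverAdvisory("storage-nvme", date(2023, 12, 15), "low", False, None),
    DriverAdvisory("chipset", date(2024, 4, 25), "critical", False, None),
    DriverAdvisory("bluetooth", date(2024, 4, 25), "medium", True, None),
]
```

Running `report(SAMPLE)` marks the NVMe driver overdue and the Ethernet driver late because a 31 January release is due by 29 February, not 31 March; the two out-of-scope rows are the ones this control does not cover.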
Audit / evidence tips
- Ask for the driver update schedule: request the documented plan that shows how and when driver updates are checked.
  Good: includes a structured and clear timeline with update checks every month.
- Good: includes a log of test results with steps taken to address any problems before full implementation.
- Ask for staff communication records: request emails or notices sent to staff about scheduled updates.
  Good: demonstrates proactive communication that gave staff adequate warning before updates occurred.
- Ask to see the priority list for driver updates.
  Good: includes an assessment of drivers based on their role in business operations and risk level.
- Ask for the update log documentation: request the record showing all updates applied and any encountered issues.
  Good: provides comprehensive logs that track each update and any action taken.
Cross-framework mappings
How ISM-1697 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | ISM-1697 requires applying vendor-provided mitigations for non-critical driver vulnerabilities within one month where no working exploits... |
| Supports | Annex A 5.7 | ISM-1697 requires organisations to apply non-critical driver patches within one month when no working exploits exist |
E8
| Relationship | Number of mapped controls |
|---|---|
| Partially overlaps | 5 |
| Supports | 6 |
| Related | 1 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.