ISM-1697 (policy) ASD Information Security Manual (ISM)

Apply Non-Critical Patches Within One Month

Apply updates for driver vulnerabilities within a month if they are non-critical and have no known exploits.


Plain language

Applying patches within a month for non-critical issues in your computer drivers is like fixing a small leak in a roof before it rains heavily. While these updates may not seem urgent, ignoring them can lead to bigger problems like system slowdowns or even data loss if vulnerabilities are exploited later.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

If non-critical driver patches (no known working exploits) aren’t applied within 1 month, exposure to privilege escalation or device compromise increases.


Operational notes

Track vendor driver advisories; when rated non-critical and no working exploit exists, test then deploy within 1 month and record evidence of completion.


Implementation tips

  • The IT team should regularly check for driver updates. This can be done by scheduling a monthly check using reliable software update tools that notify them when new patches are available.
  • System owners should create a priority list of drivers based on their importance to business operations. This helps in deciding which updates need to be attended to first, ensuring critical drivers are never missed.
  • Office managers should ensure staff are aware of the patching schedule. Communicating the plan in advance prevents downtime surprises and allows staff time to save work and power down systems as needed.
  • IT support should test updates in a controlled environment before full deployment. Create a small testing group to apply updates first, ensuring no adverse effects before rolling them out to the entire organisation.
  • Assign a team member to document all updates applied and any issues encountered. This log should include update dates, driver names, and systems affected for accountability and easy reference in case of future issues.
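The update log the tips above describe is only useful if it can be checked against the control's one-month window. The following is an added example (not Control Stack's or ASD's code) that classifies logged driver advisories against ISM-1697's criteria: only vendor-rated non-critical issues with no working exploit are in scope, and each one is compliant, late, pending or overdue relative to its release date. It assumes "one month" means 30 calendar days and uses constructed sample entries.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "one month" modelled as 30 calendar days; adjust to your policy.
WINDOW = timedelta(days=30)


@dataclass
class DriverAdvisory:
    driver: str                      # driver / firmware package name
    released: date                   # vendor release date of the fix
    vendor_critical: bool            # vendor's severity assessment
    working_exploit: bool            # a working exploit is known to exist
    applied: Optional[date] = None   # deployment date, None if not yet applied


def in_scope(adv: DriverAdvisory) -> bool:
    """ISM-1697 covers only non-critical issues with no working exploit."""
    return not adv.vendor_critical and not adv.working_exploit


def deadline(adv: DriverAdvisory) -> date:
    return adv.released + WINDOW


def status(adv: DriverAdvisory, today: date) -> str:
    """compliant/late for applied patches, pending/overdue for outstanding ones."""
    if not in_scope(adv):
        return "out-of-scope"   # critical or exploited: a different timeframe applies
    if adv.applied is not None:
        return "compliant" if adv.applied <= deadline(adv) else "late"
    return "overdue" if today > deadline(adv) else "pending"


def report(advisories, today: date) -> dict:
    """Map each driver name to its ISM-1697 status as of `today`."""
    return {a.driver: status(a, today) for a in advisories}


# Constructed sample log entries (not real advisories).
TODAY = date(2026, 3, 19)
SAMPLE = [
    DriverAdvisory("nic-fw-1.4", date(2026, 1, 5), False, False, date(2026, 1, 20)),
    DriverAdvisory("gpu-drv-531", date(2026, 1, 5), False, False, date(2026, 2, 10)),
    DriverAdvisory("chipset-9.2", date(2026, 2, 20), False, False),
    DriverAdvisory("audio-7.1", date(2026, 1, 10), False, False),
    DriverAdvisory("storage-ctl-3.0", date(2026, 3, 1), True, False),
]

if __name__ == "__main__":
    for driver, state in report(SAMPLE, TODAY).items():
        print(f"{driver}: {state}")
```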

Audit / evidence tips

  • Ask: the driver update schedule. Request the documented plan that shows how and when driver updates are checked.

    Good: includes a structured and clear timeline that includes update checks every month.

  • Good: includes a log of test results with steps taken to address any problems before full implementation.

  • Ask: staff communication records. Request emails or notices sent to staff about scheduled updates.

    Good: demonstrates proactive communication that gave staff adequate warning before updates occurred.

  • Ask: to see the priority list for driver updates.

    Good: includes an assessment of drivers based on their role in business operations and risk level.

  • Ask: the update log documentation. Request the record showing all updates applied and any encountered issues.

    Good: provides comprehensive logs that track each update and any action taken.


Cross-framework mappings

How ISM-1697 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 8.8 (Partially meets): ISM-1697 requires applying vendor-provided mitigations for non-critical driver vulnerabilities within one month where no working exploits...
  • Annex A 5.7 (Supports): ISM-1697 requires organisations to apply non-critical driver patches within one month when no working exploits exist.

E8

  • Partially overlaps: 5 controls
  • Supports: 6 controls
  • Related: 1 control

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
