Timely Application of Vendor Patches for Non-Critical OS Vulnerabilities
Apply OS patches for non-critical issues within a month if no exploits exist.
Plain language
This control requires that updates for minor security issues in the operating systems of certain IT equipment (devices other than workstations, servers and network devices) be applied within a month, as long as no known exploits are taking advantage of these issues. This matters because even small vulnerabilities can be discovered and exploited by cybercriminals over time, potentially leading to data breaches or disruption of services if not addressed in time.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Neglecting non-critical OS patches on non-server/workstation equipment can leave known flaws unpatched, enabling compromise of less monitored IT devices.
Operational notes
Track vendor OS patch releases for non-server/workstation/network devices and apply non-critical fixes within 1 month when no working exploits are known.
Implementation tips
- The IT team should set a regular schedule to check for any new patches or updates from software vendors for non-critical vulnerabilities. They can do this by subscribing to vendor update notifications or regularly visiting vendor websites to ensure they don’t miss any updates.
- System owners should note down which pieces of equipment are eligible for these updates, focusing on those that aren’t standard workstations, servers, or network devices. They should create a list and update it periodically in case new equipment is added.
- The IT team should apply any found patches to the respective equipment within a month of release. This can often be done through remote management tools or during maintenance windows to avoid disrupting business operations.
- Management should ensure communication channels are set up where the IT team can report back on which patches have been applied, keeping everyone informed. A brief weekly check-in can help track progress and resolve any issues quickly.
- The office manager can monitor and support the process by ensuring the IT team has the resources and time they need to apply these patches promptly. This might include approving overtime or allocating budget for necessary tools or training.
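The operational notes and implementation tips above describe a one-month deadline that only applies to equipment outside the workstation/server/network-device classes, to vulnerabilities the vendor rates as non-critical, and only while no working exploit is known. As an added example (not part of this Control Stack page and not ASD's own tooling), the following Python script assesses an inventory of patch records against that rule and groups devices by status; the inventory, the device-class names and the vendor rating scale are constructed for illustration, and "one month" is interpreted here as 30 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# ISM-1751 scope: equipment other than workstations, servers and network devices
# (those classes fall under separate patching controls).
EXCLUDED_CLASSES = {"workstation", "server", "network_device"}

# Vendor ratings treated as non-critical for this control. Hypothetical mapping;
# adjust to the vendor's own severity scale.
NON_CRITICAL_RATINGS = {"low", "moderate", "medium"}

# "One month" interpreted as 30 days here (assumption for this example).
SLA = timedelta(days=30)


@dataclass
class PatchRecord:
    device: str
    device_class: str
    patch_id: str
    released: date
    vendor_rating: str          # vendor's own severity rating
    exploit_known: bool         # True if a working exploit is known to exist
    applied: Optional[date]     # None if not yet applied


def in_scope(rec: PatchRecord) -> bool:
    """True if ISM-1751 governs this record: non-excluded device class,
    vendor-rated non-critical, and no working exploit known."""
    return (rec.device_class not in EXCLUDED_CLASSES
            and rec.vendor_rating.lower() in NON_CRITICAL_RATINGS
            and not rec.exploit_known)


def assess(rec: PatchRecord, today: date) -> str:
    """Classify one record against the one-month SLA."""
    if not in_scope(rec):
        return "out_of_scope"      # a different (usually faster) timeframe applies
    deadline = rec.released + SLA
    if rec.applied is None:
        return "overdue" if today > deadline else "pending"
    return "compliant" if rec.applied <= deadline else "applied_late"


def sla_report(records, today: date) -> dict:
    """Group device names by SLA status; 'overdue' entries are the audit findings."""
    report = {"compliant": [], "pending": [], "overdue": [],
              "applied_late": [], "out_of_scope": []}
    for rec in records:
        report[assess(rec, today)].append(rec.device)
    return report


# Constructed sample inventory (not real devices, vendors or patch identifiers).
SAMPLE = [
    PatchRecord("mfp-01", "multifunction_printer", "fw-2024-05a", date(2024, 5, 1), "low", False, date(2024, 5, 20)),
    PatchRecord("bms-02", "building_controller", "os-7.2.1", date(2024, 4, 1), "moderate", False, None),
    PatchRecord("kiosk-07", "kiosk", "os-3.9", date(2024, 5, 15), "low", False, None),
    PatchRecord("ws-11", "workstation", "kb-000000", date(2024, 5, 1), "low", False, None),
    PatchRecord("cam-03", "ip_camera", "fw-1.4.2", date(2024, 5, 10), "low", True, None),
    PatchRecord("mfp-02", "multifunction_printer", "fw-2024-03b", date(2024, 3, 1), "low", False, date(2024, 4, 15)),
]
SAMPLE_TODAY = date(2024, 6, 1)


def sample_report() -> dict:
    """Run the checker over the constructed inventory as of SAMPLE_TODAY."""
    return sla_report(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    for status, devices in sample_report().items():
        print(f"{status:13s} {', '.join(devices) or '-'}")
```

Records marked out_of_scope are not ignored; they are handed to whichever control covers that device class, a critical rating or a known exploit, which is why the workstation and the camera with a known exploit drop out of this report rather than being counted as compliant.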
Audit / evidence tips
- Ask for the patch management schedule: request a copy of the schedule or calendar that the IT team uses to track patch release dates and application deadlines. Look to see if the schedule includes timelines for non-critical patch applications.
  Good: shows regular, documented intervals aligning with monthly update windows.
  Good: contains specific entries with a focus on non-standard IT equipment.
- Ask for recent patch implementation reports.
  Good: a detailed log of the most recent patches applied within the last month.
- Ask for the documented vendor communications that indicate new patches have been released.
  Good: timely, showing regular checks and alerts from trusted vendors.
- Ask for meeting minutes or notes from patch update check-ins.
  Good: regular, with actionable items tracked and resolved.
Cross-framework mappings
How ISM-1751 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.8 | Partially meets | ISM-1751 requires a specific patching outcome: non-critical vendor OS vulnerabilities (with no working exploits) on certain IT equipment ... |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-PO-ML3.4 | Partially overlaps | E8-PO-ML3.4 requires non-critical OS patching within one month for workstations, non-internet-facing servers and non-internet-facing netw... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.