ISM-1751 (policy, ASD Information Security Manual (ISM))

Timely Application of Vendor Patches for Non-Critical OS Vulnerabilities

Apply OS patches for non-critical issues within a month if no exploits exist.


Plain language

This control requires that updates for minor security issues in the operating systems of certain IT equipment be applied within a month, as long as no known working exploits take advantage of these issues. This matters because even small vulnerabilities can be discovered and exploited by cybercriminals over time, potentially leading to data breaches or disruption of services if they are not addressed in time.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

Neglecting non-critical OS patches on non-server/workstation equipment can leave known flaws unpatched, enabling compromise of less monitored IT devices.


Operational notes

Track vendor OS patch releases for non-server/workstation/network devices and apply non-critical fixes within 1 month when no working exploits are known.


Implementation tips

  • The IT team should set a regular schedule to check for any new patches or updates from software vendors for non-critical vulnerabilities. They can do this by subscribing to vendor update notifications or regularly visiting vendor websites to ensure they don’t miss any updates.
  • System owners should note down which pieces of equipment are eligible for these updates, focusing on those that aren’t standard workstations, servers, or network devices. They should create a list and update it periodically in case new equipment is added.
  • The IT team should apply any found patches to the respective equipment within a month of release. This can often be done through remote management tools or during maintenance windows to avoid disrupting business operations.
  • Management should ensure communication channels are set up where the IT team can report back on which patches have been applied, keeping everyone informed. A brief weekly check-in can help track progress and resolve any issues quickly.
  • The office manager can monitor and support the process by ensuring the IT team has the resources and time they need to apply these patches promptly. This might include approving overtime or allocating budget for necessary tools or training.
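As an added illustration (not Control Stack or ASD material), the following Python script encodes the control's scope conditions (device is not a workstation, server or network device; vendor rates the vulnerability non-critical; no working exploit is known) together with the one-month deadline, and flags overdue records in a constructed inventory. The device class labels, severity labels and the calendar-month reading of "one month" are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import calendar
# Device classes ISM-1751 excludes (assumed labels; those classes fall under other controls).
OUT_OF_SCOPE_CLASSES = {"workstation", "server", "network_device"}

@dataclass
class PatchRecord:
    device_id: str
    device_class: str
    vendor_severity: str     # vendor's own rating, e.g. "critical", "high", "medium"
    working_exploit: bool    # True when a working exploit is known to exist
    released: date
    applied: date | None     # None while the patch is still outstanding

def in_scope(rec: PatchRecord) -> bool:
    """Control applies only to non-critical, unexploited vulns on 'other' IT equipment."""
    return (rec.device_class not in OUT_OF_SCOPE_CLASSES
            and rec.vendor_severity.lower() != "critical"
            and not rec.working_exploit)

def add_one_month(d: date) -> date:
    """Deadline one calendar month after d (assumed reading of 'one month'); clamps to month end."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def overdue(records: list[PatchRecord], today: date) -> list[str]:
    """Device IDs of in-scope patches applied (or still pending) after the one-month deadline."""
    late = []
    for r in records:
        if not in_scope(r):
            continue
        done_by = r.applied if r.applied is not None else today
        if done_by > add_one_month(r.released):
            late.append(r.device_id)
    return late

# Constructed sample inventory; IDs and dates are made up for the example.
SAMPLE = [
    PatchRecord("printer-01", "printer", "medium", False, date(2026, 1, 10), date(2026, 2, 5)),
    PatchRecord("badge-reader-03", "physical_access", "low", False, date(2026, 1, 10), None),
    PatchRecord("kiosk-07", "kiosk", "critical", False, date(2026, 1, 10), None),
    PatchRecord("srv-02", "server", "medium", False, date(2026, 1, 10), None),
    PatchRecord("hmi-04", "ot_hmi", "high", True, date(2026, 1, 31), None),
    PatchRecord("phone-12", "voip_handset", "medium", False, date(2026, 1, 31), date(2026, 3, 1)),
]
if __name__ == "__main__":
    print(overdue(SAMPLE, date(2026, 3, 19)))  # -> ['badge-reader-03', 'phone-12']
```

Records that are critical, exploited, or on excluded device classes are skipped here because they fall under other ISM patching controls with shorter windows, not because they need no action.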

Audit / evidence tips

  • Ask: The patch management schedule. Request a copy of the schedule or calendar that the IT team uses to track patch release dates and application deadlines, and check whether it includes timelines for non-critical patch applications. Good: shows regular, documented intervals aligning with monthly update windows, and contains specific entries with a focus on non-standard IT equipment.
  • Ask: Recent patch implementation reports. Good: a detailed log of the most recent patches applied within the last month.
  • Ask: The documented vendor communications that indicate new patches have been released. Good: timely, showing regular checks and alerts from trusted vendors.
  • Ask: Meeting minutes or notes from patch update check-ins. Good: regular, with actionable items tracked and resolved.

Cross-framework mappings

How ISM-1751 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 8.8
Relationship: Partially meets (1)
Notes: ISM-1751 requires a specific patching outcome: non-critical vendor OS vulnerabilities (with no working exploits) on certain IT equipment ...

E8

Control: E8-PO-ML3.4
Relationship: Partially overlaps (1)
Notes: E8-PO-ML3.4 requires non-critical OS patching within one month for workstations, non-internet-facing servers and non-internet-facing netw...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
