ISM-1754 policy ASD Information Security Manual (ISM)

Timely Resolution of Identified Software Vulnerabilities

Software vulnerabilities should be fixed quickly to prevent potential security risks.


Plain language

This control means that any weakness found in your software should be fixed quickly to keep your organisation safe. If you leave these vulnerabilities unresolved, attackers may exploit them to steal data, disrupt operations, or cause other harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Vulnerabilities identified in software are resolved in a timely manner.

Why it matters

Delaying vulnerability fixes can lead to exploits, with attackers gaining access to sensitive data or disrupting critical operations.


Operational notes

Run regular vulnerability scans and patch promptly. Prioritise remediation by severity, exploitability (for example, evidence of active exploitation) and asset criticality, and track each finding against a remediation deadline so that "timely" is measurable and overdue fixes are visible.


Implementation tips

  • IT team should establish a process for identifying software vulnerabilities: Regularly use automated tools to scan software for vulnerabilities. Set up alerts for when new vulnerabilities are discovered.
  • System owner should prioritise vulnerabilities based on risk: Evaluate the potential impact of each vulnerability on operations and data security. Prioritise fixes for the most critical vulnerabilities that could cause the most harm.
  • IT team should develop and apply patches or updates: Ensure that software updates are created or sourced, tested, and applied swiftly after vulnerabilities are identified. This might involve coordinating with software vendors if third-party products are affected.
  • Manager should allocate resources and support for timely resolutions: Ensure that the IT team has sufficient time, budget, and personnel to address vulnerabilities quickly. Regularly review resource allocation to maintain effectiveness.
  • System owner should document and communicate resolution plans: Clearly document each vulnerability, the resolution steps taken, and the timeline. Share this information with relevant stakeholders to keep them informed and engaged in the process.
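The five tips above describe one workflow: scan, prioritise by risk, remediate, resource, and document. The script below is an added example (not code from the ISM or from Control Stack) that implements the prioritisation and timeliness-tracking parts of that workflow over a constructed scan export. The tiering rules, the asset-criticality register, the SLA table (`SLA_DAYS`) and the finding layout are all assumptions for illustration; ISM-1754 itself sets no timeframes, so an organisation must choose and document its own.

```python
"""Triage scan findings by severity, exploitability and asset criticality,
and check each against a remediation deadline.

Added example, not code from the ISM or Control Stack. The tiering rules,
SLA table and scan-record layout are assumptions for illustration.
"""
from datetime import date, datetime, timedelta

# Constructed sample scan export (not real findings). Dates are ISO strings,
# as most scanner exports emit them.
FINDINGS = [
    {"id": "F-1", "asset": "web-portal",  "cvss": 9.8, "exploited": True,  "found": "2025-05-01", "resolved": None},
    {"id": "F-2", "asset": "hr-db",       "cvss": 7.5, "exploited": False, "found": "2025-05-10", "resolved": None},
    {"id": "F-3", "asset": "dev-wiki",    "cvss": 7.5, "exploited": False, "found": "2025-04-01", "resolved": None},
    {"id": "F-4", "asset": "build-agent", "cvss": 5.3, "exploited": True,  "found": "2025-05-15", "resolved": None},
    {"id": "F-5", "asset": "web-portal",  "cvss": 9.1, "exploited": False, "found": "2025-04-20", "resolved": "2025-04-21"},
    {"id": "F-6", "asset": "dev-wiki",    "cvss": 3.1, "exploited": False, "found": "2025-01-10", "resolved": "2025-04-30"},
]

# Constructed "as of" date for the report run.
TODAY = date(2025, 5, 20)

# Assumed asset criticality from the asset register: 3 = critical, 1 = low.
ASSET_CRITICALITY = {"web-portal": 3, "hr-db": 3, "build-agent": 2, "dev-wiki": 1}

# Assumed remediation SLAs (days from discovery) per priority tier.
SLA_DAYS = {"P1": 2, "P2": 14, "P3": 30, "P4": 90}
TIER_RANK = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def priority_tier(cvss: float, exploited: bool, criticality: int) -> str:
    """Map severity, exploitability and asset criticality to a tier P1..P4."""
    if cvss >= 9.0:
        band = 4
    elif cvss >= 7.0:
        band = 3
    elif cvss >= 4.0:
        band = 2
    else:
        band = 1
    if exploited:           # known exploitation raises the tier by one
        band += 1
    if criticality == 1:    # a low-value asset lowers it by one
        band -= 1
    band = max(1, min(4, band))
    return {4: "P1", 3: "P2", 2: "P3", 1: "P4"}[band]


def _parse(d: str) -> date:
    return datetime.strptime(d, "%Y-%m-%d").date()


def tier_of(finding: dict) -> str:
    # An asset missing from the register is treated as medium criticality.
    crit = ASSET_CRITICALITY.get(finding["asset"], 2)
    return priority_tier(finding["cvss"], finding["exploited"], crit)


def due_date(finding: dict) -> date:
    """Deadline = discovery date plus the SLA for the finding's tier."""
    return _parse(finding["found"]) + timedelta(days=SLA_DAYS[tier_of(finding)])


def status(finding: dict, today: date) -> str:
    """open/overdue for unresolved findings; resolved_on_time/resolved_late otherwise."""
    due = due_date(finding)
    if finding["resolved"] is None:
        return "overdue" if today > due else "open"
    return "resolved_late" if _parse(finding["resolved"]) > due else "resolved_on_time"


def triage(findings: list, today: date) -> list:
    """Open findings ordered by tier, then earliest deadline: the work queue."""
    open_items = [f for f in findings if f["resolved"] is None]
    open_items.sort(key=lambda f: (TIER_RANK[tier_of(f)], due_date(f)))
    return [(f["id"], tier_of(f), due_date(f).isoformat(), status(f, today)) for f in open_items]


def sla_breaches(findings: list, today: date) -> list:
    """IDs of findings that missed, or are past, their deadline: audit evidence."""
    return [f["id"] for f in findings if status(f, today) in ("overdue", "resolved_late")]


if __name__ == "__main__":
    for row in triage(FINDINGS, TODAY):
        print(row)
    print("SLA breaches:", sla_breaches(FINDINGS, TODAY))
```

The output of `sla_breaches` is the list an auditor asks for under "evidence of applied patches": it shows not only what was fixed but whether it was fixed within the deadline the organisation set for that tier. Note that a resolved finding can still be a breach (F-6 above), so on-time rate and open count are both worth reporting.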

Audit / evidence tips

  • Ask for vulnerability assessment reports: request the latest scans and reports that identify software vulnerabilities. Good evidence includes recent and detailed vulnerability findings.
  • Ask for the prioritisation criteria document: request the policy or criteria used to decide which software vulnerabilities to address first. Good evidence shows a structured approach to prioritisation.
  • Ask for the remediation action plan: request documentation showing how identified vulnerabilities are fixed. Good evidence is a detailed plan that is actively followed.
  • Ask for evidence of applied patches: request logs or records of updates applied to the software. Good evidence is a complete and recent patch history.
  • Ask for resource allocation records: request documentation showing the resources allocated to vulnerability management. Good evidence shows management support and resource alignment.

Cross-framework mappings

How ISM-1754 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1): Annex A 8.8 (Management of technical vulnerabilities). ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner.

E8

Partially meets (1)
Partially overlaps (1)
Supports (1)
Related (3)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
