Apply Critical Patches Within 48 Hours
Install critical patches for online services within 48 hours when notified by the vendor or if exploits are present.
Plain language
This control is all about being quick to fix critical issues in your online services. When a vendor releases an important update or a security hole has been found, it's crucial to patch it within 48 hours. This prevents hackers from exploiting known weaknesses, which could lead to data breaches, financial loss, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system managementSection
System patchingOfficial control statement
Patches, updates or other vendor mitigations for vulnerabilities in online services are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Failure to apply critical patches within 48 hours can allow rapid exploitation of known flaws in online services, causing breaches and outage.
Operational notes
Monitor vendor alerts for critical or exploited flaws and use an emergency change process to deploy patches to online services within 48 hours.
Implementation tips
- IT team should monitor for updates: Regularly check for alerts and emails from your software vendors about critical updates. Use an updates dashboard or sign up for email alerts to stay informed.
- System owners should prioritise critical updates: Create a list of essential online services and their vulnerabilities. Make sure these are patched first by setting them as a priority in your patch management software.
- Managers should allocate resources for quick response: Ensure enough staff are available to test and apply patches within the required timeframe. This might involve scheduling on-call personnel specifically for critical patch days.
- IT support should establish a routine patching process: Develop a step-by-step guide for deploying patches that includes backing up systems, applying updates, and testing them in a non-production environment first to minimise disruption.
- Document patch applications: The IT team should keep records of when and how updates are applied, detailing any issues encountered. Use a spreadsheet or digital log to track patch status and follow-up actions.
Audit / evidence tips
- AskThe patch logs from the IT department: Request documentation showing when updates were received and applied GoodIncludes exact patch dates and times that match vendor release notes
- GoodClearly defined critical systems with documented approval
- AskChange management records: Request records that track changes made during patch application GoodIncludes thorough notes with no significant downtime or issues reported
- GoodIncludes a routine acknowledgment system marking critical items as urgent
- AskDocumented procedures in case a patch fails GoodProvides a step-by-step action plan, tested and ready to ensure systems remain operational
Cross-framework mappings
How ISM-1876 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.8 | ISM-1876 requires critical patches or vendor mitigations for online services to be applied within 48 hours when vendors rate vulnerabilit... | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (4) expand_less | ||
| E8-PO-ML1.5 | E8-PO-ML1.5 requires critical vendor patches or mitigations to be applied within 48 hours for operating systems on internet-facing server... | |
| E8-PA-ML1.6 | E8-PA-ML1.6 requires patching vulnerabilities in online services within two weeks when vendors assess them as non-critical and no working... | |
| E8-PO-ML3.3 | ISM-1876 requires applying critical patches for vulnerabilities in online services within 48 hours based on vendor criticality or the pre... | |
| E8-PO-ML3.7 | ISM-1876 requires critical patches or mitigations for vulnerabilities in online services within 48 hours when vendors rate them critical ... | |
| link Related (1) expand_less | ||
| E8-PA-ML1.5 | E8-PA-ML1.5 requires patches, updates or vendor mitigations for critical vulnerabilities in online services to be applied within 48 hours... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.