ISM-1877 (ASD Information Security Manual)

Timely Application of Critical Security Patches

Apply critical patches to online systems within 48 hours to prevent vulnerability exploits.


Plain language

This control is about quickly fixing critical weaknesses in your online systems by updating them within two days of the patch being available. It matters because if you don’t update in time, hackers can exploit these vulnerabilities to steal information or cause significant harm to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.

Why it matters

Delaying critical patching can expose online systems to known exploits, leading to data breaches and severe operational disruptions.


Operational notes

Automate patch workflows for internet-facing servers/devices; prioritise, test and deploy critical fixes within 48 hours, and record evidence.


Implementation tips

  • IT staff should monitor for the release of critical patches by software vendors. They can do this by subscribing to vendor security alerts and regularly checking vendor websites for updates.
  • The IT team should create a priority system for updates. They should label each patch as 'critical' or 'non-critical', focusing on 'critical' patches for systems that are exposed to the internet.
  • Assign a lead IT professional to oversee patch installation on critical systems. They should ensure the patch is installed within 48 hours by scheduling a time to perform the update and verifying its success afterward.
  • System owners should verify that critical systems function as expected after patch installation. They can run a set of basic operational tests to ensure no new problems have arisen.
  • Office managers should ensure there is a protocol for informing staff about system changes due to critical patch updates. This can be done through emails or staff meetings, explaining why the updates are crucial for company security.

Audit / evidence tips

  • Ask: A list of installed patches. Request a report showing patches applied to online systems over the past six months. Good: The report shows updates were applied within 48 hours of their release.
  • Ask: The system monitoring logs. Request logs that record when critical patches were identified and flagged, and check them for how quickly critical patches were identified. Good: The logs show vulnerabilities were identified quickly, within a day.
  • Ask: The protocol document for patch management.
  • Ask: Confirmation records from system owners. Review emails or memos confirming post-update testing results; these should show successful testing that aligns with operational needs. Good: Includes timely confirmations free of significant issues.
  • Ask: The communication logs to staff.
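The first two evidence items above amount to a timeliness check: for each patch that falls under ISM-1877 (internet-facing operating system, and either vendor-rated critical or with a working exploit), was it applied within 48 hours of the vendor's release? The following Python script is an added example, not code from the Control Stack page or from the ISM, that performs that check over a constructed patch inventory. The record layout, the asset names and the patch identifiers (such as `KB-0001`) are placeholders chosen for the example; a real review would load the same fields from the patch management report.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# ISM-1877 window: critical patches applied within 48 hours of vendor release.
WINDOW = timedelta(hours=48)


@dataclass
class PatchRecord:
    asset: str
    patch_id: str
    internet_facing: bool
    vendor_severity: str           # vendor rating, e.g. "critical", "high"
    working_exploit: bool          # a working exploit was known at release
    released: datetime             # vendor release time, not the time it was noticed
    applied: Optional[datetime]    # None if the patch is still outstanding


def in_scope(rec: PatchRecord) -> bool:
    """ISM-1877 covers internet-facing OS patches that are vendor-critical
    or have a working exploit; everything else is assessed under other controls."""
    return rec.internet_facing and (
        rec.vendor_severity.lower() == "critical" or rec.working_exploit
    )


def evaluate(rec: PatchRecord, now: datetime):
    """Classify one record and return (status, hours since release)."""
    if not in_scope(rec):
        return "out-of-scope", None
    end = rec.applied if rec.applied is not None else now
    lag = end - rec.released
    hours = round(lag.total_seconds() / 3600, 1)
    if rec.applied is None:
        # Outstanding patch: still inside the window, or already overdue.
        return ("overdue" if lag > WINDOW else "pending"), hours
    return ("compliant" if lag <= WINDOW else "late"), hours


def evaluate_all(records, now: datetime):
    """Return one (asset, patch_id, status, hours) tuple per record."""
    return [(r.asset, r.patch_id, *evaluate(r, now)) for r in records]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s).astimezone(timezone.utc)


# Constructed sample inventory; identifiers are placeholders, not real patches.
SAMPLE = [
    PatchRecord("web01", "KB-0001", True, "critical", False,
                ts("2025-03-01T09:00:00+00:00"), ts("2025-03-02T15:00:00+00:00")),
    PatchRecord("fw01", "FW-0007", True, "high", True,
                ts("2025-03-01T09:00:00+00:00"), ts("2025-03-04T09:00:00+00:00")),
    PatchRecord("db02", "KB-0001", False, "critical", False,
                ts("2025-03-01T09:00:00+00:00"), None),
    PatchRecord("vpn01", "VPN-0003", True, "critical", False,
                ts("2025-03-03T12:00:00+00:00"), None),
    PatchRecord("web02", "KB-0009", True, "high", False,
                ts("2025-03-01T09:00:00+00:00"), None),
]

# Review time, fixed so the example is reproducible offline.
NOW = ts("2025-03-06T00:00:00+00:00")

if __name__ == "__main__":
    for asset, patch_id, status, hours in evaluate_all(SAMPLE, NOW):
        print(f"{asset:6} {patch_id:9} {status:12} {hours if hours is not None else '-'}")
```

Two design points matter for the evidence. First, the lag is measured from the vendor's release time, because the control's clock starts at release, not at the moment the organisation noticed the patch; a log that only records the detection time cannot prove compliance on its own. Second, an outstanding patch is reported as `overdue` once the 48 hours have passed, so a report generated today still surfaces breaches rather than only counting what has already been applied.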

Cross-framework mappings

How ISM-1877 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control | Notes
Partially meets (1)
Annex A 8.8 | ISM-1877 requires a specific remediation outcome: applying critical vendor patches/mitigations to internet-facing operating systems withi...

E8

Control | Notes
Partially overlaps (3)
E8-PA-ML1.5 | ISM-1877 focuses on patching operating systems for internet-facing servers and internet-facing network devices within 48 hours when vulne...
E8-PO-ML1.6 | E8-PO-ML1.6 requires applying non-critical OS patches to internet-facing servers and network devices within two weeks when no working exp...
E8-PO-ML3.3 | ISM-1877 requires critical patching within 48 hours for operating systems on internet-facing servers and internet-facing network devices ...
Depends on (1)
E8-PO-ML1.3 | ISM-1877 requires organisations to apply critical patches to internet-facing operating systems within 48 hours when vendor-critical or ex...
Related (1)
E8-PO-ML1.5 | ISM-1877 requires critical vendor patches/updates/mitigations for operating systems of internet-facing servers and internet-facing networ...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
