Apply Critical Patches Within 48 Hours
Critical system updates must be installed within 48 hours to prevent security risks.
Plain language
Critical security updates for your IT systems should be installed within 48 hours when deemed critical by vendors. This is crucial because failing to act quickly could leave your systems vulnerable to cyber attacks, which can lead to data breaches, financial losses, and damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
If critical OS patches are not applied within 48 hours, known or exploited vulnerabilities may be rapidly abused, causing outages, data compromise and financial loss.
Operational notes
Monitor vendor advisories and exploit intel, prioritise critical OS patches for non-workstation/server/network devices, and automate deployment to meet the 48-hour window.
Implementation tips
- Assign responsibility: Designate an IT team member or specialist to monitor security update announcements from your software vendors. They should subscribe to vendor notifications or alerts to stay informed about any new patches.
- Establish a patching schedule: Your IT team should create and maintain a calendar that outlines when critical updates need to be applied. This can be done by setting reminders and regularly checking in with vendors for any critical updates.
- Create a testing environment: An IT technician should set up a separate testing environment to trial new patches before applying them company-wide. This helps ensure that updates don’t disrupt your systems.
- Implement an approval process: Managers should establish a quick approval process for applying critical patches. This can be a simple protocol where the IT team explains the necessity of the patch to decision-makers without delay.
- Automate where possible: Use patch management software if budget allows, to automatically apply critical patches. Your IT team can set thresholds to identify which types of updates should automatically be applied.
Audit / evidence tips
- Ask: patch management policy. Review the organisation's document outlining how patches are managed.
  Good: includes a detailed policy that specifies timelines and responsibilities for patching.
- Ask: records of applied patches from the IT team, ideally over the last six months.
  Good: log shows patches applied within 48 hours of release when marked critical.
- Good: shows active subscription to multiple vendor alert systems.
- Ask: recent case examples. Request a demonstration or report of a recent critical patch application.
  Good: includes prompt action logs and minimal disruption reports.
- Good: process includes a logical setup and evidence of regular use.
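An added audit check, written for this page and not taken from the Control Stack site or the ISM, that applies the ISM-1878 rule to patch records: a record is in scope when the device type is not a workstation, server or network device and the vulnerability is vendor-rated critical or has a working exploit, and it is overdue when the patch was applied (or is still unapplied) more than 48 hours after release. The record fields, device-type labels and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

WINDOW = timedelta(hours=48)
# ISM-1878 covers IT equipment other than these categories (they fall under other
# ISM patching controls), so records for them are reported as out of scope.
EXCLUDED_TYPES = {"workstation", "server", "network device"}

@dataclass
class PatchRecord:
    device: str
    device_type: str              # assumed label, e.g. "printer", "ip camera"
    patch_id: str
    released: datetime            # vendor release time (UTC)
    applied: Optional[datetime]   # None if not yet applied
    vendor_critical: bool         # vendor rated the vulnerability critical
    working_exploit: bool         # a working exploit is known to exist

def in_scope(rec: PatchRecord) -> bool:
    """The 48-hour clock applies to covered device types when the vendor rates the vulnerability critical or a working exploit exists."""
    return rec.device_type not in EXCLUDED_TYPES and (rec.vendor_critical or rec.working_exploit)

def assess(records: list, now: datetime) -> dict:
    """Sort each record (as "device:patch_id") into compliant, overdue, pending
    (in scope, unapplied, deadline not yet reached) or out_of_scope."""
    result = {"compliant": [], "overdue": [], "pending": [], "out_of_scope": []}
    for rec in records:
        key = f"{rec.device}:{rec.patch_id}"
        if not in_scope(rec):
            result["out_of_scope"].append(key)
        elif rec.applied is not None:
            result["compliant" if rec.applied <= rec.released + WINDOW else "overdue"].append(key)
        else:
            result["pending" if now <= rec.released + WINDOW else "overdue"].append(key)
    return result

def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample records for illustration; the devices and patch IDs are not real.
SAMPLE = [
    PatchRecord("printer-01", "printer", "FW-A", _utc("2024-05-01T09:00"), _utc("2024-05-02T15:00"), True, False),
    PatchRecord("iot-gw-07", "iot gateway", "FW-B", _utc("2024-05-01T09:00"), _utc("2024-05-04T10:00"), False, True),
    PatchRecord("ws-113", "workstation", "KB-C", _utc("2024-05-01T09:00"), None, True, False),
    PatchRecord("cam-22", "ip camera", "FW-D", _utc("2024-05-05T09:00"), None, True, False),
    PatchRecord("printer-02", "printer", "FW-E", _utc("2024-05-01T09:00"), None, False, False),
]
NOW = _utc("2024-05-06T08:00")
```

Running `assess(SAMPLE, NOW)` reports printer-01 compliant, iot-gw-07 overdue (exploited, patched after the window), cam-22 pending, and the workstation and the non-critical printer patch out of scope.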
Cross-framework mappings
How ISM-1878 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1878 requires critical OS patches to be applied within 48 hours for certain categories of IT equipment when vendors rate vulnerabilit... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-PO-ML1.5 | ISM-1878 requires critical OS patches for IT equipment (other than workstations, servers and network devices) to be applied within 48 hou... | |
| E8-PO-ML3.3 | ISM-1878 mandates applying critical OS patches within 48 hours for IT equipment other than workstations, servers and network devices, bas... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.