Timely Patching of Critical Driver Vulnerabilities
Critical driver vulnerabilities must be fixed within 48 hours to prevent exploits.
Plain language
This control is about fixing known problems in software drivers, which are bits of code that help your computer talk to its hardware, as soon as possible. If these problems aren't fixed quickly, hackers might find a way to exploit them, which could lead to data breaches or system shutdowns.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in drivers are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Why it matters
Delaying critical driver patches can allow rapid exploitation, leading to privilege escalation, data theft, or service disruption.
Operational notes
Apply driver mitigations within 48 hours when vendors rate issues critical or exploits exist; automate alerts and track deployment to completion.
Implementation tips
- The IT team should set up a monitoring system to track when software vendors release updates or patches. They can do this by subscribing to vendor notifications via email or using a software tool that alerts them to new updates.
- The manager responsible for IT should ensure there is a clear process for categorising driver updates as critical, based on vendor assessments. They can maintain a checklist that the IT team uses whenever an update is released to quickly determine its importance.
- System administrators should coordinate the testing and application of these critical patches. They should follow a documented procedure that includes backing up essential systems before applying any update to ensure only safe changes are made.
- The procurement team should maintain contact information for all vendors. They need to ensure the contracts specify the vendor's responsibility to provide timely updates when vulnerabilities are identified.
- The office manager should schedule regular team meetings to discuss cybersecurity updates. During these meetings, the IT team can report on recent updates, their importance, and any issues that occurred during their application.
Audit / evidence tips
- Ask: the vendor notifications log. Request a report or emails that show when critical driver updates were announced by vendors.
  Good: a complete record showing all updates with relevant dates.
- Ask: the driver update process documentation.
  Good: the document clearly outlines steps for identifying and classifying critical updates and demonstrates a history of correct categorisation.
- Ask: a systems backup record. Check for logs or records that show backups were taken before patches were applied.
  Good: a backup log indicating dates and times of system backups corresponding to update events.
- Ask: the IT team meeting minutes. These should record discussions about recent cybersecurity updates and procedures.
  Good: minutes record specific updates discussed, any decisions made, and assigned actions regarding patch application.
- Ask: signed vendor agreements. Review these agreements to ensure they include clauses on the timely provision of software updates.
  Good: shows explicit vendor obligations regarding update disclosures and timeframes.
Cross-framework mappings
How ISM-1879 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1879 requires a specific, time-bound action: applying patches, updates or mitigations for critical driver vulnerabilities within 48 h... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-PA-ML1.5 | E8-PA-ML1.5 requires applying critical patches for online services within 48 hours when rated critical or exploited | |
| E8-PO-ML1.5 | E8-PO-ML1.5 requires critical vendor patches or mitigations to be applied within 48 hours for operating systems on internet-facing server... | |
| Depends on (1) | | |
| E8-PO-ML1.2 | ISM-1879 requires organisations to apply critical driver patches or mitigations within 48 hours when vendor-critical or exploited, which ... | |
| Related (1) | | |
| E8-PO-ML3.5 | E8-PO-ML3.5 requires organisations to apply vendor patches or mitigations for critical driver vulnerabilities within 48 hours (or when wo... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.