Timely Application of Non-Critical Security Patches
Apply non-critical software patches within two weeks to maintain system security.
Plain language
This control is about making sure any updates to your software that aren't urgent are still applied in a timely manner. It's important because even if a security risk isn't immediately dangerous, leaving it unpatched could allow someone to eventually find a way to exploit it, potentially putting your data and systems at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
Why it matters
Delaying non-critical patches beyond two weeks leaves browsers, office, email and PDF applications, and security products exposed to exploits that are developed after a vulnerability is published, risking compromise of systems and the integrity of data.
Operational notes
Track vendor advisories for browsers, office/email/PDF and security products; confirm “non-critical” and no known exploits, then deploy updates within 14 days.
Implementation tips
- The IT team should keep a calendar of software updates: They need to track when updates are released by software vendors. They can do this by subscribing to vendor mailing lists or using update management tools to receive notifications.
- The IT manager should assign a person responsible for testing updates: This person should be tasked with testing the updates in a controlled environment. They can do this by setting up a test system that mimics the actual system where the updates can be applied without risk to operations.
- System administrators should schedule update installations: Once tested, they should plan to apply these updates to the production systems within two weeks. This can be managed by setting up reminders and using update management software to automate the process where possible.
- The IT support team should inform staff about upcoming updates: They should communicate the schedule to all staff to ensure that any disruptions are minimised and staff know what to expect. This can be done through email announcements or a notice on the company's intranet.
- System owners should review update success: After updates are applied, they should check that everything is functioning correctly and that no issues have arisen from the new updates. They should verify this through direct feedback from users and by reviewing system logs for any anomalies.
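The operational notes and implementation tips above describe a procedure: track vendor advisories, confirm the vendor rating and whether a working exploit exists, and deploy within the 14-day window. The following Python script is an added example, not code from the ISM or the Control Stack site. It classifies a constructed list of advisories against that window, applies the 48-hour window that the E8-PA-ML3.1 mapping on this page cites for critical or exploited vulnerabilities, and flags products outside the control's scope. All advisory ids, product names and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Product categories named in the ISM-1901 control statement.
IN_SCOPE_CATEGORIES = {
    "office_suite", "web_browser", "browser_extension",
    "email_client", "pdf_application", "security_product",
}

NON_CRITICAL_WINDOW = timedelta(days=14)  # ISM-1901: two weeks of release
CRITICAL_WINDOW = timedelta(hours=48)     # E8-PA-ML3.1 (critical or exploited), as cited on this page


@dataclass
class Advisory:
    advisory_id: str               # constructed placeholder, not a real vendor advisory id
    product: str
    category: str
    released: datetime             # vendor release date of the patch
    vendor_severity: str           # the vendor's own rating: "critical" or "non-critical"
    exploit_known: bool            # True if a working exploit exists
    deployed: Optional[datetime]   # when the patch reached production; None if not yet


def applicable_window(adv: Advisory) -> Optional[timedelta]:
    """Return the deadline window for this advisory, or None if the product is out of scope."""
    if adv.category not in IN_SCOPE_CATEGORIES:
        return None
    # ISM-1901's two-week window applies only when the vendor rates the vulnerability
    # non-critical AND no working exploit exists; otherwise the stricter window applies.
    if adv.vendor_severity == "critical" or adv.exploit_known:
        return CRITICAL_WINDOW
    return NON_CRITICAL_WINDOW


def assess(adv: Advisory, now: datetime):
    """Classify one advisory: out_of_scope, compliant, overdue or due, plus its deadline."""
    window = applicable_window(adv)
    if window is None:
        return "out_of_scope", None
    deadline = adv.released + window
    if adv.deployed is not None:
        return ("compliant" if adv.deployed <= deadline else "overdue"), deadline
    return ("overdue" if now > deadline else "due"), deadline


def patch_status_report(advisories, now: datetime) -> dict:
    """Map each advisory id to its compliance status against the applicable window."""
    return {adv.advisory_id: assess(adv, now)[0] for adv in advisories}


# Constructed sample data: a snapshot of the advisory calendar as at NOW.
NOW = datetime(2025, 6, 20, 9, 0)
SAMPLE_ADVISORIES = [
    # deployed 9 days after release: inside the 14-day window
    Advisory("ADV-0001", "Example Browser", "web_browser",
             datetime(2025, 6, 1), "non-critical", False, datetime(2025, 6, 10)),
    # not yet deployed and the 14-day deadline (15 June) has passed
    Advisory("ADV-0002", "Example PDF Reader", "pdf_application",
             datetime(2025, 6, 1), "non-critical", False, None),
    # not yet deployed, deadline 26 June still ahead
    Advisory("ADV-0003", "Example Mail Client", "email_client",
             datetime(2025, 6, 12), "non-critical", False, None),
    # working exploit exists, so the 48-hour window applies and has already lapsed
    Advisory("ADV-0004", "Example Office Suite", "office_suite",
             datetime(2025, 6, 18, 8, 0), "non-critical", True, None),
    # a server product: not one of the categories ISM-1901 covers
    Advisory("ADV-0005", "Example Database Server", "server",
             datetime(2025, 6, 1), "non-critical", False, None),
]


if __name__ == "__main__":
    for adv in SAMPLE_ADVISORIES:
        status, deadline = assess(adv, NOW)
        print(f"{adv.advisory_id} {adv.product:<24} {status:<12} deadline={deadline}")
```

Feeding the script real advisory data is the part the page leaves to the reader: the release date, vendor rating and exploit status come from the vendor advisory feeds the implementation tips say to subscribe to, and the deployed date comes from the update management tool's logs, which also serve as the audit evidence requested below.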
Audit / evidence tips
- Ask for the update schedule: Request the calendar or list of planned software updates
  Good evidence shows all updates listed with clear dates and responsible persons assigned
- Ask for testing records: Request documentation or reports on update testing
  Good evidence includes test results with descriptions of fixes applied
- Ask to see update communication emails: Request copies of staff notifications about the updates
  Good evidence shows clear, timely communication before updates
- Ask to view system logs post-updates: Request log files from systems after updates were applied
  Good evidence is logs showing updates applied with no adverse events recorded
- Ask for a review report: Request a report that details any post-update issues found by users
  Good evidence is positive user feedback and confirmation of intended update benefits
Cross-framework mappings
How ISM-1901 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1901 requires a specific vulnerability treatment action: applying non-critical patches within two weeks for a defined set of high-ris... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-PA-ML3.1 | E8-PA-ML3.1 requires applying mitigations within 48 hours for critical or exploited vulnerabilities in specific end-user application cate... | |
| Supports (1) | | |
| E8-PA-ML1.4 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for vulnerabilities in key user applications and security pro... | |
| Related (1) | | |
| E8-PA-ML3.2 | E8-PA-ML3.2 requires patches for non-critical vulnerabilities in office suites, browsers, email clients, PDF software, and security produ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.