ISM-1901 ASD Information Security Manual (ISM)

Timely Application of Non-Critical Security Patches

Apply non-critical software patches within two weeks to maintain system security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
Patches, updates or other vendor mitigations for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Source: ASD Information Security Manual (ISM)

Plain language

This control is about making sure any updates to your software that aren't urgent are still applied in a timely manner. It's important because even if a security risk isn't immediately dangerous, leaving it unpatched could allow someone to eventually find a way to exploit it, potentially putting your data and systems at risk.

Why it matters

Delaying non-critical patches beyond two weeks leaves browsers, office, email and PDF applications, and security tools exposed to exploits that emerge after release, risking compromise of systems and data integrity.

Operational notes

Track vendor advisories for browsers, office, email and PDF applications, and security products; confirm that the vendor rates the vulnerability non-critical and that no working exploit exists, then deploy the update within 14 days of release.

Implementation tips

  • The IT team should keep a calendar of software updates: They need to track when updates are released by software vendors. They can do this by subscribing to vendor mailing lists or using update management tools to receive notifications.
  • The IT manager should assign a person responsible for testing updates: This person should be tasked with testing the updates in a controlled environment. They can do this by setting up a test system that mimics the actual system where the updates can be applied without risk to operations.
  • System administrators should schedule update installations: Once tested, they should plan to apply these updates to the production systems within two weeks. This can be managed by setting up reminders and using update management software to automate the process where possible.
  • The IT support team should inform staff about upcoming updates: They should communicate the schedule to all staff to ensure that any disruptions are minimised and staff know what to expect. This can be done through email announcements or a notice on the company's intranet.
  • System owners should review update success: After updates are applied, they should check that everything is functioning correctly and that no issues have arisen from the new updates. They should verify this through direct feedback from users and by reviewing system logs for any anomalies.
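As an added example (not Control Stack's or ASD's code), a small Python check that applies the two-week window from the control statement to a patch inventory, routes critical or exploited vulnerabilities to the 48-hour path named in the E8 mapping, and flags patches that missed their deadline; the product names, categories and dates are constructed.

```python
from datetime import datetime, timedelta

# Product categories ISM-1901 names explicitly; anything else is outside this control's scope.
IN_SCOPE = {"office_suite", "web_browser", "browser_extension",
            "email_client", "pdf_application", "security_product"}

def patch_deadline(record):
    """Return (rule, deadline) for a vendor patch record, or None if ISM-1901 does not cover it.

    Non-critical and no working exploit: two weeks from release (ISM-1901).
    Critical or exploited: 48 hours (the E8-PA-ML3.1 path this control is mapped to).
    """
    if record["category"] not in IN_SCOPE:
        return None
    if record["critical"] or record["exploited"]:
        return "E8-PA-ML3.1 (48h)", record["released"] + timedelta(hours=48)
    return "ISM-1901 (14d)", record["released"] + timedelta(days=14)

def overdue_patches(records, now):
    """Return findings for patches that missed their window: still open past the deadline,
    or applied after it. days_late counts whole days past the deadline."""
    findings = []
    for r in records:
        rule = patch_deadline(r)
        if rule is None:
            continue
        name, deadline = rule
        reference = r["applied"] or now   # an unapplied patch is measured against today
        if reference > deadline:
            findings.append({"product": r["product"], "rule": name,
                             "deadline": deadline.date().isoformat(),
                             "days_late": (reference - deadline).days,
                             "applied": r["applied"] is not None})
    return findings

def D(s):
    return datetime.fromisoformat(s)

# Constructed sample inventory (hypothetical products and dates, not real advisories).
SAMPLE = [
    {"product": "browser", "category": "web_browser", "critical": False, "exploited": False,
     "released": D("2026-02-01"), "applied": D("2026-02-10")},   # applied in 9 days: compliant
    {"product": "pdf_reader", "category": "pdf_application", "critical": False, "exploited": False,
     "released": D("2026-02-01"), "applied": D("2026-02-20")},   # applied in 19 days: 5 days late
    {"product": "mail_client", "category": "email_client", "critical": True, "exploited": False,
     "released": D("2026-02-10"), "applied": None},              # critical: 48h rule, still open
    {"product": "office", "category": "office_suite", "critical": False, "exploited": False,
     "released": D("2026-02-10"), "applied": None},              # open, but inside the 14-day window
    {"product": "nic_firmware", "category": "firmware", "critical": False, "exploited": False,
     "released": D("2026-01-01"), "applied": None},              # out of scope for ISM-1901
]

if __name__ == "__main__":
    for finding in overdue_patches(SAMPLE, D("2026-02-16")):
        print(finding)
```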

Audit / evidence tips

  • Ask for the update schedule: Request the calendar or list of planned software updates

    Good: all updates listed with clear dates and responsible persons assigned

  • Ask for testing records: Request documentation or reports on update testing

    Good: test results with descriptions of the fixes applied

  • Ask to see update communication emails: Request copies of staff notifications about the updates

    Good: clear, timely communication before updates

  • Ask to view system logs post-updates: Request log files from systems after updates were applied

    Good: logs showing updates applied with no adverse events recorded

  • Ask for a review report: Request a report that details any post-update issues found by users

    Good: positive user feedback and confirmation of the intended update benefits

Cross-framework mappings

How ISM-1901 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

  • Annex A 8.8 (partially meets): ISM-1901 requires a specific vulnerability treatment action: applying non-critical patches within two weeks for a defined set of high-ris...

E8

  • E8-PA-ML3.1 (partially overlaps): E8-PA-ML3.1 requires applying mitigations within 48 hours for critical or exploited vulnerabilities in specific end-user application cate...
  • E8-PA-ML1.4 (supports): E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for vulnerabilities in key user applications and security pro...
  • E8-PA-ML3.2 (related): E8-PA-ML3.2 requires organisations to apply patches/updates/mitigations for specified end-user and security software within two weeks whe...
