ISM-1904 (ASD Information Security Manual)

Apply Firmware Patches for Non-Critical Vulnerabilities

Apply patches, updates or vendor mitigations for non-critical firmware vulnerabilities within one month of release, provided the vendor rates the vulnerability non-critical and no working exploit exists.


Plain language

Think of firmware as the low-level software that makes your hardware work. A flaw the vendor rates as non-critical today can become a serious problem later, for example once a working exploit is published, so even these fixes are applied within a month of the vendor releasing them rather than left open. Keeping firmware current stops small, known weaknesses from becoming major headaches down the line.

Framework

ASD Information Security Manual (ISM)

Control effect

Proactive

Classifications

NC (Non-classified), OS (OFFICIAL: Sensitive), P (PROTECTED), S (SECRET), TS (TOP SECRET)

ISM last updated

Nov 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML3

Official control statement

Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Why it matters

Delaying non-critical firmware patches beyond a month leaves known flaws unmitigated, increasing the risk of compromise and of device instability over time. Note that "non-critical" and "no working exploit" are conditions at the time of assessment: if a working exploit appears before the patch is applied, the vulnerability no longer qualifies for this one-month window and must be handled on the faster timeline that applies to exploited vulnerabilities.


Operational notes

Track vendor firmware advisories for every hardware product in the asset inventory. For each advisory, record the vendor's severity rating and whether a working exploit is known; if the vulnerability is rated non-critical and no working exploit exists, schedule and apply the patch within 30 days of the vendor's release date (not the date you noticed it), and record the assessment, the devices affected, the firmware version applied and the completion date. Re-check exploit status while the patch is pending, and escalate any vulnerability that gains a working exploit.


Implementation tips

  • System owners should keep track of firmware updates: Check for new firmware releases and advisories from each hardware vendor on a fixed schedule, at least fortnightly, so that the one-month-from-release window is still achievable after a release is noticed. Subscribe to vendor security notifications or set a calendar reminder to visit their support site.
  • IT teams should install patches: Once an applicable firmware update is identified, download it from the vendor, verify its integrity as the vendor specifies, and install it on the affected devices following a step-by-step checklist. After installation, confirm the reported firmware version matches the fixed version and test that the device operates normally; keep the previous firmware image available in case a rollback is needed.
  • Managers should oversee update compliance: Managers need to ensure that their teams are applying firmware updates within the required window. Monthly check-in meetings that review the status of outstanding advisories across the organisation's devices, with due dates against each, make overdue items visible.
  • Employees using devices should report issues: Staff should be encouraged to report abnormal device behaviour to the IT team promptly. Such behaviour is not proof of outdated firmware, but it prompts a check of the device's firmware version against current advisories. A simple form or email template can be set up for this purpose.
  • Procurement should include update plans in vendor contracts: When buying new hardware, the procurement team should ensure that contracts include provisions for regular firmware updates from the vendor for the expected life of the device. This involves checking that the vendor has a clear support and update policy before finalising any purchase.
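The tracking procedure above (record each advisory's release date, severity and exploit status, work out the due date, and report which devices are still unpatched) is easy to get wrong when done by hand, so here is a small tracker as an added example. It is not code from the ISM, the Essential Eight or this page; the vendor advisory identifiers, product names, device names and dates are constructed, and "one month" is taken as 30 days from the vendor's release date.

```python
# Added example: a minimal tracker for the ISM-1904 one-month firmware patch window.
# Not code from the ISM or this page; the advisories and devices below are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOW_DAYS = 30  # assumption: "one month" counted as 30 days from vendor release


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1); tuple comparison then gives numeric ordering."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical vendor advisory identifier
    product: str
    fixed_version: tuple    # first firmware version that contains the fix
    released: date          # vendor release date: the ISM-1904 clock starts here
    vendor_severity: str    # vendor's own rating, e.g. "low", "medium", "high", "critical"
    exploit_known: bool     # True once a working exploit exists


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    firmware: tuple
    firmware_applied_on: Optional[date] = None  # when the current firmware was installed


def in_scope_1904(adv: Advisory) -> bool:
    """ISM-1904 covers only vulnerabilities the vendor rates non-critical with no working exploit."""
    return adv.vendor_severity != "critical" and not adv.exploit_known


def due_date(adv: Advisory) -> date:
    return adv.released + timedelta(days=WINDOW_DAYS)


def assess(device: Device, adv: Advisory, today: date) -> str:
    """Classify one device against one advisory."""
    if device.product != adv.product:
        return "not-applicable"
    patched = device.firmware >= adv.fixed_version
    if not in_scope_1904(adv):
        # Critical or exploited: a faster timeline than ISM-1904's applies,
        # so it is escalated rather than scheduled inside the one-month window.
        return "patched" if patched else "escalate"
    due = due_date(adv)
    if patched:
        if device.firmware_applied_on is None:
            return "patched-date-unknown"  # fixed, but no evidence of when
        # Assumption: the fix landed when the current firmware was applied.
        return "patched-in-window" if device.firmware_applied_on <= due else "patched-late"
    return "pending" if today <= due else "overdue"


def report(devices, advisories, today):
    """Return (device, advisory_id, status, due) for every applicable device/advisory pair."""
    rows = []
    for dev in devices:
        for adv in advisories:
            status = assess(dev, adv, today)
            if status != "not-applicable":
                rows.append((dev.name, adv.advisory_id, status, due_date(adv)))
    return rows


# Constructed sample data (not real products, advisories or devices).
ADVISORIES = [
    Advisory("VEND-2026-001", "switch-x", parse_version("2.4.1"), date(2026, 2, 1), "medium", False),
    Advisory("VEND-2026-002", "switch-x", parse_version("2.5.0"), date(2026, 3, 10), "low", False),
    Advisory("VEND-2026-003", "bmc-y", parse_version("1.8.0"), date(2026, 3, 1), "high", True),
]
DEVICES = [
    Device("core-sw-01", "switch-x", parse_version("2.4.1"), date(2026, 2, 20)),
    Device("core-sw-02", "switch-x", parse_version("2.4.1"), date(2026, 3, 10)),
    Device("edge-sw-07", "switch-x", parse_version("2.3.9")),
    Device("bmc-03", "bmc-y", parse_version("1.7.2")),
]
TODAY = date(2026, 3, 19)  # constructed "now" for the example

if __name__ == "__main__":
    for name, adv_id, status, due in report(DEVICES, ADVISORIES, TODAY):
        print(f"{name:12} {adv_id:14} {status:20} due {due}")
```

With the constructed data, core-sw-01 is reported patched within the window, core-sw-02 patched late, edge-sw-07 overdue for the February advisory and pending for the March one, and bmc-03 escalated because a working exploit exists for its advisory, so it is outside ISM-1904 regardless of the one-month clock. The rows it produces are the kind of patch record the audit evidence tips ask for: per device, which advisory, what was applied, and whether the release-to-patch interval met the window.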

Audit / evidence tips

  • Ask: the firmware update schedule. Request the calendar or system that tracks when firmware advisories are checked and patches are due. Good: a maintained schedule with past check dates, due dates per advisory and upcoming reminders.
  • Ask: patch logs or records. Require logs showing when and which firmware patches were applied, on which devices, and the vendor release date of each. Good: a log or report showing each non-critical firmware patch applied within one month of release, with the severity and exploit assessment recorded.
  • Ask: incident reports of firmware issues. Request records of device malfunctions or issues reported that were possibly due to outdated firmware. Good: incident logs showing rapid resolution and follow-up action, including a firmware version check.
  • Ask: vendor communication logs. Request emails, advisory subscriptions or notes from vendor interactions about firmware updates. Good: regular communications with vendors showing awareness of and action on firmware advisories.
  • Ask: procurement contracts. Request contracts or agreements with hardware vendors and check for clauses about firmware support and update commitments. Good: contracts that obligate vendors to provide regular firmware updates for the life of the device.

Cross-framework mappings

How ISM-1904 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001: Partially meets (1)

  • Annex A 8.8: ISM-1904 requires a specific remediation action: apply vendor firmware mitigations within one month for non-critical, non-exploited vulne...

E8: Partially overlaps (4)

  • E8-PO-ML3.2: E8-PO-ML3.2 requires organisations to scan firmware at least fortnightly to identify missing patches or updates
  • E8-PO-ML3.4: E8-PO-ML3.4 requires applying non-critical operating system patches within one month on internal workstations, non-internet-facing server...
  • E8-PO-ML3.6: ISM-1904 requires vendor firmware patches/updates/mitigations to be applied within one month when vulnerabilities are non-critical and th...
  • E8-PO-ML3.7: ISM-1904 requires applying firmware patches within one month when vulnerabilities are non-critical and no working exploits exist

E8: Related (1)

  • E8-PO-ML3.8: E8-PO-ML3.8 requires patches, updates, or vendor mitigations for non-critical firmware vulnerabilities to be applied within one month whe...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
