Patch operating systems
16 controls in this part of the ASD Essential Eight. Each control links to plain-English guidance, audit tips and cross-framework mappings.
E8-PO-ML1.1
Automated bi-weekly asset discovery for vulnerability scanning
E8-PO-ML1.2
Use a vulnerability scanner with an updated database
E8-PO-ML1.3
Use a daily vulnerability scanner for internet-facing systems
E8-PO-ML1.4
Use a vulnerability scanner fortnightly to find missing OS patches
E8-PO-ML1.5
Apply critical patches to internet-facing OS within 48 hours
E8-PO-ML1.6
Timely application of non-critical patches for internet-facing OS vulnerabilities
E8-PO-ML1.8
Replace unsupported operating systems
E8-PO-ML3.1
Vulnerability scanner used fortnightly to identify missing driver patches
E8-PO-ML3.2
At least fortnightly use of a vulnerability scanner for firmware
E8-PO-ML3.3
Apply critical patches to non-internet-facing OS within 48 hours
E8-PO-ML3.4
Non-critical OS patches applied within one month if no exploits exist
E8-PO-ML3.5
Apply critical driver patches within 48 hours
E8-PO-ML3.6
Apply non-critical driver patches within one month
E8-PO-ML3.7
Apply critical firmware patches within 48 hours
E8-PO-ML3.8
Firmware vulnerabilities patched within one month if non-critical and no exploits
E8-PO-ML3.9
The latest or previous OS release is used