Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
Topic: When to patch vulnerabilities
Applicable to: all
History
Dec 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
The existing control relating to applying patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices was relaxed from within two weeks of release to within one month of release.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within two weeks of release.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within two weeks of release.
The existing controls relating to applying patches, updates or other vendor mitigations to vulnerabilities in ‘operating systems of workstations, servers and network devices’ were amended to ‘operating systems of workstations, non-internet-facing servers and non-internet-facing network devices’ to reduce confusion as to their applicability. [ISM-1695, ISM-1696]