Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
Topic: When to patch vulnerabilities
Applicable to: all
History
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Sep 2023
Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
The existing controls relating to applying patches, updates or other vendor mitigations to vulnerabilities in ‘operating systems of workstations, servers and network devices’ were amended to ‘operating systems of workstations, non-internet-facing servers and non-internet-facing network devices’ to reduce confusion as to their applicability. [ISM-1695, ISM-1696]