ISM-1904

Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.

Topic: When to patch vulnerabilities
Applicable to: all

History

Dec 2023
Patches, updates or other vendor mitigations for vulnerabilities in firmware are applied within one month of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
The existing control relating to applying patches, updates or other vendor mitigations for vulnerabilities in drivers and firmware within two weeks of release was relaxed to within one month of release and split into two separate controls. Furthermore, the controls were amended to note that this relates to situations where vulnerabilities are assessed as non-critical by vendors and no working exploits exist. [ISM-1697, ISM-1904]