Essential Eight · Control 2

2. Patch Applications


Patch or mitigate vulnerabilities in applications within defined timeframes.

Why this matters

Unpatched applications are the most common initial-access vector in Australian cyber incidents. The 48-hour patch window for vulnerabilities that the vendor assesses as critical or for which a working exploit exists (introduced in the November 2023 update to the maturity model) is the highest-leverage timeframe at every maturity level.

Maturity-level breakdown

Maturity Level 1
Patches, updates or other vendor mitigations for vulnerabilities in internet-facing (online) services applied within 48 hours of release when the vendor assesses the vulnerability as critical or a working exploit exists, otherwise within two weeks. Office productivity suites, web browsers and their extensions, email clients, PDF software and security products patched within two weeks of release; other applications within one month. Applications that are no longer supported by vendors are removed.
Maturity Level 2
An automated method of asset discovery is used at least fortnightly. A vulnerability scanner is used at least weekly for office productivity suites, web browsers and their extensions, email clients, PDF software and security products, and at least daily for online services. Patches for online services and for those application categories applied within 48 hours of release when the vendor assesses the vulnerability as critical or a working exploit exists, otherwise within two weeks.
Maturity Level 3
Patches, updates or other vendor mitigations for vulnerabilities in online services, office productivity suites, web browsers and their extensions, email clients, PDF software and security products applied within 48 hours of release when the vendor assesses the vulnerability as critical or a working exploit exists, otherwise within two weeks; other applications within two weeks on the same trigger, otherwise within one month. Vulnerability scanner used at least daily for online services. Evidence of patch deployment timestamps maintained for the IRAP audit trail.

Common gaps we see at ML2 assessments

  • No timestamped audit trail of when patches were deployed
  • Microsoft 365 Apps left on the Semi-Annual Enterprise Channel instead of the Monthly Enterprise Channel (or Current Channel)
  • Browser patches not tracked separately from OS updates
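All three gaps above can be evidenced from the endpoint itself. The following PowerShell is an added example, not code from this page or from ASD: it reads the Microsoft 365 Apps Click-to-Run update channel (and any GPO-set channel) from the registry, records installed browser versions separately from the OS hotfix list, and appends one UTC-timestamped JSON record per run to an evidence log. The channel GUIDs are Microsoft's published CDN identifiers and should be re-checked against current Microsoft documentation; the evidence path and the set of "acceptable" channels are assumptions to adapt to your own policy.

```powershell
# Added example: endpoint evidence snapshot for the three ML2 gaps above.
# Not from this page or ASD. Run elevated on a Windows endpoint.

# Microsoft 365 Apps Click-to-Run channels, keyed by the GUID that ends CDNBaseUrl.
# These are Microsoft's published CDN identifiers; re-check them against current docs.
$ChannelByGuid = @{
    '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = 'Current Channel'
    '64256afe-f5d9-4f86-8936-8840a6a4f5be' = 'Current Channel (Preview)'
    '55336b82-a18d-4dd6-b5f6-9e5095c314a6' = 'Monthly Enterprise Channel'
    '7ffbc6bf-bc32-4f92-8982-f9dd17fd3114' = 'Semi-Annual Enterprise Channel'
    'b8f9b850-328d-4355-9145-c59439a0c4cf' = 'Semi-Annual Enterprise Channel (Preview)'
    '5440fd1f-7ecb-4221-8110-145efaa6372f' = 'Beta Channel'
}
# Assumption: policy accepts only channels that deliver security fixes at least monthly.
$AcceptableChannels = @('Current Channel', 'Monthly Enterprise Channel')
# Assumption: local evidence log; forward it to your SIEM or evidence store.
$EvidencePath = Join-Path $env:ProgramData 'PatchEvidence\patch-evidence.jsonl'

function Get-M365AppsChannel {
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.CDNBaseUrl) { return $null }   # no Click-to-Run install present
    $guid    = ($cfg.CDNBaseUrl.TrimEnd('/') -split '/')[-1].ToLower()
    $channel = if ($ChannelByGuid.ContainsKey($guid)) { $ChannelByGuid[$guid] } else { "Unknown ($guid)" }
    # A channel set by the Office ADMX "Update Channel" policy takes effect at the next update;
    # record it alongside the configured channel so the assessor sees both.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\office\16.0\common\officeupdate' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Channel          = $channel
        PolicyChannel    = $pol.updatebranch       # e.g. 'MonthlyEnterprise', 'Deferred'; $null if unmanaged
        Version          = $cfg.VersionToReport
        ChannelCompliant = $AcceptableChannels -contains $channel
    }
}

function Get-BrowserVersion {
    param([string]$Name, [string[]]$Candidates)
    # Browsers patch on their own cadence, so their versions are recorded apart from OS updates.
    foreach ($exe in $Candidates) {
        if (Test-Path -LiteralPath $exe) {
            return [pscustomobject]@{
                Browser = $Name
                Version = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
                Path    = $exe
            }
        }
    }
    [pscustomobject]@{ Browser = $Name; Version = $null; Path = $null }   # not installed
}

$pf   = $env:ProgramFiles
$pf86 = ${env:ProgramFiles(x86)}
$browsers = @(
    Get-BrowserVersion 'Microsoft Edge'  @("$pf86\Microsoft\Edge\Application\msedge.exe", "$pf\Microsoft\Edge\Application\msedge.exe")
    Get-BrowserVersion 'Google Chrome'   @("$pf\Google\Chrome\Application\chrome.exe", "$pf86\Google\Chrome\Application\chrome.exe")
    Get-BrowserVersion 'Mozilla Firefox' @("$pf\Mozilla Firefox\firefox.exe")
)

$record = [pscustomobject]@{
    Host       = $env:COMPUTERNAME
    CheckedUtc = (Get-Date).ToUniversalTime().ToString('o')   # the timestamp the audit trail needs
    M365Apps   = Get-M365AppsChannel
    Browsers   = $browsers
    # Most recent OS hotfixes with install dates, kept separate from the application records above.
    OsHotfixes = @(Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                   Select-Object -First 5 HotFixID, @{ n = 'InstalledOn'; e = { $_.InstalledOn.ToString('yyyy-MM-dd') } })
}

New-Item -ItemType Directory -Force -Path (Split-Path $EvidencePath) | Out-Null
$record | ConvertTo-Json -Depth 4 -Compress | Add-Content -LiteralPath $EvidencePath   # one JSON object per line

if ($record.M365Apps -and -not $record.M365Apps.ChannelCompliant) {
    Write-Warning "Microsoft 365 Apps on '$($record.M365Apps.Channel)', outside the accepted monthly channels"
}
```

Schedule it daily (for example as a scheduled task) so the JSON lines give a continuous, timestamped record of application versions rather than a one-off snapshot; the version fields, compared against vendor release dates, are what lets an assessor confirm the 48-hour and two-week windows were actually met.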
Mapped ISM controls
ISM-1693 · ISM-1694 · ISM-1695