Essential Eight · Control 6

6. Patch Operating Systems

Last reviewed:

Patch or mitigate OS vulnerabilities within defined timeframes and remove end-of-life systems.

Why this matters

Operating systems are the foundation every other control relies on. Critical OS vulnerabilities exposed to the internet are exploited within hours of public disclosure.

Maturity-level breakdown

Maturity Level 1
Patches, updates, or other vendor mitigations for vulnerabilities in the operating systems of internet-facing services are applied within 48 hours of release when an exploit exists, or within two weeks otherwise. Operating systems of workstations, servers, and network devices are patched within one month. Operating systems no longer supported by their vendors are replaced.
Maturity Level 2
Automated asset discovery is in place, and internet-facing services are vulnerability-scanned weekly. Operating systems of workstations, servers, and network devices are patched within 48 hours of release when an exploit exists, or within two weeks otherwise. The latest release (or the previous one, N-1) of each operating system is used.
Maturity Level 3
All operating systems patched within 48 hours of release when an exploit exists, or within two weeks otherwise. Automated patch deployment and validation. Evidence of patch deployment timestamps maintained for the IRAP audit trail.
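The timeframes above reduce to a small decision rule that can be run over a patch-deployment register. The script below is an added example, not EDUC4TE's or ASD's code: it assumes a record layout of its own (asset class, vendor release time, whether an exploit is known, deployment timestamp, and the date vendor or ESU support ends), reads "within one month" as 30 days, and uses constructed sample records. It returns one of eol, compliant, late, overdue, or pending per asset, which is also the minimum the timestamped audit trail at ML3 has to be able to answer.

```python
"""Evaluate OS patch records against the Essential Eight patching timeframes.

Added example (not EDUC4TE's or ASD's code). The record layout and the
30-day reading of "within one month" are this example's own assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

INTERNET_FACING = "internet-facing"
EXPLOIT_WINDOW = timedelta(hours=48)      # an exploit exists
DEFAULT_WINDOW = timedelta(days=14)       # no known exploit
ML1_INTERNAL_WINDOW = timedelta(days=30)  # "within one month" at ML1, assumed 30 days


@dataclass
class PatchRecord:
    asset: str
    asset_class: str              # "internet-facing", "workstation", "server", "network-device"
    patch_released: datetime      # vendor release time (UTC)
    exploit_known: bool           # a working exploit exists for the vulnerability
    deployed: Optional[datetime]  # None when the patch is not yet deployed
    support_ends: datetime        # end of vendor support, or of ESU coverage, for the OS


def patch_window(rec: PatchRecord, maturity_level: int) -> timedelta:
    """Allowed time between vendor release and deployment for this asset."""
    # ML1 only applies the 48h/14d rule to internet-facing services;
    # everything else at ML1 gets one month. ML2 and ML3 apply it to all OS.
    if maturity_level == 1 and rec.asset_class != INTERNET_FACING:
        return ML1_INTERNAL_WINDOW
    return EXPLOIT_WINDOW if rec.exploit_known else DEFAULT_WINDOW


def assess(rec: PatchRecord, maturity_level: int, now: datetime) -> str:
    """Classify one record: eol, compliant, late, overdue, or pending."""
    if now > rec.support_ends:
        return "eol"  # unsupported OS must be replaced, whatever its patch state
    deadline = rec.patch_released + patch_window(rec, maturity_level)
    if rec.deployed is not None:
        # Deployment timestamp is the audit evidence; compare it to the deadline.
        return "compliant" if rec.deployed <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def summarise(records: List[PatchRecord], maturity_level: int, now: datetime) -> Dict[str, str]:
    """Map each asset name to its status at the given maturity level."""
    return {rec.asset: assess(rec, maturity_level, now) for rec in records}


def _utc(*args: int) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample register (not real assets or vulnerabilities).
SAMPLE_NOW = _utc(2025, 11, 1)
SAMPLE_RECORDS = [
    # Internet-facing host, exploit known, patched 30 hours after release.
    PatchRecord("web-01", INTERNET_FACING, _utc(2025, 10, 20, 9), True,
                _utc(2025, 10, 21, 15), _utc(2030, 1, 1)),
    # Workstation, exploit known, patched 10 days after release.
    PatchRecord("ws-042", "workstation", _utc(2025, 10, 10), True,
                _utc(2025, 10, 20), _utc(2030, 1, 1)),
    # Network device, no exploit, still unpatched 31 days after release.
    PatchRecord("fw-edge", "network-device", _utc(2025, 10, 1), False,
                None, _utc(2030, 1, 1)),
    # Windows 10 workstation without ESU: vendor support ended 14 Oct 2025.
    PatchRecord("ws-legacy", "workstation", _utc(2025, 10, 14), False,
                _utc(2025, 10, 15), _utc(2025, 10, 14)),
    # Windows 10 workstation enrolled in ESU (coverage end date assumed).
    PatchRecord("ws-esu", "workstation", _utc(2025, 10, 14), False,
                _utc(2025, 10, 16), _utc(2028, 10, 31)),
]


if __name__ == "__main__":
    for level in (1, 2, 3):
        print(f"ML{level}: {summarise(SAMPLE_RECORDS, level, SAMPLE_NOW)}")
```

Running it shows the point the maturity levels make: ws-042 is compliant at ML1 (one-month window for workstations) but late at ML2, where the 48-hour exploit window applies to every OS; fw-edge is overdue at every level; ws-legacy is EOL regardless of its patch state, while the ESU-enrolled ws-esu is assessed on its patch timestamps like any other device.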
EDUC4TE editorial note · applies to all maturity levels
Windows 10 reached mainstream end-of-support on 14 October 2025, but commercial organisations can enrol in Extended Security Updates (ESU) for up to three years through October 2028. ESU-enrolled Windows 10 devices that continue to receive critical and important security updates within the E8 timeframes remain compliant — they are not automatically EOL for E8 purposes. Plan migration to Windows 11 (or equivalent supported OS) within the ESU window so you exit it without a compliance gap.

Common gaps we see at ML2 assessments

  • No timestamped audit trail of OS patch deployment
  • Servers excluded from the workstation patching policy by oversight
  • Network devices not in scope for the patching SLA
EDUC4TE has helped Australian organisations close these specific gaps — see the IRAP readiness guidance →
ASD official guidance
Mapped ISM controls
ISM-1696 · ISM-1697 · ISM-1698