At Maturity Level One, the focus of the ACSC Essential Eight control for Patch Operating Systems is on implementing a consistent and repeatable process to identify and apply patches to all operating systems in use. The objective is to reduce the likelihood that known vulnerabilities can be exploited, particularly on internet-facing systems. At this level, patching may still rely on manual processes, with limited automation or centralized management, but there is a clear expectation of routine and timely updates.
Organizations at this level are expected to:
- Use a vulnerability scanner with an up-to-date vulnerability database to identify missing OS patches and updates.
- Scan internet-facing servers and network devices at least daily to detect vulnerabilities.
- Scan all other operating systems at least fortnightly to identify missing patches or updates.
- Apply security patches for internet-facing systems within 48 hours of release or when working exploits exist.
- Apply non-critical or internal system patches within two weeks of release.
- Remove or isolate unsupported or end-of-life operating systems that can no longer receive security updates.

By achieving Maturity Level One, an organization demonstrates that it can detect and remediate vulnerabilities in its operating systems within defined timeframes, significantly reducing exposure to common exploit vectors. This establishes the foundation for more mature, automated patch management and configuration assurance practices.

Patch Operating Systems: Maturity Level One

| Control | Requirement |
|---|---|
| Patch Operating Systems | An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities. |
| Patch Operating Systems | A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities. |
| Patch Operating Systems | A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices. |
| Patch Operating Systems | A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices. |
| Patch Operating Systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist. |
| Patch Operating Systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist. |
| Patch Operating Systems | Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release. |
| Patch Operating Systems | Operating systems that are no longer supported by vendors are replaced. |
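The table above is a set of timeframes that depend on three properties of each finding: whether the asset is internet-facing, whether the vendor rates the vulnerability critical, and whether a working exploit exists. The script below is an added example (not ACSC tooling and not from the post) that encodes those rules as a compliance check over constructed scan records: it derives the patch deadline per finding, lists what is overdue, checks scan cadence against the daily/fortnightly requirement, and flags unsupported operating systems. It assumes "one month" means 30 days and uses placeholder vulnerability identifiers; scan data would normally come from the organisation's vulnerability scanner.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Scan intervals from the ML1 table: daily for internet-facing assets,
# fortnightly for everything else.
SCAN_INTERVAL = {True: timedelta(days=1), False: timedelta(days=14)}
# "One month" is not defined as a day count in the table; 30 days is assumed here.
ONE_MONTH = timedelta(days=30)


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, constructed for this example
    released: datetime      # when the vendor patch/mitigation was released
    internet_facing: bool
    critical: bool          # vendor-assessed criticality
    exploit_exists: bool    # a working exploit is publicly known
    patched: bool = False


def patch_deadline(released: datetime, internet_facing: bool,
                   critical: bool, exploit_exists: bool) -> datetime:
    """Latest application date for a patch under Maturity Level One."""
    if internet_facing:
        if critical or exploit_exists:
            return released + timedelta(hours=48)
        return released + timedelta(weeks=2)
    # Workstations, non-internet-facing servers and network devices.
    return released + ONE_MONTH


def overdue_findings(findings: List[Finding], now: datetime) -> List[Tuple[str, str, int]]:
    """(host, vuln_id, days past deadline) for each unpatched finding that is overdue."""
    overdue = []
    for f in findings:
        if f.patched:
            continue
        deadline = patch_deadline(f.released, f.internet_facing, f.critical, f.exploit_exists)
        if now > deadline:
            overdue.append((f.host, f.vuln_id, (now - deadline).days))
    return overdue


def scan_cadence_ok(last_scan: datetime, internet_facing: bool, now: datetime) -> bool:
    """True if the asset was scanned within the interval its exposure requires."""
    return now - last_scan <= SCAN_INTERVAL[internet_facing]


def unsupported_os(assets: List[Tuple[str, Optional[datetime]]], now: datetime) -> List[str]:
    """Hosts whose OS end-of-support date has passed; ML1 requires these to be replaced."""
    return [host for host, eos in assets if eos is not None and eos <= now]


# Constructed sample data: a fixed "now" makes the report reproducible.
NOW = datetime(2024, 6, 15)
SAMPLE_FINDINGS = [
    # internet-facing, vendor-critical: 48-hour window, released 5 days ago -> overdue
    Finding("web-01", "VULN-PLACEHOLDER-1", datetime(2024, 6, 10), True, True, False),
    # internet-facing, non-critical, no exploit: two-week window still open
    Finding("web-02", "VULN-PLACEHOLDER-2", datetime(2024, 6, 5), True, False, False),
    # internal server, released 45 days ago: one-month window missed
    Finding("file-01", "VULN-PLACEHOLDER-3", datetime(2024, 5, 1), False, False, True),
    # workstation, released 14 days ago: still inside one month
    Finding("ws-07", "VULN-PLACEHOLDER-4", datetime(2024, 6, 1), False, True, False),
    # already remediated, should never be reported
    Finding("web-01", "VULN-PLACEHOLDER-5", datetime(2024, 5, 1), True, True, True, patched=True),
]
SAMPLE_LAST_SCAN = {  # host -> (internet_facing, last scan time)
    "web-01": (True, datetime(2024, 6, 14, 12)),   # 12 hours ago: fine
    "web-02": (True, datetime(2024, 6, 13)),       # 2 days ago: breaches daily requirement
    "file-01": (False, datetime(2024, 6, 2)),      # 13 days ago: within fortnight
}
SAMPLE_ASSETS = [  # host -> vendor end-of-support date (None = still supported)
    ("web-01", None),
    ("legacy-01", datetime(2023, 1, 10)),
]


def ml1_report(now: datetime = NOW) -> dict:
    """Summarise the three ML1 checks over the constructed sample data."""
    return {
        "overdue": overdue_findings(SAMPLE_FINDINGS, now),
        "scan_breaches": sorted(h for h, (inet, ts) in SAMPLE_LAST_SCAN.items()
                                if not scan_cadence_ok(ts, inet, now)),
        "unsupported": unsupported_os(SAMPLE_ASSETS, now),
    }


if __name__ == "__main__":
    for key, value in ml1_report().items():
        print(f"{key}: {value}")
```

Feeding real scanner output into `Finding` records is the only integration step; the deadline logic itself is the part worth keeping stable, because it is what an assessor will compare against the table.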