June 26, 2022

Essential Eight Maturity Model: Patch Operating Systems

Paul Green
Senior Consultant at Business Aspect
In 2021, the Australian Cyber Security Centre (ACSC) updated the Essential Eight Strategies to Mitigate Cyber Security Incidents Maturity Model, to keep pace with the current threat landscape. While the eight strategies remain the same except for minor name changes, there have been changes to the controls that comprise each scenario.

Please take some time to read all of the previous articles on the updated Essential Eight Maturity Model; the links are at the bottom of this article.

IT security is a moving target, the threat landscape is constantly changing. Just as one vulnerability is fixed, another emerges. Vendors respond by releasing another patch for the relevant operating system, and so the cycle continues.

How prompt do you patch?

When those patches are not applied, it can result in a playground for cyber criminals. Unpatched operating systems are the most common external attack method1 and are widely used to compromise your environment.

Staying up to speed with a patching schedule is easier said than done. A record number of software vulnerabilities were reported last year, over 20,000 Common Vulnerability Exploits (CVEs)2, flooding IT teams with threats to review. It’s easy to fall behind on patching for a number of reasons; lack of resources, software compatibility concerns or infrastructure complexity are the top three.

One organisation we worked with approached us when the worst happened – after not applying patches for up to six years, intruders caused comprehensive damage, and it took months for that organisation to fully recover. Not surprisingly, then, the ACSC Essential Eight places high importance on patching operating systems.

Patching operating systems is one of the easier Essential Eight strategies to understand, with only eight controls across all three maturity levels. However, it’s got to be one of the toughest to achieve, with some very demanding timeframes that would stress even the best IT teams.

Let’s get started and help you understand what’s required.

Patching Operating Systems – Maturity Level One

Every organisation should strive for a minimum of maturity level one in order to demonstrate a responsible approach to securing their systems and data. In some industry sectors, this may be mandated.

“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.”

The faster patches are applied, the less time an intruder has to wreak havoc. However, keeping up with the pace of patch releases is a big ask for the average IT team.

In maturity level one, the ACSC’s expectation is that patches are applied to online services within two weeks, or two days if a vulnerability exits. Automation is the key to patch management and ensuring you meet these timelines consistently. There are a number of tools and information sources available to help.

Prioritising patches is essential too, I recommend starting with the most critical vulnerabilities, environments or services first, then working back. How do you know of vulnerabilities or if an exploit exists?

Third party threat intelligence tools are your friend here. You can also subscribe to reputable sources such as:

These sources will keep you across the big events, but a Managed Security Operations Centre (SOC) service will give you most proactive and timely support, with details of the vulnerability, rated in importance to help you to prioritise your response.

“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.”

Prioritisation is the key message of this control. If a burglar is circling your house looking for an entry point, you probably want to make sure the doors are locked, before you try to decide if they would fit through the cat flap into the empty garage. Tackle customer or user-facing servers first because this is the frontline of your organisation. Protect business continuity, customers and users.

“A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.”

Running a daily vulnerability scan or having always-on threat monitoring enabled is a must-do for basic patch management protection. I’d recommend Tenable for reliable vulnerability management tool.

Data#3 offers a variety of services to help you identify and address vulnerabilities. Consider one-off vulnerability or penetration tests, a Managed Risk solution offering full vulnerability lifecycle management or a Managed Detection and Response (MDR) service for complete threat detection and remediation support.

“A vulnerability scanner is used at least fortnightly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.”

Unlike your critical internet-facing services above, you can relax the cadence of vulnerability scanning for workstations, servers and network devices to fortnightly.

This control is designed to allow additional time to manage network devices. Switches, hubs, modems, and routers usually require manual effort and can be difficult to automate patch management and security controls. This also tends to be a quiet specialised process requiring some sturdy connectivity skills and is one of the areas that organisations most typically seek after-market help from a partner like Data#3.

Nobody wants to be the guy that tweaked a security control and disrupts the careful balance of their IT ecosystem, heaven forbid crashes the internal network. Much like painting a house, it is one of those scenarios where a specialist can do in a few hours what may take others days or weeks to get a less pleasing result.

When it comes to workstations, patch management is made much easier if you are working with limited device types. Consider security when building your device strategy to make the fleet easier to secure and maintain. Supporting and securing many different versions of operating systems on a wide variety of devices is challenging. As we always say, complexity is the enemy of security. The fewer operating systems and versions of you need to secure for, the easier confidently securing your fleet will be.

Using a vulnerability scanner such as Tenable daily can identify where patches are missing before it causes a crisis. I’d also recommended amplifying your device security with an endpoint protection solution such as Microsoft Endpoint Manager or services such as DaaS and Technology Intelligence.

“Operating systems that are no longer supported by vendors are replaced.”

While it sounds simple, this is something that demands excellent visibility and a solid maintenance plan. End of life updates take a fair bit of planning, especially where a key device needs to be replaced. Unsupported operating systems are not something you want to discover at the last minute or, worse, when it’s already out of support. As a last resort, your scanner will tell when a server patch hasn’t taken, and that can be an indicator that something has slipped the net. Better, though, to have a system that lets you know well in advance.

Patching Operating Systems – Maturity Level Two

The measures applied to achieve maturity level 2 for patching operating systems are very similar to maturity level 1, except two controls are expected to be actioned faster and more frequently. You must implement all the level 1 and 2 controls to meet maturity level 2.


“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.”

(As above, ML1) The faster patches are applied, the less time an intruder has to wreak havoc. However, keeping up with the pace of patch releases is a big ask for the average IT team.

In maturity level one, the ACSC’s expectation is that patches are applied to online services within two weeks, or two days if a vulnerability exits. Automation is the key to patch management and ensuring you meet these timelines consistently. There are a number of tools and information sources available to help.

Prioritising patches is essential too, I recommend starting with the most critical vulnerabilities, environments or services first, then working back. How do you know of vulnerabilities or if an exploit exists?

Third party threat intelligence tools are your friend here. You can also subscribe to reputable sources such as:

  • the ACSC’s email updates
  • the CVE newsletter
  • a monthly Security Newsletter from Microsoft or other vendors
  • SecurityHQ’s Knowledge Base including monthly threat advisory blogs
  • the US Cybersecurity and Infrastructure Security Agency
  • the NIST Vulnerability Database

These sources will keep you across the big events, but a Managed Security Operations Centre (SOC) service will give you most proactive and timely support, with details of the vulnerability, rated in importance to help you to prioritise your response.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.”

(As above, ML1) Prioritisation is the key message of this control. If a burglar is circling your house looking for an entry point, you probably want to make sure the doors are locked, before you try to decide if they would fit through the cat flap into the empty garage. Tackle customer or user-facing servers first because this is the frontline of your organisation. Protect business continuity, customers and users.

“A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.”

(As above, ML1) Running a daily vulnerability scan or having always-on threat monitoring enabled is a must-do for basic patch management protection. I’d recommend Tenable for reliable vulnerability management tool.

Data#3 offers a variety of services to help you identify and address vulnerabilities. Consider one-off vulnerability or penetration tests, a Managed Risk solution offering full vulnerability lifecycle management or a Managed Detection and Response (MDR) service for complete threat detection and remediation support.

“A vulnerability scanner is used at least fortnightly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.”

(As above, ML1) Unlike your critical internet-facing services above, you can relax the cadence of vulnerability scanning for workstations, servers and network devices to fortnightly.

This control is designed to allow additional time to manage network devices. Switches, hubs, modems, and routers usually require manual effort and can be difficult to automate patch management and security controls. This also tends to be a quiet specialised process requiring some sturdy connectivity skills and is one of the areas that organisations most typically seek after-market help from a partner like Data#3.

Nobody wants to be the guy that tweaked a security control and disrupts the careful balance of their IT ecosystem, heaven forbid crashes the internal network. Much like painting a house, it is one of those scenarios where a specialist can do in a few hours what may take others days or weeks to get a less pleasing result.

When it comes to workstations, patch management is made much easier if you are working with limited device types. Consider security when building your device strategy to make the fleet easier to secure and maintain. Supporting and securing many different versions of operating systems on a wide variety of devices is challenging. As we always say, complexity is the enemy of security. The fewer operating systems and versions of you need to secure for, the easier confidently securing your fleet will be.

Using a vulnerability scanner such as Tenable daily can identify where patches are missing before it causes a crisis. I’d also recommended amplifying your device security with an endpoint protection solution such as Microsoft Endpoint Manager or services such as DaaS and Technology Intelligence.

“Operating systems that are no longer supported by vendors are replaced.”

(As above, ML1) While it sounds simple, this is something that demands excellent visibility and a solid maintenance plan. End of life updates take a fair bit of planning, especially where a key device needs to be replaced. Unsupported operating systems are not something you want to discover at the last minute or, worse, when it’s already out of support. As a last resort, your scanner will tell when a server patch hasn’t taken, and that can be an indicator that something has slipped the net. Better, though, to have a system that lets you know well in advance.


“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.”

For maturity level 2, the timeframe shortens from one month to two weeks. Time is a gift for intruders to explore an organisation’s systems, so this measure limits their activities and reduces your time-to-discovery. However, this is an extremely challenging timeframe that most organisations will find incredibly hard to keep up with, without automation or a massive team of experts. It is worth taking some time to discuss within your organisation and with trusted technology partners what time is acceptable to suit your needs and risk profile.

“A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.”

Again, the timeframes reduce for maturity level 2, shutting down vulnerabilities more rapidly. The time is halved here, compared to maturity level 1 and for the more specialised systems, this degree of frequency would be very challenging without experts on hand.

Patching Operating Systems – Maturity Level 3



“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of internet-facing services are applied within two weeks of release, or within 48 hours if an exploit exists.”

(As above, ML1) The faster patches are applied, the less time an intruder has to wreak havoc. However, keeping up with the pace of patch releases is a big ask for the average IT team.

In maturity level one, the ACSC’s expectation is that patches are applied to online services within two weeks, or two days if a vulnerability exits. Automation is the key to patch management and ensuring you meet these timelines consistently. There are a number of tools and information sources available to help.

Prioritising patches is essential too, I recommend starting with the most critical vulnerabilities, environments or services first, then working back. How do you know of vulnerabilities or if an exploit exists?

Third party threat intelligence tools are your friend here. You can also subscribe to reputable sources such as:

  • the ACSC’s email updates
  • the CVE newsletter
  • a monthly Security Newsletter from Microsoft or other vendors
  • SecurityHQ’s Knowledge Base including monthly threat advisory blogs
  • the US Cybersecurity and Infrastructure Security Agency
  • the NIST Vulnerability Database

These sources will keep you across the big events, but a Managed Security Operations Centre (SOC) service will give you most proactive and timely support, with details of the vulnerability, rated in importance to help you to prioritise your response.

Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within one month of release.”

(As above, ML1) Prioritisation is the key message of this control. If a burglar is circling your house looking for an entry point, you probably want to make sure the doors are locked, before you try to decide if they would fit through the cat flap into the empty garage. Tackle customer or user-facing servers first because this is the frontline of your organisation. Protect business continuity, customers and users.

“A vulnerability scanner is used at least daily to identify missing patches for security vulnerabilities in operating systems of internet-facing services.”

(As above, ML1) Running a daily vulnerability scan or having always-on threat monitoring enabled is a must-do for basic patch management protection. I’d recommend Tenable for reliable vulnerability management tool.

Data#3 offers a variety of services to help you identify and address vulnerabilities. Consider one-off vulnerability or penetration tests, a Managed Risk solution offering full vulnerability lifecycle management or a Managed Detection and Response (MDR) service for complete threat detection and remediation support.

“A vulnerability scanner is used at least fortnightly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.”

(As above, ML1) Unlike your critical internet-facing services above, you can relax the cadence of vulnerability scanning for workstations, servers and network devices to fortnightly.

This control is designed to allow additional time to manage network devices. Switches, hubs, modems, and routers usually require manual effort and can be difficult to automate patch management and security controls. This also tends to be a quiet specialised process requiring some sturdy connectivity skills and is one of the areas that organisations most typically seek after-market help from a partner like Data#3.

Nobody wants to be the guy that tweaked a security control and disrupts the careful balance of their IT ecosystem, heaven forbid crashes the internal network. Much like painting a house, it is one of those scenarios where a specialist can do in a few hours what may take others days or weeks to get a less pleasing result.

When it comes to workstations, patch management is made much easier if you are working with limited device types. Consider security when building your device strategy to make the fleet easier to secure and maintain. Supporting and securing many different versions of operating systems on a wide variety of devices is challenging. As we always say, complexity is the enemy of security. The fewer operating systems and versions of you need to secure for, the easier confidently securing your fleet will be.

Using a vulnerability scanner such as Tenable daily can identify where patches are missing before it causes a crisis. I’d also recommended amplifying your device security with an endpoint protection solution such as Microsoft Endpoint Manager or services such as DaaS and Technology Intelligence.

“Operating systems that are no longer supported by vendors are replaced.”

(As above, ML1) While it sounds simple, this is something that demands excellent visibility and a solid maintenance plan. End of life updates take a fair bit of planning, especially where a key device needs to be replaced. Unsupported operating systems are not something you want to discover at the last minute or, worse, when it’s already out of support. As a last resort, your scanner will tell when a server patch hasn’t taken, and that can be an indicator that something has slipped the net. Better, though, to have a system that lets you know well in advance.

“Patches, updates or vendor mitigations for security vulnerabilities in operating systems of workstations, servers and network devices are applied within two weeks of release.”

(As above, ML2) For maturity level 2, the timeframe shortens from one month to two weeks. Time is a gift for intruders to explore an organisation’s systems, so this measure limits their activities and reduces your time-to-discovery. However, this is an extremely challenging timeframe that most organisations will find incredibly hard to keep up with, without automation or a massive team of experts. It is worth taking some time to discuss within your organisation and with trusted technology partners what time is acceptable to suit your needs and risk profile.

“A vulnerability scanner is used at least weekly to identify missing patches for security vulnerabilities in operating systems of workstations, servers and network devices.”

(As above, ML2) Again, the timeframes reduce for maturity level 2, shutting down vulnerabilities more rapidly. The time is halved here, compared to maturity level 1 and for the more specialised systems, this degree of frequency would be very challenging without experts on hand.


The majority of the controls remain the same for achieving maturity level 3. As per above:

  • patching internet-facing services is expected within two weeks of release, or within 48hrs if an exploit exists
  • patching workstations, servers and network devices within two weeks of release, or within 48hrs if an exploit exists
  • daily vulnerability scans of internet-facing services
  • weekly vulnerability scan of workstations, servers and network devices
  • unsupported operating systems are replaced

This leaves only 1 new control you would need to implement to achieve maturity level 3 in patching operating systems, which is:

“The latest release, or the previous release, of operating systems are used for workstations, servers and network devices.”

Essentially, you’re 100% up-to-date, all the time, on rolling out the latest operating systems. That’s a mammoth task and one I honestly think many organisations will never achieve, certainly not without automation.

The big question here, though, is what counts as a release for the purpose of the Essential Eight? Start by determining whether this process applies to every minor release or just major releases in your organisation.

One way we see businesses getting close to achieving this control, is by automatically deploying the update one-week after release of the latest version of a system. This gives a week for early adopters to discover any problems, report bugs and allows the vendor time to adjust before our customers apply the patch.

If you’re keen to get your patches out even sooner, you might like to consider joining an early adopters’ program and assisting in the beta testing of new software releases yourself.

Where to from here?

Patching operating systems is the toughest set of Essential Eight controls for most organisations to meet, especially at the higher maturity levels. Most businesses we work with are coming from a patch cycle of every 6-8 weeks, and in some cases, longer. The best first step is a scanning service, as this makes many of the other controls less demanding and gives you a clearer picture. You can build a strategy from there, prioritising by risk level. Don’t forget, help is always available to make it possible to meet your required standard, without making it an all-consuming task.

For instance, when WannaCry hit, one customer came to us exhausted after a weekend spent patching 900 servers. We brought in Tenable to scan their environment, then worked with them to create a priority list. Six months later, after working methodically through the list, they were in a far better position, and won’t have staff working all weekend to patch servers. There is a policy in place, and a set of procedures to follow that means they are better prepared and able to respond more effectively.

Whichever maturity level you are working towards, some preparation now means you are better positioned to slam the door in the face of any cyber criminal who chances their luck. Patching operating systems means you shut down some of the most commonly exploited vulnerabilities. Would-be intruders will always be around to check your defences but that’s no reason to lay down a welcome mat and allow them to make themselves at home.

Want to know more about the Essential Eight maturity levels? Check out our other blogs, or chat with the Data#3 security practice.

Essential Eight Adoption Assessment

Using the ACSC recommendations as a framework, Data#3 has built an Essential Eight Assessment to help organisations understand and improve their security posture.

The Essential Eight Assessment is a 5-day engagement, conducted by a Data#3 Information Assurance Specialist, including up to 2 days spent onsite with the customer.


This is blog 7 of a 9-part series. See earlier posts on:

1. Your guide to the ACSC’s Essential Eight Maturity Model
2. Essential Eight Maturity Model: Application Control
3. Essential Eight Maturity Model: Patch Applications
4. Essential Eight Maturity Model: Configure Microsoft Office Macro Settings
5. Essential Eight Maturity Model: User Application Hardening
6. Essential Eight Maturity Model: Restrict Administrative Privileges
7. You are here.
8. Essential Eight Maturity Model: Multi-Factor Authentication
9. Essential Eight Maturity Model: Regular Backups

1. Forrester Inc. S. Carielli. (May, 2020). The State of Application Security, 2020. [Online] Available at: https://www.forrester.com/report/The-State-Of-Application-Security-2020/RES159057 2. The Stack. (July, 2021). A record number of software vulnerability were reported in 2021. [Online] Available at: https://thestack.technology/record-cves-in-2021/