
Essential Eight · Control 02 of 08

Patch applications

Keeping your software up to date so it has the latest security fixes.

Why this control matters

Most cyberattacks exploit known vulnerabilities in software. The patches have usually been available for months. The attackers aren't clever; the defenders are slow. Fast, consistent application patching removes the easiest path into your environment.

The three maturity levels

Patch applications at Essential Eight ML1, ML2 and ML3.

These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.

ML1 · The 2026 baseline

Internet-facing services are patched for critical vulnerabilities within 2 weeks (or 48 hours if an exploit exists). Office productivity suites, web browsers, email clients, PDF software, and security products are patched within 1 month.

ML2 · Regulated or under audit

Patches for internet-facing services with known exploits are applied within 48 hours. Office productivity suites and similar are patched within 2 weeks.

ML3 · Defence or sensitive

All software patches are applied within 48 hours of release when an exploit exists. Applications no longer supported by vendors are removed.
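
To make the three sets of windows concrete, here is an added example (not CCP's or the ACSC's own tooling) that checks a constructed list of unpatched applications against the deadlines summarised above. The record shape, application names and dates are hypothetical, "1 month" is assumed to be 30 days, and any case this page gives no figure for is reported as such rather than guessed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

INTERNET = "internet-facing service"
DESKTOP = "office suite, browser, email client, PDF software or security product"

# Patch windows in days, taken only from the ML summaries on this page.
# Key: (asset class, exploit exists). 48 hours is counted as 2 days, and
# "1 month" as 30 days (an assumption). The ML1 2-week figure is for
# critical vulnerabilities. A missing key means this page states no window.
WINDOW_DAYS = {
    "ML1": {(INTERNET, True): 2, (INTERNET, False): 14,
            (DESKTOP, True): 30, (DESKTOP, False): 30},
    "ML2": {(INTERNET, True): 2, (DESKTOP, True): 14, (DESKTOP, False): 14},
}

@dataclass
class Finding:                      # one unpatched application (hypothetical record shape)
    app: str
    asset_class: str
    patch_released: date
    exploit_exists: bool
    vendor_supported: bool = True

def assess(level, finding, today):
    """Return (status, due_date) for one unpatched application."""
    if level == "ML3" and not finding.vendor_supported:
        return ("remove", None)     # ML3: unsupported applications are removed
    if level == "ML3" and finding.exploit_exists:
        days = 2                    # ML3: all software, 48 hours when an exploit exists
    else:
        days = WINDOW_DAYS.get(level, {}).get((finding.asset_class, finding.exploit_exists))
    if days is None:
        return ("no window stated on this page", None)
    due = finding.patch_released + timedelta(days=days)
    return ("overdue" if today > due else "within window", due)

# Constructed inventory; application names and dates are made up.
INVENTORY = [
    Finding("vpn-gateway", INTERNET, date(2026, 3, 1), exploit_exists=True),
    Finding("web-browser", DESKTOP, date(2026, 3, 1), exploit_exists=False),
    Finding("legacy-lob-app", DESKTOP, date(2025, 1, 10), False, vendor_supported=False),
]

def report(level, today, inventory=INVENTORY):
    """Map each application name to its (status, due_date) at the given level."""
    return {f.app: assess(level, f, today) for f in inventory}

if __name__ == "__main__":
    for level in ("ML1", "ML2", "ML3"):
        print(level, report(level, date(2026, 3, 20)))
```

The same browser patch that is within its window at ML1 is already overdue at ML2, which is why the target level has to be fixed before measuring compliance.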

Not sure which level you should aim for?

The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.


How we run it

The way CCP implements patch applications for clients.

We maintain a patch cadence governed by your agreed Maintenance Window. Internet-facing services get a 48-hour SLA when an exploit is known in the wild. Office productivity suites and browsers sit on a monthly cadence against ACSC minimums. Patches that cause breakage are rolled back automatically and investigated the same day. We don't leave a vulnerable version running 'pending review'.

Free self-assessment

No email required.

Score yourself on all eight controls, get a branded PDF.

Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.


Common questions

What people actually ask about patch applications.

What's the difference between this and OS patching?

OS patching is Windows, macOS and Linux themselves. Application patching is everything you install on top: browsers, Adobe, Office, Teams, third-party line-of-business software. Attackers target whichever is stale; you need both.

What about line-of-business software that can't be patched?

That software has entered a risk conversation with a clock on it. Either the vendor will patch (and we wait), or the vendor has abandoned it (and it needs replacing or isolating). We'll help you have the vendor conversation or scope a replacement. Leaving unpatched software on the network indefinitely isn't a valid answer under ML1 or above.

Will my staff get constant reboot prompts?

No. Reboots are scheduled inside your Maintenance Window with 2 to 4 hours' notice. Only critical, exploited vulnerabilities can trigger an out-of-band patch with shorter notice, but that's rare and we tell you beforehand.

How do you know what's installed on every device?

Intune inventory plus our RMM agent give us a live software inventory across every managed device. A new application installed anywhere in the fleet shows up in our next sweep. You get the inventory report as part of your quarterly review.

These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.
