ACSC Essential Eight, Patch Operating Systems

Welcome back to our discussion on the Australian Cyber Security Centre (ACSC) Essential Eight series, where we help decode the ACSC Essential Eight risk mitigation strategies, designed to help businesses proactively protect themselves from ever-evolving threats. So far, we have deep-dived into the first five strategies: Application Control, Patch Applications, Configure Microsoft Office Macro Settings, User Application Hardening, and Restrict Administrative Privileges. 

In this blog, we are covering the next strategy, patch operating systems, which continues the focus on limiting the extent of a potential cybersecurity incident. There are similarities here with the Patch Applications strategy, such as policies on patching frequency, vulnerability scanning, and only using supported operating systems. To protect the environment, we must stay current with supported operating systems and keep them up to date with current updates or security patches.

Recap: What is the ACSC Essential Eight 

Before diving into patching operating systems, we should quickly revisit the purpose of the Essential Eight. Established by the Australian Signals Directorate in 2017 and revised in 2021, the ACSC Essential Eight is a set of mitigation strategies designed to harden, protect, and defend IT infrastructure. 

As you build your security posture, you can also build on the foundations of the Essential Eight by adding further layers of security. You can refer to the ACSC Strategies to Mitigate Cybersecurity Incidents and the ACSC Information Security Manual (ISM) for information on other strategies.

Why patch operating systems 

An operating system is a common component that controls the computer's hardware, software, and services, making it an attractive target for attackers. Ignoring known vulnerabilities leaves your computer open to compromise and can expose businesses and users to unacceptable risk. 

The three maturity levels of patching operating systems 

The ACSC Essential Eight has three targeted maturity levels based on risk profiles. To determine your clients’ maturity level requirements, you will need to identify their risk profiles.  


Patching operating systems and the Information Security Manual (ISM) 

As you continue to build out the security posture for your clients and yourself, you will likely be looking beyond the Essential Eight for a broader security framework like the ACSC Information Security Manual (ISM). 

The following mapping of the Essential Eight to the ISM framework will assist in building clarity. This will also make it easier to map to other cybersecurity frameworks. 



An operating system provides services to applications and access to hardware, and is essential for a computer to function. As its ubiquitous nature and complexity make it an ideal target for attackers, it’s important to implement a sound strategy when managing your operating system’s currency. Through consistent patching and ensuring only supported operating systems are used, you can significantly reduce the attack vectors available to a threat actor. This hardening will make your environment more secure.  

A key theme of the ACSC Essential Eight is the time taken to patch, because threat actors have become adept at attacking new vulnerabilities as soon as they are disclosed. As your patching strategy evolves, you will need to take this into account and patch quickly.

The ACSC Essential Eight provides practical, staged guidance on operating system patching that can be scaled based on the risk profile of the organisation. This guidance will strengthen your ability to limit the extent of a cyber security incident by reducing the available attack surface of the operating system.