Patching appears twice in the Essential Eight: as control 2 (patching applications) and control 5 (patching operating systems). The two controls have similar objectives but different implementation priorities, and each has its own maturity level requirements.
The Maturity Level Requirements
At Maturity Level One: extreme-risk vulnerabilities patched within 48 hours, high-risk within one month, internet-facing applications patched within two weeks. At Maturity Level Two: the same timeframes apply across all systems — not just internet-facing. At Maturity Level Three: assets must be inventoried and assessed against the latest vulnerability intelligence, with automated scanning and patch management.
Internet-Facing Systems First
The patching priority hierarchy starts with internet-facing systems. A web server, VPN appliance, or email gateway with an unpatched critical vulnerability is accessible to every attacker with internet access. These systems must be patched within 48 hours for extreme-risk vulnerabilities — which in practice means patch management for these systems needs to be near-automated.
The Asset Register Requirement
You cannot patch what you do not know you have. An asset register — a documented inventory of every device, operating system version, and significant application in the environment — is a prerequisite for a credible patching program. Without it, there is no systematic way to confirm that patches have been applied across the entire environment.
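The timeframes above only become checkable once they are applied to the asset register, so here is an added example (not from the original page) that scores register entries against the stated Maturity Level One and Two windows. The asset names, dates and the 30-day reading of "one month" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows as the page states them; "one month" is taken as 30 days (assumption).
SEVERITY_WINDOW = {"extreme": timedelta(hours=48), "high": timedelta(days=30)}
INTERNET_FACING_WINDOW = timedelta(days=14)


@dataclass
class Finding:
    asset: str                          # name from the asset register
    internet_facing: bool
    severity: str                       # "extreme" or "high"
    available: datetime                 # when the vendor patch became available
    patched: Optional[datetime] = None  # None while still unpatched


def deadline_for(f: Finding, maturity_level: int) -> Optional[datetime]:
    """Deadline for a finding; None when ML1's internet-facing scope leaves it without one."""
    if maturity_level < 2 and not f.internet_facing:
        return None
    window = SEVERITY_WINDOW[f.severity]
    if f.internet_facing:                      # two-week cap for internet-facing systems
        window = min(window, INTERNET_FACING_WINDOW)
    return f.available + window


def status(f: Finding, maturity_level: int, now: datetime) -> str:
    due = deadline_for(f, maturity_level)
    if due is None:
        return "out-of-scope"
    if f.patched is not None:
        return "compliant" if f.patched <= due else "patched-late"
    return "overdue" if now > due else "open"


def report(findings, maturity_level: int, now: datetime) -> dict:
    return {f.asset: status(f, maturity_level, now) for f in findings}


# Constructed sample register entries; not real assets or vulnerabilities.
NOW = datetime(2024, 3, 10, 12, 0)
SAMPLE = [
    Finding("vpn-gw-01", True, "extreme", datetime(2024, 3, 9, 9, 0)),
    Finding("web-01", True, "high", datetime(2024, 2, 20), patched=datetime(2024, 3, 4)),
    Finding("mail-gw", True, "extreme", datetime(2024, 3, 7), patched=datetime(2024, 3, 9, 13, 0)),
    Finding("fileserver-02", False, "high", datetime(2024, 2, 1)),
]

if __name__ == "__main__":
    for level in (1, 2):
        print(f"Maturity Level {level}: {report(SAMPLE, level, NOW)}")
```

The internal file server shows the difference between the two levels: out of scope at Maturity Level One, overdue at Maturity Level Two.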
Tooling Choices
For Microsoft environments, Windows Server Update Services (WSUS), Microsoft Intune, or a commercial patch management platform can automate patch distribution and provide compliance reporting. Intune is included in Microsoft 365 Business Premium and is the natural choice for businesses already on that platform.
What happens to systems that cannot be patched — legacy software, custom applications?
Legacy systems that cannot be patched require compensating controls: network isolation, application control, enhanced monitoring. They should be documented in a risk register with a plan for replacement or remediation. Unpatched legacy systems in production environments are a known risk that needs to be owned by someone in the organisation.