Essential Eight Maturity Level 1 is the Australian government’s cyber security baseline for SMBs. In this guide, we’ll explain how to meet the second Essential Eight strategy, ‘Patch operating systems’ – including the exact steps your IT provider should be taking to keep your business safe.
This article is part of a series on implementing the Essential Eight to Maturity Level 1. Read other articles in the series here.
Automated Asset Discovery
Control:
- An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Your IT environment is bigger than the computers your staff work on. Mobile phones, servers, and IoT devices are all endpoints that can access the internet, which means they’re targets for cyber security attacks.
Unfortunately, you can’t defend what you can’t see – and many organisations aren’t fully aware of the assets that comprise their IT environment. That’s why Maturity Level 1 mandates automated asset discovery. Your IT provider will normally use a dedicated asset discovery tool like Lansweeper to find all devices connected to your network, which will then build out a live asset inventory.
Make sure your provider uses a discovery method that identifies both on- and off-network devices. A laptop that’s disconnected from Wi-Fi and ethernet, for example, won’t necessarily be ‘found’ by a basic scanner; you’ll need to have an agent – a semi-autonomous software component – installed on the laptop. That agent will then capture data and pass it to the asset discovery tool whenever it’s reconnected to the internet.
Most good discovery tools will provide both active and passive discovery options. Passive discovery involves constantly ‘listening’ to network traffic to detect any devices that join the network – it’s a great way to detect the kind of unauthorised assets mentioned in the Essential Eight assessment guide.
Active discovery is deeper and more robust, but also more resource-intensive. Your IT provider should run an active scan at least once a fortnight to detect software versions and patch levels in line with Maturity Level 1.
Automated Vulnerability Scanning
Controls:
- A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
- A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
Once your IT provider has compiled an asset inventory with software versions and patch levels, they can scan that inventory to find vulnerabilities.
Tools like Nessus and Action1 essentially cross-check the detected version and patch level against a database of known vulnerabilities, like CVE (US) and EUVD (Europe). When vulnerabilities are detected, they’ll be prioritised by their severity score (CVSS), which allows your IT provider to tackle them in a systematic way.
CVSS isn’t the only prioritisation criterion. Your IT provider will probably have a bespoke formula that assesses total risk based on factors like:
- the number of affected assets
- the criticality of affected assets
- risk of exploitation based on in-place controls
- possible impact based on in-place controls
- whether the vulnerability is a ‘known exploit’ (that is, whether it has been used to successfully execute an attack in another environment).
Keep in mind that, to be Maturity Level 1-compliant, those scans need to run daily for internet-facing servers and network devices, and fortnightly for workstations and non-internet-facing servers and network devices. Because the Essential Eight assessment criteria require evidence of ‘previous vulnerability scans’, it’s a good idea to have your IT provider retain scan logs for, at minimum, the past 90 days.
Patching and Updating
Controls:
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within 48 hours of release when vulnerabilities are assessed as critical by vendors or when working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices are applied within two weeks of release when vulnerabilities are assessed as non-critical by vendors and no working exploits exist.
- Patches, updates or other vendor mitigations for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices are applied within one month of release.
Your IT provider can’t automatically fix a vulnerability they detect. They’ll need to wait until the operating system vendor releases a patch. Patches are exactly what they sound like – software updates that are designed to fix bugs and vulnerabilities.
The controls for Maturity Level 1 are dependent on the date of patch release, not vulnerability detection. That means your IT provider needs to detect when patches are available, then compare any new releases against previously discovered operating system vulnerabilities.
The majority of vulnerability management tools – Nessus, Action1, and similar – support automated patch detection, which makes compliance much, much easier. All your provider needs to do is configure the rollout settings correctly, schedule deployment at appropriate times, and keep an eye on success rates.
They might, for example, enable automatic rollout of all critical OS patches with staged deployments. As soon as a patch is available, it will be deployed in progressively larger batches of endpoints. If there are any issues with a batch, the rollout stops. That ensures you stay compliant with Maturity Level 1 – without exposing your whole environment to a potentially buggy update.
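As an added illustration (not code from the original article or from any particular patching tool), here is a small Python model of the three Maturity Level 1 deadlines above, with the clock keyed to the patch release date as described. The asset names and dates are constructed, and ‘one month’ is taken to mean the same calendar day of the following month (clamped to that month’s last day), which is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import calendar

@dataclass
class PatchTask:
    asset: str
    internet_facing: bool            # internet-facing server or network device?
    vendor_critical: bool            # vendor rates the vulnerability critical?
    working_exploit: bool            # is a working exploit known to exist?
    released: datetime               # when the vendor released the patch
    applied: Optional[datetime] = None  # when the patch was applied, if at all

def one_month_after(d: datetime) -> datetime:
    """Same calendar day next month, clamped to that month's last day (assumption)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)

def patch_deadline(t: PatchTask) -> datetime:
    """ML1 deadline: the clock starts at patch release, not at detection."""
    if t.internet_facing:
        if t.vendor_critical or t.working_exploit:
            return t.released + timedelta(hours=48)   # critical or exploited
        return t.released + timedelta(weeks=2)        # non-critical, no exploit
    # Workstations and non-internet-facing servers/devices: one month regardless
    # of vendor severity, because the ML1 control adds no criticality clause.
    return one_month_after(t.released)

def status(t: PatchTask, now: datetime) -> str:
    """'ok' (applied in time), 'late' (applied after the deadline),
    'pending' (not yet due) or 'overdue' (not applied and past the deadline)."""
    deadline = patch_deadline(t)
    if t.applied is not None:
        return "ok" if t.applied <= deadline else "late"
    return "pending" if now <= deadline else "overdue"

def report(tasks, now: datetime) -> dict:
    """Map each asset to its compliance status at the given point in time."""
    return {t.asset: status(t, now) for t in tasks}

# Constructed sample inventory; these are not real assets or real patches.
INVENTORY = [
    PatchTask("edge-fw-01", True, False, True, datetime(2025, 11, 3, 9)),
    PatchTask("web-01", True, False, False, datetime(2025, 11, 3, 9)),
    PatchTask("ws-042", False, True, False, datetime(2025, 10, 31, 8),
              applied=datetime(2025, 11, 20, 12)),
    PatchTask("db-01", False, False, False, datetime(2025, 1, 31, 8)),
]

if __name__ == "__main__":
    for asset, s in report(INVENTORY, datetime(2025, 11, 6, 10)).items():
        print(f"{asset:12} {s}")
```

Run against the sample inventory on 6 November 2025, the firewall with a known working exploit is already overdue two days after release, while the workstation, despite a vendor ‘critical’ rating, only had to be patched within the month.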
Unsupported Operating System Removal
Control: Operating systems that are no longer supported by vendors are replaced.
Like everything in your IT environment, operating systems have lifecycles. They’re released, they exist for a time (supported by regular vendor updates), and then they reach end of life. At that point, the vendor stops releasing updates and patches. The operating system becomes ‘unsupported’ – it still works, but, as the tech environment it exists in evolves, it will gradually run less and less effectively. (Any vulnerabilities that emerge will also be fair game for adversaries.)
To meet Maturity Level 1, you need to replace unsupported operating systems. Windows 10 is the most obvious example. It reached end of life on 14 October 2025 and was succeeded by Windows 11.
Your IT provider should have already rolled out Windows 11 via Microsoft Intune. If they haven’t, find out why. Sometimes, the cause can be as simple as devices evading update rings. In other cases, devices might not be physically capable of running Windows 11 – in which case, finding budget to replace those devices is critical.
Need help reaching Essential Eight Maturity Level 1? We work with Australian SMBs to strengthen their security postures – without affecting business productivity.