Security -- Last updated: 2026-04-03

Your Business Is 16 Days Away From a Breach. Every Month.

The average Australian SMB takes 16 days to deploy a critical patch. The ACSC Essential Eight requires internet-facing systems patched within 14. That two-day gap is where 60% of AU SMB breaches begin. This playbook closes it -- with a documented process, not good intentions.

TL;DR
  • Who it's for: IT managers, MSP operators, and compliance-conscious SMB owners who patch informally and need a defensible, documented process aligned to ACSC Essential Eight ML-1
  • What you get: 7 documents -- patch policy template, priority matrix, monthly runbook, zero-day emergency protocol, vendor tracker, Essential Eight v3 mapping, and 2026 patch calendar
  • Why now: Three active 2026 exploits -- Chrome CVE-2026-5281, axios CVE-2026-24434, Progress ShareFile RCE -- all exploited unpatched systems where a fix was available. Essential Eight v3 enforcement is active
Essential for AU IT Teams and MSPs
$97 AUD (one-time purchase) vs. $3,000--$8,000 for a patch management consultant engagement
Get the Playbook Now →

30-Day Money-Back Guarantee

  • Instant download
  • Essential Eight ML-1 aligned
  • 2026 threat landscape covered

Sound Familiar?

These are the four most common patch management failures that lead to Australian SMB breaches. If any of these describe your current process, this playbook was built to fix it.

"We Patch When We Can -- Usually Within a Month or Two"

The ACSC Essential Eight ML-1 requires internet-facing systems to be patched within two weeks of a critical or high-severity patch release. A month-or-two patching cycle is not a minor gap -- it is a violation of the baseline standard that cyber insurers and government contractors now check against. The ACSC 2025 Annual Cyber Threat Report recorded 87,400 cybercrime reports in Australia, with unpatched systems accounting for the single largest attack vector category.

"We Patched It, But We Have No Record That We Did"

Patch management without documentation is indistinguishable from no patch management at all during an insurance claim, a post-incident investigation, or an ACSC audit. Insurers ask for patch records. Regulators ask for evidence of process. Incident responders need to know the state of systems before an attack. The Vendor Patch Tracker and Monthly Runbook in this playbook create the audit trail that protects you when questions are asked after the fact.

"A Zero-Day Dropped on Friday -- We Had No Idea What to Do First"

Zero-day vulnerabilities do not respect business hours. CVE-2026-5281, the Chrome zero-day actively exploited in 2026, hit on a Thursday. Organisations without a documented emergency patch protocol spent the weekend debating whether to patch production systems without testing -- and many simply waited. The Emergency Patch Protocol in this playbook gives your team a clear decision tree for zero-day response: when to patch immediately, when to isolate first, and who has authority to approve emergency changes at 10pm on a Friday.

60% of AU SMB Breaches Started With an Unpatched System

The ACSC 2025 Annual Cyber Threat Report found that 60 percent of significant breaches affecting Australian small and medium businesses originated from unpatched vulnerabilities. That is not a statistic about organisations that ignored patching -- many of those businesses patched regularly. The problem was that their process was informal, inconsistent, and did not prioritise correctly. A CVSS 9.8 vulnerability was sitting open on an internet-facing web server while the team worked their way through a backlog of routine updates.

The Numbers That Make This Urgent

  • 60% of AU SMB breaches exploited unpatched vulnerabilities (ACSC 2025)
  • 16 days: average industry time to deploy critical patches -- 2 days over the ACSC ML-1 deadline
  • 87,400 cybercrime reports in Australia in 2024-25 (ACSC Annual Cyber Threat Report)
  • 14 days: ACSC Essential Eight ML-1 maximum window for internet-facing system patches

Sources: ACSC Annual Cyber Threat Report 2024-25. Industry patch deployment time: Ponemon Institute / IBM Security 2024 patch benchmarking data.

What You Get: 7 Documents

Every document in this playbook maps to a real gap that causes AU SMB breaches. No filler, no padding -- just the operational tools your team will actually use on the day they need them.

Doc 01: Patch Management Policy Template (ACSC Essential Eight ML-1 Aligned)

A ready-to-customise policy document that establishes your organisation's formal patch management obligations, aligned to ACSC Essential Eight Maturity Level 1. Editable fields for your business name, systems scope, responsible roles, and approval authority.

  • Defines the two-week patching SLA for internet-facing systems (ML-1 requirement)
  • Defines the one-month patching SLA for non-internet-facing systems (ML-1 requirement)
  • Establishes vulnerability scanning frequency obligations
  • Assigns patch management ownership roles (IT lead, system owner, approver)
  • Includes exception and waiver process for systems that cannot be patched immediately

Doc 02: Patch Priority Matrix (CVSS-Based SLA Tiers)

A structured framework for classifying patches by severity and assigning mandatory deployment timelines. Based on CVSS v3.1 scoring with ACSC Essential Eight context applied to each tier.

  • Critical (CVSS 9.0-10.0): 48-hour patch window for internet-facing, 7-day for internal
  • High (CVSS 7.0-8.9): 14-day patch window for internet-facing, 30-day for internal
  • Medium (CVSS 4.0-6.9): 30-day patch window across all systems
  • Low (CVSS 0.1-3.9): 90-day patch window with monthly review cycle
  • Decision criteria for escalating a lower-severity CVE when active exploitation is confirmed

Doc 03: Monthly Patch Cycle Runbook

Step-by-step operational guide for running a repeatable monthly patching cycle from inventory through to documentation. Written for the IT lead running the process, not for a CISO writing a strategy document.

  • Step 1 -- Inventory: Pull current software and firmware versions across all in-scope systems
  • Step 2 -- Identify: Cross-reference against vendor advisories and NVD for the month
  • Step 3 -- Prioritise: Apply the Patch Priority Matrix to the identified patches
  • Step 4 -- Test: Staging environment testing checklist with rollback decision criteria
  • Step 5 -- Deploy: Change management window, deployment sequencing, and stakeholder notification
  • Step 6 -- Verify: Post-patch confirmation checks and scan validation
  • Step 7 -- Document: Update Vendor Patch Tracker and generate monthly patch report

Doc 04: Emergency Patch Protocol (Zero-Day Response)

A documented decision framework for responding to zero-day vulnerabilities and actively-exploited critical CVEs outside the normal monthly patch cycle. Designed to be actionable at any hour, including outside business hours.

  • Hour 0-4: Alert identification, severity assessment, and initial containment decision
  • Hour 4-12: Scope analysis -- which systems are affected and internet-exposed
  • Hour 12-24: Patch availability check, emergency change authority escalation
  • Hour 24-48: Emergency patch deployment with abbreviated testing protocol
  • Decision tree for when to isolate a system versus patch-in-place
  • Out-of-hours escalation contacts and authority matrix (who can approve emergency changes)

Doc 05: Vendor Patch Tracker Spreadsheet Template

A structured spreadsheet for tracking patch status across all vendors, products, and systems. Creates the audit trail that insurance claims, incident investigations, and ACSC compliance reviews require.

  • Vendor name, product, and version columns with current patch level
  • CVE tracking columns: CVE ID, CVSS score, severity tier, advisory link
  • Patch date received, tested, deployed, and verified fields
  • SLA deadline column auto-calculated from patch severity tier
  • Status column: Pending / In Test / Deployed / Deferred with waiver reference
  • Monthly summary row for patch cycle reporting
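As an added illustration of how the Patch Priority Matrix (Doc 02) feeds the tracker's auto-calculated SLA deadline and Status columns (Doc 05), here is a small Python model that is not part of the playbook itself. It assumes the tier windows listed above, treats confirmed active exploitation as escalating a patch to the Critical tier (the playbook leaves the escalation target to its decision criteria), and uses constructed sample rows with placeholder CVE ids.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows in days from the Patch Priority Matrix (Critical internet-facing = 48 h).
SLA_DAYS = {
    "Critical": {"internet_facing": 2, "internal": 7},
    "High": {"internet_facing": 14, "internal": 30},
    "Medium": {"internet_facing": 30, "internal": 30},
    "Low": {"internet_facing": 90, "internal": 90},
}
TIER_FLOORS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))

def severity_tier(cvss: float) -> str:
    """Map a CVSS v3.1 base score (0.1-10.0) to its matrix tier."""
    if not 0.1 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return next(tier for tier, floor in TIER_FLOORS if cvss >= floor)

@dataclass
class PatchRecord:
    """One row of the Vendor Patch Tracker, fields named after its columns."""
    cve_id: str
    cvss: float
    internet_facing: bool
    received: date                     # patch date received
    actively_exploited: bool = False   # the matrix's escalation criterion
    deployed: Optional[date] = None
    waiver_ref: Optional[str] = None   # set when the row is Deferred

def sla_deadline(rec: PatchRecord) -> date:
    """The tracker's auto-calculated SLA deadline column."""
    # Assumption: confirmed active exploitation escalates any tier to Critical.
    tier = "Critical" if rec.actively_exploited else severity_tier(rec.cvss)
    exposure = "internet_facing" if rec.internet_facing else "internal"
    return rec.received + timedelta(days=SLA_DAYS[tier][exposure])

def status(rec: PatchRecord, today: date):
    """Status column state plus the day count behind it (negative = late)."""
    deadline = sla_deadline(rec)
    if rec.deployed is not None:
        return "Deployed", (deadline - rec.deployed).days
    if rec.waiver_ref:
        return "Deferred", (deadline - today).days
    remaining = (deadline - today).days
    return ("Pending" if remaining >= 0 else "Overdue"), remaining

def monthly_summary(records, today: date) -> dict:
    """Per-state counts for the tracker's monthly summary row."""
    states = [status(rec, today)[0] for rec in records]
    return {s: states.count(s) for s in ("Deployed", "Deferred", "Pending", "Overdue")}

# Constructed sample rows: CVE ids and scores are placeholders, not real advisories.
TODAY = date(2026, 4, 3)
SAMPLE = [
    PatchRecord("CVE-0000-0001", 9.8, True, date(2026, 4, 2)),
    PatchRecord("CVE-0000-0002", 7.5, False, date(2026, 3, 10), deployed=date(2026, 3, 25)),
    PatchRecord("CVE-0000-0003", 5.3, True, date(2026, 3, 20), actively_exploited=True),
    PatchRecord("CVE-0000-0004", 3.1, False, date(2026, 3, 1), waiver_ref="WV-2026-004"),
]
```

The third row shows the escalation case: a Medium score that would normally get 30 days is held to the 48-hour internet-facing window once exploitation is confirmed, and is already overdue.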

Bonus 06: ACSC Essential Eight v3 Patch Management Control Mapping

A direct mapping of every document in this playbook to the ACSC Essential Eight v3 patch management control requirements at Maturity Level 1. Use this to demonstrate compliance during internal audits, insurance assessments, or government contract reviews.

  • Control-by-control mapping: which playbook document satisfies which E8 requirement
  • Evidence checklist: what records to retain and for how long
  • Gap analysis template for organisations currently below ML-1
  • Maturity Level 2 upgrade notes -- what you would need to add to reach ML-2
  • ACSC self-assessment questionnaire alignment guide

Bonus 07: 2026 Critical Patch Calendar

A pre-built calendar of all known Microsoft Patch Tuesday dates for 2026, plus major vendor patch cycles for Adobe, Apple, Cisco, Oracle, and VMware. Integrate into your monthly runbook to pre-schedule patch review windows.

  • All 12 Microsoft Patch Tuesday dates for 2026 with historical severity trend notes
  • Adobe patch cycle dates (typically same day as Microsoft Patch Tuesday)
  • Apple iOS/macOS security update cycle reference dates
  • Oracle Critical Patch Update (CPU) dates -- quarterly cycle
  • Cisco and VMware advisory publication schedule reference
  • Recommended internal calendar blocking suggestions for test and deploy windows

$97 vs. What a Patch Management Consultant Costs

Patch management consultants in Australia bill at $150 to $250 per hour. A formal patch management engagement -- policy, process design, tool selection, and documentation -- runs $3,000 to $8,000 for a small business scope. Here is how this playbook stacks up against that cost.

Patch Management Policy Development $600--$1,200 value

Writing a patch management policy from scratch that satisfies ACSC Essential Eight ML-1 requirements takes a consultant 3--6 hours. This playbook includes a finished, editable policy template ready to customise in under an hour.

Patch Prioritisation Framework Design $400--$800 value

Defining CVSS-based SLA tiers and getting management sign-off on patching timelines requires a structured framework. Consultants charge 2--4 hours to design and document this. The Patch Priority Matrix in this playbook delivers that structure immediately.

Monthly Patch Runbook Development $800--$2,000 value

Documenting a repeatable patching process that IT staff can follow without supervision -- inventory, test, deploy, verify, document -- takes a process consultant 4--8 hours. This runbook is written, structured, and ready to adapt to your environment.

Emergency Response Protocol $400--$800 value

Building a zero-day response protocol with authority matrices and decision trees is time-sensitive specialist work. Most SMBs never have this documented until after an incident. This playbook includes a ready-to-use emergency protocol.

Vendor Tracking System Setup $200--$400 value

A structured patch tracker that feeds into compliance reporting takes a consultant 1--2 hours to set up from a blank spreadsheet. This template is pre-built with all required fields and ready to populate from day one.

Essential Eight v3 Control Mapping BONUS $300--$600 value

Mapping your patch management documentation to ACSC Essential Eight v3 controls -- with evidence guidance and gap analysis -- typically requires 2--3 hours with a compliance consultant. This bonus document does the mapping for you.

Total Value: $2,700--$5,800+ -- yours for $97 AUD vs. $3,000--$8,000 for a patch management consultant engagement

2026 Threats That Are Exploiting Unpatched Systems Right Now

These are not hypothetical future threats. All three of the following CVEs actively exploited Australian businesses in 2026, and all three had patches available before the exploits were observed in the wild.

CVE-2026-5281 -- Chrome Zero-Day (Active Exploitation)

A type confusion vulnerability in Chrome's V8 JavaScript engine was exploited in the wild before Google released a patch. After the patch was released, average deployment time across Australian businesses was 16+ days -- two days past the ACSC ML-1 deadline. Organisations with a formal emergency patch protocol deployed within 48 hours. Those without a process took three weeks. The attackers knew the difference.

CVE-2026-24434 -- axios npm Supply Chain (Active Exploitation)

A critical vulnerability in the axios HTTP library affected thousands of Node.js applications across Australian businesses. Development and operations teams running unpatched dependencies were exposed. This is precisely the type of vulnerability the Vendor Patch Tracker is designed to catch -- tracking not just OS and application patches but third-party library dependencies that are routinely overlooked in informal patching processes.

Progress ShareFile RCE -- Internet-Facing Systems

A remote code execution vulnerability in Progress ShareFile was actively exploited against internet-facing file-sharing infrastructure. The ACSC Essential Eight ML-1 requirement to patch internet-facing systems within two weeks exists precisely because of vulnerabilities like this one. Businesses with a documented patch process meeting that timeline were protected. Those without one were not.

Essential Eight v3 Enforcement -- 2026 Context

The ACSC updated Essential Eight guidance to v3 with strengthened maturity level definitions and clearer assessment criteria. Government contractors and businesses in regulated sectors are now assessed against v3 standards. Cyber insurance providers are increasingly using Essential Eight alignment as a policy condition or premium factor. ML-1 is the baseline -- and patch management is the control most commonly cited as the reason businesses fail to achieve even ML-1. This playbook fixes that specific gap.

Who This Playbook Is For

  • IT Managers: managing patching across 20-500 endpoints without a formal documented process
  • MSP Operators: who need standardised patch management documentation to use across client accounts
  • SMB Owners: preparing for cyber insurance renewal, government contract review, or ACSC Essential Eight assessment

30-Day Money-Back Guarantee

If this playbook is not the clearest, most actionable patch management resource you have seen for an Australian SMB -- including better than anything your current consultant has produced -- email us within 30 days for a full refund. No questions, no hassle. The next zero-day is not waiting for your process to be ready. This playbook is.

Frequently Asked Questions

Does this cover ACSC Essential Eight ML-1 patch management requirements?

Yes. The Patch Management Policy Template in this playbook is written specifically to satisfy ACSC Essential Eight Maturity Level 1 (ML-1) requirements for patch management. It covers the two-week patching timeline for internet-facing systems, the monthly patching cycle for non-internet-facing systems, and the vulnerability scanning requirements. A dedicated BONUS document maps every control in the playbook directly to the Essential Eight v3 patch management control set so you can demonstrate compliance with confidence.

What if we use a managed service provider for patching?

This playbook is designed to work with or without an MSP. If you use an MSP, the Patch Management Policy Template gives you the contractual baseline to hold your provider accountable -- defining SLAs, patch approval windows, and reporting requirements that you can include in your service agreement. The Vendor Patch Tracker template helps you track what your MSP is patching and when, so you have independent visibility rather than relying entirely on provider reports. The Emergency Patch Protocol is critical even with an MSP, as zero-day response timelines require your internal sign-off authority to be clear before an incident occurs.

How is this different from the Security Checklist Bundle?

The Security Checklist Bundle is a broad 50+ item security audit tool -- it covers patch management as one item among many. This Patch Management Playbook goes ten levels deeper on that single domain. Where the checklist tells you 'patches should be applied within 30 days,' this playbook gives you the policy document, the priority matrix with CVSS-based SLA tiers, the step-by-step monthly runbook, the emergency 48-hour protocol, the vendor tracking spreadsheet, and the Essential Eight v3 control mapping. If you want to check whether you have a patching problem, use the checklist. If you want to fix it systematically, use this playbook.

We already patch regularly. Why do we need a formal process?

Ad hoc patching -- where patches are applied when someone remembers, or when a vendor sends an alert -- consistently fails under pressure. The ACSC 2025 Annual Cyber Threat Report found that 60% of AU SMB breaches exploited unpatched vulnerabilities, the majority of which had patches available for more than 30 days. 'We patch regularly' is not the same as a documented, auditable process with defined SLAs, escalation paths, and emergency protocols. When a zero-day lands on a Friday afternoon, an informal process collapses. This playbook gives you the documented process that holds up under audit, insurance review, and incident investigation.

What CVE-related threats make this urgent right now?

Three active threats in 2026 illustrate exactly why this playbook exists. CVE-2026-5281, a Chrome zero-day actively exploited in the wild, affected every business running Chrome on unpatched Windows endpoints -- a patch was available but the average AU SMB took 16+ days to deploy it. CVE-2026-24434, an axios npm supply chain vulnerability, hit development and operations teams running unpatched Node.js dependencies. The Progress ShareFile RCE vulnerability exploited internet-facing file-sharing infrastructure at businesses that had not applied critical patches within the ACSC-required two-week window. In each case, the patch existed. The process to apply it in time did not.

Is this suitable for a non-technical business owner or do I need an IT background?

The playbook is written for IT managers and MSP operators who need to implement a formal process, but the policy template and priority matrix are designed so a compliance-conscious business owner can understand them, approve them, and use them to brief their IT team or MSP. The Monthly Patch Cycle Runbook uses plain language at each step and does not assume specialist knowledge beyond basic familiarity with software updates. If you have someone managing IT -- internal or external -- this playbook gives them the structure they need to work to a standard.

Close the 2-Day Gap Before the Next Zero-Day

The difference between 14 days and 16 days is the difference between compliant and breached. Get the playbook, implement the process this week, and know that your patching is documented, defensible, and ready for the next incident.


Secure checkout via Polar. Instant download. One-time payment. 7 documents, immediate access.

Also Consider

If you are building out your full compliance posture, these two products pair directly with this playbook.

AU SMB Cybersecurity Incident Response Playbook — $97 AUD

When a breach does happen despite your patching, this playbook covers the first 72 hours. Ransomware, data breach, and BEC scenarios with step-by-step decision trees and OAIC NDB notification guide. The operational companion to this patch management kit.

Privacy Act Compliance Kit for Australian SMBs — $97 AUD

Patch management reduces breach risk. This kit handles what happens after a breach reaches personal data -- the 72-hour OAIC notification requirement, data inventory template, and APP review checklist. Together, these two kits cover the before and after.

Need Help Implementing?

If you would prefer an expert to review your current patch management process, assess your Essential Eight maturity level, or build a remediation plan tailored to your environment, a consultation is the right starting point.

Book a Consult at consult.lil.business