Automated asset discovery at least fortnightly
Use automated tools every two weeks to find all devices for security checks.
Plain language
This control is about making sure you have a good handle on all the computers and devices within your business by automatically finding them every two weeks. It's important because missing even one device means it could have vulnerabilities that hackers can exploit. Regularly knowing all your assets helps you ensure they are secure and up to date.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Why it matters
Without fortnightly automated asset discovery, unknown or unmanaged devices can miss vulnerability scanning, leaving exploitable entry points in the environment.
Operational notes
Schedule automated discovery at least every fortnight; compare findings to the asset register and investigate new, missing or rogue devices so they are included in vulnerability scanning.
Implementation tips
- IT Team: Set up an automated tool to regularly scan your network for all connected devices every two weeks. Choose a tool that meets your needs and follow the guide provided to configure regular scans.
- System Administrator: Maintain a list of all detected devices from each scan. Ensure the list is current and audit it at least every fortnight to detect new or unauthorised devices.
- Security Officer: Align asset discovery scans with your vulnerability scans. This might involve scheduling both tasks to occur at the same time to streamline monitoring efforts.
- IT Manager: Evaluate and choose a reliable asset discovery tool or software that can be integrated with your existing systems to ensure there are no gaps in device detection.
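The reconciliation step from the operational notes, as an added example (not code from this page or from ASD): it diffs one discovery run against the asset register and flags any interval between runs longer than a fortnight. The record fields, matching on MAC address, and all sample data are constructed assumptions.

```python
from datetime import date

FORTNIGHT_DAYS = 14  # "at least fortnightly" from the control statement

def norm_mac(mac):
    """Normalise MAC formatting so AA-BB-.., aa:bb:.. and aabb.ccdd.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def cadence_gaps(run_dates, today, max_days=FORTNIGHT_DAYS):
    """Return (start, end, days) for each interval between runs, and from the last run to today, longer than max_days."""
    points = sorted(run_dates) + [today]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > max_days]

def reconcile(register, discovered):
    """Diff one discovery run against the asset register, keyed on normalised MAC."""
    reg = {norm_mac(r["mac"]): r for r in register}
    seen = {norm_mac(d["mac"]): d for d in discovered}
    return {
        "new": sorted(seen.keys() - reg.keys()),      # on the network, not in the register
        "missing": sorted(reg.keys() - seen.keys()),  # in the register, not seen this run
        "scan_targets": sorted(d["ip"] for d in seen.values()),  # everything found gets scanned
    }

# Constructed sample data (hypothetical devices and run dates)
REGISTER = [
    {"mac": "00-1A-2B-3C-4D-01", "name": "ws-finance-01"},
    {"mac": "00:1a:2b:3c:4d:02", "name": "printer-l2"},
    {"mac": "00:1A:2B:3C:4D:03", "name": "ws-hr-04"},
]
DISCOVERED = [
    {"mac": "00:1a:2b:3c:4d:01", "ip": "10.0.0.11"},
    {"mac": "001A.2B3C.4D02", "ip": "10.0.0.40"},
    {"mac": "00:1a:2b:3c:4d:99", "ip": "10.0.0.77"},
]
RUNS = [date(2026, 1, 5), date(2026, 1, 19), date(2026, 2, 9)]
TODAY = date(2026, 2, 16)

if __name__ == "__main__":
    print("cadence gaps:", cadence_gaps(RUNS, TODAY))
    print("reconciliation:", reconcile(REGISTER, DISCOVERED))
```

Normalising the MAC before comparing matters because discovery tools and hand-maintained registers rarely agree on separators or case, and a naive string match would report every device as both new and missing.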
Audit / evidence tips
- Ask: How do you discover all the assets in your organisation?
- Good: The organisation uses an automated tool to scan for assets every fortnight. They maintain detailed records of all devices, and the reports are regularly updated and include all asset types, such as workstations and printers.
Cross-framework mappings
How E8-PA-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| Annex A 8.8 | E8-PA-ML1.1 requires fortnightly automated asset discovery to identify assets for follow-on vulnerability scanning | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| ISM-0336 | E8-PA-ML1.1 requires an automated method of asset discovery at least fortnightly to identify assets for subsequent vulnerability scanning | |
| Supports (6) | | |
| ISM-1163 | E8-PA-ML1.1 requires fortnightly automated asset discovery so an organisation can detect assets that need to be included in vulnerability... | |
| ISM-1697 | ISM-1697 requires organisations to patch non-critical driver vulnerabilities within one month when no working exploits exist | |
| ISM-1702 | E8-PA-ML1.1 requires automated asset discovery at least fortnightly so organisations can detect what assets exist for follow-on vulnerabi... | |
| ISM-1703 | E8-PA-ML1.1 requires running automated asset discovery at least fortnightly to identify assets that should be included in vulnerability s... | |
| ISM-1752 | E8-PA-ML1.1 requires automated asset discovery at least fortnightly to support detection of assets for later vulnerability scanning | |
| ISM-1966 | ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems | |
| Related (1) | | |
| ISM-1807 | E8-PA-ML1.1 requires an automated method of asset discovery to be run at least fortnightly to detect assets for subsequent vulnerability ... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.