Up-to-date vulnerability scanner used for scanning activities
Use a current vulnerability scanner to check for security issues in your apps.
Plain language
This control is about using a vulnerability scanner that is always up-to-date to check for security weaknesses in your applications. Keeping the scanner updated is important because it helps you find and fix problems before hackers can exploit them.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
Why it matters
If the scanner’s vulnerability database is out of date, known CVEs may not be detected, leaving exploitable weaknesses unremediated.
Operational notes
Keep scanner engines and vulnerability feeds current; run scheduled authenticated scans and triage findings quickly to drive timely remediation.
Implementation tips
- IT team should ensure the vulnerability scanner is updated daily by scheduling automatic updates or checking manually.
- System administrator should configure the vulnerability scanner to run scans at least weekly to detect any weaknesses in software and applications.
- Security officer should review scan reports to ensure identified vulnerabilities are addressed in a timely manner.
- IT team should document and follow a clear process for updating the scanner’s vulnerability database, including roles, schedule, and steps involved.
Audit / evidence tips
- AskWhen was the last time the vulnerability database was updated?
- GoodThe logs show that the database was updated within the last 24 hours
- AskHow often are vulnerability scans conducted?
- GoodScans are conducted at least weekly, as shown by recent reports
Cross-framework mappings
How E8-PA-ML1.2 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.8 | E8-PA-ML1.2 requires using a vulnerability scanner with an up-to-date vulnerability database for scanning activities | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (6) expand_less | ||
| ISM-1163 | E8-PA-ML1.2 requires use of a vulnerability scanner with an up-to-date vulnerability database for scanning activities | |
| ISM-1698 | E8-PA-ML1.2 requires that vulnerability scanning activities use a vulnerability scanner with an up-to-date vulnerability database | |
| ISM-1699 | E8-PA-ML1.2 requires use of a vulnerability scanner with an up-to-date vulnerability database for scanning activities | |
| ISM-1700 | E8-PA-ML1.2 requires that vulnerability scanning uses a scanner with an up-to-date vulnerability database | |
| ISM-1701 | E8-PA-ML1.2 requires vulnerability scanning activities to be performed with a scanner that has an up-to-date vulnerability database | |
| ISM-1703 | E8-PA-ML1.2 requires that vulnerability scanning activities use a scanner with an up-to-date vulnerability database | |
| handshake Supports (4) expand_less | ||
| ISM-0402 | E8-PA-ML1.2 requires that organisations use a vulnerability scanner with an up-to-date vulnerability database for vulnerability scanning ... | |
| ISM-1634 | ISM-1634 requires system owners and authorising officers to choose and tailor an appropriate set of controls to meet desired security and... | |
| ISM-1693 | ISM-1693 requires patches and vendor mitigations for non-core applications to be applied within one month of release | |
| ISM-1697 | ISM-1697 requires organisations to apply non-critical driver patches within one month under defined exploitability conditions | |
| link Related (1) expand_less | ||
| ISM-1808 | E8-PA-ML1.2 requires that vulnerability scanning activities use a vulnerability scanner with an up-to-date vulnerability database | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.