Daily vulnerability scanning for missing patches in online services
Use a daily scanner to find missing security updates for online services.
Plain language
This control is about checking every day if our online services need important updates or patches. It's like running a daily check-up on your car to make sure it's safe to drive. Without these checks, our online services could become vulnerable to cyber attacks that exploit outdated software.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
Why it matters
Without daily vulnerability scans of online services, missing patches can go unnoticed and be rapidly exploited, increasing compromise risk.
Operational notes
Review daily vulnerability scan results for internet-facing services, triage missing patches, and track remediation to closure within agreed timeframes.
Implementation tips
- The IT team should set up a daily schedule for using a vulnerability scanner on all online services to check for missing updates.
- The system administrator should choose a vulnerability scanner with an up-to-date database to ensure the scanner is aware of the latest threats.
- The security officer should ensure the scanner runs automatically at a set time each day and review the results to identify any critical updates needed.
- The IT team should configure the scanner to send automated reports or alerts to responsible team members when missing patches are detected.
- The system administrator should regularly check and update the vulnerability scanner itself to make sure it works with the latest threat intelligence.
Audit / evidence tips
-
AskHow often is the vulnerability scanner run for online services?
-
GoodLogs show daily scans with timestamps indicating recent activities
-
AskIs the vulnerability database of the scanner being updated regularly?
-
GoodThe logs indicate that updates are applied within the last 24 hours before each scan
Cross-framework mappings
How E8-PA-ML1.3 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.8 | E8-PA-ML1.3 requires a specific operational practice: using a vulnerability scanner at least daily to identify missing patches or updates... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (1) expand_less | ||
| ISM-1701 | E8-PA-ML1.3 requires daily vulnerability scanning to identify missing patches or updates for vulnerabilities in online services | |
| handshake Supports (2) expand_less | ||
| ISM-0298 | E8-PA-ML1.3 requires daily scanning to identify missing patches or updates for vulnerabilities in online services | |
| ISM-1143 | E8-PA-ML1.3 requires daily vulnerability scanning to identify missing patches or updates for vulnerabilities in online services | |
| extension Depends on (1) expand_less | ||
| ISM-1808 | E8-PA-ML1.3 requires daily vulnerability scanning to identify missing patches or updates for vulnerabilities in online services | |
| link Related (1) expand_less | ||
| ISM-1698 | E8-PA-ML1.3 requires a vulnerability scanner to be used at least daily to identify missing patches or updates for vulnerabilities in onli... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.