Weekly scanning for missing patches or updates in key software
Use a tool every week to check and update key software like browsers and office apps to fix security issues.
Plain language
This control is about using a special tool each week to check if important software on your computers, like web browsers and email programs, needs updating to fix security problems. It's important because outdated software can have weaknesses that cybercriminals exploit, potentially leading to data loss or other serious issues.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
Patch applications
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 May 2026
E8 maturity levels
ML1
Official control statement
A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.
Why it matters
Unpatched office apps, browsers, email clients and PDF tools are common attack paths. Weekly vulnerability scans identify missing patches before exploitation.
Operational notes
Run an authenticated vulnerability scanner at least weekly across office suites, browsers/extensions, email clients, PDF and security tools; track findings to patch quickly.
Implementation tips
- IT team should choose a reliable vulnerability scanning tool. This tool should be able to identify outdated or unpatched software across all devices used in the organisation.
- The system administrator should schedule weekly scans using the chosen tool. Set up an automatic scan every week to ensure that no important software updates are missed.
- Security officer should ensure the vulnerability database used by the tool is updated frequently. This guarantees that the scanning tool recognises all current threats and vulnerabilities.
- IT team should prioritise the results of the scans. After each scan, make a list of software vulnerabilities and address the most critical ones as soon as possible.
- System administrator should maintain records of all scans conducted. Keep a log of the scan dates, the issues found, and the actions taken in response to ensure a clear audit trail.
Audit / evidence tips
- AskCan you show how you perform the weekly vulnerability scans?
- GoodThere are consistent weekly scan logs showing identified vulnerabilities and corresponding patch updates applied
- AskHow do you ensure your vulnerability scanner's database is current?
- GoodThe vulnerability database is updated daily, ensuring all newly identified threats are covered
Cross-framework mappings
How E8-PA-ML1.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| Annex A 8.8 | E8-PA-ML1.4 requires organisations to use weekly vulnerability scanning to identify missing patches/updates for common end-user software ... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1143 | E8-PA-ML1.4 requires organisations to conduct weekly vulnerability scanning specifically to identify missing patches/updates in key softw... | |
| sync_alt Partially overlaps (4) expand_less | ||
| ISM-1163 | ISM-1163 requires a continuous monitoring plan including regular vulnerability scanning and mitigation | |
| ISM-1693 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates, but only for office suites, browsers/extensions, email clien... | |
| ISM-1700 | E8-PA-ML1.4 requires organisations to use a vulnerability scanner at least weekly to identify missing patches or updates in key end-user ... | |
| ISM-1703 | E8-PA-ML1.4 requires weekly vulnerability scanning to identify missing patches or updates for key end-user and security applications | |
| handshake Supports (8) expand_less | ||
| ISM-0298 | E8-PA-ML1.4 requires weekly vulnerability scanning to identify missing patches or updates in key software categories | |
| ISM-1467 | ISM-1467 requires organisations to ensure the latest releases of specified user applications and security products are used | |
| ISM-1634 | ISM-1634 requires system owners and authorising officers to select and tailor controls to achieve system-specific security and resilience... | |
| ISM-1691 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates in key software so remediation can be actioned | |
| ISM-1692 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for vulnerabilities in key user applications and security pro... | |
| ISM-1704 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for key applications and security products | |
| ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner | |
| ISM-1901 | E8-PA-ML1.4 requires weekly scanning to identify missing patches or updates for vulnerabilities in key user applications and security pro... | |
| link Related (1) expand_less | ||
| ISM-1699 | E8-PA-ML1.4 requires a vulnerability scanner be used at least weekly to identify missing patches or updates for office productivity suite... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.