E8-PA-ML2.1 ASD Essential Eight

Fortnightly vulnerability scanning for non-core applications

Use a vulnerability scanner every two weeks to find missing patches in non-core applications.

Plain language

This control is about regularly checking less critical applications, which aren't part of the typical office suite, for security gaps or vulnerabilities every two weeks. It's important because if these applications aren't updated, hackers could exploit weaknesses in them to access sensitive information or disrupt operations, even though they're not as commonly targeted as core applications.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

Patch applications

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2

Official control statement

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF software, and security products.

Why it matters

Without fortnightly scanning, unpatched non-core applications can harbour known vulnerabilities, enabling initial access, data theft, or disruption.

Operational notes

Run vulnerability scans at least fortnightly across all non-core applications; track findings, validate coverage, and prioritise patching by severity and exposure.

Implementation tips

  • The system administrator should run vulnerability scans on all non-core applications every two weeks. Use a trusted vulnerability scanning tool to automate this process.
  • The IT team should ensure the vulnerability scanner's database is kept up to date. Regularly check for database updates and apply them promptly to identify the latest threats.
  • The security officer should review scan results to identify missing patches or updates. Analyse the results and prioritise patches based on the severity of vulnerabilities found.
  • The IT team should document the scanning process and results. Maintain a record of scan dates, the applications scanned, and the actions taken in response to any vulnerabilities found.

Audit / evidence tips

  • Ask: How often are vulnerability scans conducted on non-core applications?
  • Good: Evidence shows scans are conducted every two weeks, and records indicate consistent coverage of non-core applications.
  • Ask: Is the vulnerability database updated regularly?
  • Good: Logs confirm the vulnerability database is updated at least within 24 hours before each scan.
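
One way to test scan records against the evidence points above, as an added example that is not part of the original page or of any scanner product. The record fields (scanned_at, db_updated_at, apps), the application inventory and the sample dates are constructed for illustration; the 14-day and 24-hour thresholds come from the control statement and the audit tip.

```python
from datetime import datetime, timedelta

MAX_SCAN_GAP = timedelta(days=14)  # "at least fortnightly"
MAX_DB_AGE = timedelta(hours=24)   # audit tip: database updated within 24 h before each scan

def audit_scans(records, inventory, as_of):
    """Return (scan_time, issue) findings for a review of scan evidence."""
    scans = sorted(records, key=lambda r: r["scanned_at"])
    if not scans:
        return [(None, "no scan records")]
    findings = []
    # Cadence: no two consecutive scans more than 14 days apart.
    for prev, cur in zip(scans, scans[1:]):
        gap = cur["scanned_at"] - prev["scanned_at"]
        if gap > MAX_SCAN_GAP:
            findings.append((cur["scanned_at"], f"gap of {gap.days} days since previous scan"))
    # Currency: the most recent scan must itself be within the window.
    if as_of - scans[-1]["scanned_at"] > MAX_SCAN_GAP:
        findings.append((scans[-1]["scanned_at"], "latest scan is more than 14 days old"))
    for s in scans:
        # Database freshness: updated before the scan, and no more than 24 h before it.
        age = s["scanned_at"] - s["db_updated_at"]
        if age < timedelta(0) or age > MAX_DB_AGE:
            findings.append((s["scanned_at"], "scanner database not updated within 24 h before scan"))
        # Coverage: every inventoried non-core application appears in the scan.
        missed = sorted(set(inventory) - set(s["apps"]))
        if missed:
            findings.append((s["scanned_at"], "not scanned: " + ", ".join(missed)))
    return findings

def ts(text):
    return datetime.fromisoformat(text)

# Constructed sample data (hypothetical field names and application inventory).
INVENTORY = ["7-Zip", "Notepad++", "PuTTY"]
RECORDS = [
    {"scanned_at": ts("2026-01-05T02:00"), "db_updated_at": ts("2026-01-04T20:00"),
     "apps": ["7-Zip", "Notepad++", "PuTTY"]},
    {"scanned_at": ts("2026-01-19T02:00"), "db_updated_at": ts("2026-01-16T20:00"),
     "apps": ["7-Zip", "Notepad++", "PuTTY"]},   # database 54 h old at scan time
    {"scanned_at": ts("2026-02-09T02:00"), "db_updated_at": ts("2026-02-08T22:00"),
     "apps": ["7-Zip", "PuTTY"]},                # 21-day gap, one application missed
]

if __name__ == "__main__":
    for when, issue in audit_scans(RECORDS, INVENTORY, ts("2026-02-16T00:00")):
        print(when, issue)
```

A gap of exactly 14 days passes; anything longer is reported against the later scan.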

Cross-framework mappings

How E8-PA-ML2.1 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ASD ISM

Partially overlaps (3)

  • ISM-1693: E8-PA-ML2.1 requires fortnightly vulnerability scanning to identify missing patches for non-core applications
  • ISM-1699: ISM-1699 requires weekly vulnerability scanning to identify missing patches/updates for a defined set of key end-user software (productiv...
  • ISM-1703: ISM-1703 requires a vulnerability scanner to be used at least fortnightly to identify missing driver patches or updates

Supports (2)

  • ISM-0298: E8-PA-ML2.1 requires fortnightly vulnerability scanning to identify missing patches for non-core applications
  • ISM-0304: ISM-0304 requires that unsupported applications are removed to avoid systems running software that will not receive vendor security fixes

Related (1)

  • ISM-1700: E8-PA-ML2.1 requires a vulnerability scanner be used at least fortnightly to identify missing patches or updates for vulnerabilities in n...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
