Automated bi-weekly asset discovery for vulnerability scanning
Use an automated tool to find all system assets every two weeks for security checks.
Plain language
This control means using a tool to automatically find all the devices, computers, and other tech assets your organisation has every two weeks. It matters because it ensures that anything with a security vulnerability can be identified and fixed before harmful attacks happen. Without this control, unknown devices could have vulnerabilities that attackers might exploit to steal information or disrupt operations.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Why it matters
Without fortnightly asset discovery, unmanaged devices can remain unseen and unscanned, leaving exploitable unpatched vulnerabilities on the network.
Operational notes
Schedule automated discovery at least fortnightly; reconcile results to the asset register and ensure newly found devices are added to vulnerability scanning targets.
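One way to carry out the reconciliation and cadence check described in the operational notes, as an added example (not part of the control text or of any vendor tool). The function names, the use of IP addresses as asset identifiers, and the sample data are assumptions constructed for illustration.

```python
from datetime import date, timedelta
from ipaddress import ip_address

MAX_GAP = timedelta(days=14)  # "at least fortnightly"

def cadence_gaps(run_dates, today):
    """Return (start, end) pairs where consecutive discovery runs, or the
    last run and today, are more than 14 days apart."""
    points = sorted(run_dates) + [today]
    return [(a, b) for a, b in zip(points, points[1:]) if b - a > MAX_GAP]

def reconcile(discovered, register, scan_targets):
    """Compare one discovery run with the asset register and scanner scope.
    Each argument is an iterable of asset identifiers (IP strings here)."""
    discovered, register = set(discovered), set(register)
    scan_targets = set(scan_targets)
    by_ip = lambda items: sorted(items, key=ip_address)
    return {
        # Seen on the network but absent from the register: investigate.
        "unknown": by_ip(discovered - register),
        # Seen on the network but not in scanner scope: add to targets.
        "unscanned": by_ip(discovered - scan_targets),
        # Registered but not seen this run: offline, retired or stale entry.
        "not_seen": by_ip(register - discovered),
    }

# Constructed sample data (not from any real environment).
DISCOVERED = ["10.0.0.5", "10.0.0.12", "10.0.0.40", "10.0.0.77"]
REGISTER = ["10.0.0.5", "10.0.0.12", "10.0.0.40", "10.0.0.90"]
SCAN_TARGETS = ["10.0.0.5", "10.0.0.12"]
RUN_DATES = [date(2026, 1, 5), date(2026, 1, 19),
             date(2026, 2, 9), date(2026, 2, 23)]
TODAY = date(2026, 3, 2)

if __name__ == "__main__":
    for name, assets in reconcile(DISCOVERED, REGISTER, SCAN_TARGETS).items():
        print(f"{name}: {assets}")
    for start, end in cadence_gaps(RUN_DATES, TODAY):
        print(f"cadence breach: {(end - start).days} days between {start} and {end}")
```

The `unknown` list feeds the investigation process, `unscanned` feeds the scanner's target list, and any cadence breach is evidence that the fortnightly requirement was missed for that period.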
Implementation tips
- The IT team should choose an automated asset discovery tool that is suited to the organisation's infrastructure by evaluating tools that can scan networks and list all connected devices.
- A system administrator should configure the chosen tool to perform scans every two weeks by setting up a regular schedule within the tool's settings.
- The IT manager should ensure the tool is running correctly and review its reports by checking completed scan logs and verifying that all expected systems are identified.
- The security officer should establish a process for reviewing and investigating any unknown assets found by the scan by including this task in the regular IT security meetings.
Audit / evidence tips
- Ask: Can you show me how you discover new assets connected to your network?
- Good: The tool should show scans taking place every two weeks, with up-to-date records of all assets identified.
- Ask: What happens if an unknown asset is found?
- Good: A documented process outlines steps to investigate unknown assets, and logs show recent investigations have occurred.
Cross-framework mappings
How E8-PO-ML1.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| ISM-1163 | E8-PO-ML1.1 requires automated fortnightly asset discovery to ensure assets are identified for vulnerability scanning | |
| Supports (6) | | |
| ISM-0336 | E8-PO-ML1.1 requires automated fortnightly asset discovery to ensure vulnerability scanning can find all relevant assets | |
| ISM-1493 | E8-PO-ML1.1 focuses on discovering assets automatically at least fortnightly to enable effective vulnerability scanning coverage | |
| ISM-1643 | E8-PO-ML1.1 requires fortnightly automated asset discovery to ensure assets are found for later vulnerability scanning | |
| ISM-1697 | ISM-1697 requires applying non-critical driver patches within one month when no working exploits exist | |
| ISM-1703 | ISM-1703 requires a vulnerability scanner be used at least fortnightly to identify missing driver patches or updates | |
| ISM-1966 | ISM-1966 requires the CISO to maintain and regularly verify a register of organisational systems | |
| Depends on (2) | | |
| ISM-1696 | ISM-1696 requires critical OS patches to be applied within 48 hours for workstations and non-internet-facing servers and network devices ... | |
| ISM-1700 | ISM-1700 requires fortnightly vulnerability scanning to identify missing patches/updates for non-core applications | |
| Related (1) | | |
| ISM-1807 | E8-PO-ML1.1 requires an automated method of asset discovery to be run at least fortnightly so assets can be identified for subsequent vul... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.