Use a daily vulnerability scanner for internet-facing systems
Use a tool every day to find and fix missing updates on servers and network devices facing the internet.
Plain language
This control means using a tool every day to check your internet-facing systems, like websites and email servers, for any updates that are missing. This matters because if you don't keep these systems updated, hackers can find weaknesses and exploit them, putting your organisation at risk.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
PO
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
Why it matters
Ignoring daily scans on internet-facing systems can leave exploitable vulnerabilities unpatched, giving attackers an easy entry point soon after new flaws or updates are disclosed.
Operational notes
Schedule daily scans for all internet-facing servers and network devices, validate scan completion, and triage findings quickly to prioritise patching of critical OS vulnerabilities.
Implementation tips
- IT team: Schedule a daily routine to run a vulnerability scanner on all internet-facing systems. Use tools like Nessus or Qualys to perform the scans effortlessly.
- System administrator: Ensure the vulnerability scanner software is always up-to-date. Set it to automatically download the latest vulnerability database updates.
- Security officer: Review the daily scan reports and identify which systems have missing patches. Then, prioritise these systems based on the severity of vulnerabilities found.
- IT team lead: Assign responsibility among team members to monitor scan results daily and initiate the patching process for critical vulnerabilities immediately.
Audit / evidence tips
- AskHow often are vulnerability scans conducted on internet-facing systems?
- GoodThe logs should show that scans are being conducted at least once daily
- AskIs the vulnerability database used for scans kept up-to-date?
- GoodThe database should be updated within 24 hours prior to the scan being performed
Cross-framework mappings
How E8-PO-ML1.3 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.8 | E8-PO-ML1.3 requires a specific practice: daily vulnerability scanning to identify missing OS patches/updates on internet-facing servers ... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| ISM-1163 | E8-PO-ML1.3 requires daily vulnerability scanning of internet-facing servers and network devices to identify missing OS patches or updates | |
| sync_alt Partially overlaps (5) expand_less | ||
| ISM-1698 | E8-PO-ML1.3 requires daily vulnerability scanning to identify missing operating system patches or updates on internet-facing servers and ... | |
| ISM-1702 | ISM-1702 requires fortnightly vulnerability scanning to identify missing operating system patches on non-internet-facing workstations, se... | |
| ISM-1703 | E8-PO-ML1.3 requires daily vulnerability scanning aimed at identifying missing patches/updates for OS vulnerabilities on internet-facing ... | |
| ISM-1752 | E8-PO-ML1.3 requires daily vulnerability scanning to find missing operating system patches/updates on internet-facing servers and network... | |
| ISM-1900 | E8-PO-ML1.3 requires daily vulnerability scanning to identify missing operating system patches/updates on internet-facing servers and net... | |
| handshake Supports (2) expand_less | ||
| ISM-0298 | E8-PO-ML1.3 requires daily scanning of internet-facing servers and network devices to identify missing OS patches or updates | |
| ISM-1694 | ISM-1694 requires non-critical operating system patches on internet-facing servers and network devices to be applied within two weeks und... | |
| extension Depends on (2) expand_less | ||
| ISM-1808 | E8-PO-ML1.3 requires running a vulnerability scanner at least daily for internet-facing systems to identify missing OS patches/updates | |
| ISM-1877 | ISM-1877 requires organisations to apply critical patches to internet-facing operating systems within 48 hours when vendor-critical or ex... | |
| link Related (1) expand_less | ||
| ISM-1701 | E8-PO-ML1.3 requires a vulnerability scanner to be used at least daily to identify missing patches or updates in operating systems of int... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.