E8-PO-ML1.4 ASD Essential Eight

Use a vulnerability scanner fortnightly to find missing OS patches

Use a vulnerability scanner every two weeks to check for missing OS updates on internal systems.

Plain language

Using a vulnerability scanner every two weeks helps make sure your computers and servers are safe from known security weaknesses. Without regular checks, hackers might exploit these weaknesses to access your systems and data, leading to potential data loss or business disruption.

Framework

ASD Essential Eight

Control effect

Detective

E8 mitigation strategy

PO

Classifications

N/A

Official last update

N/A

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1

Official control statement

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.

Why it matters

Missing your fortnightly scan may leave critical OS vulnerabilities unnoticed, allowing attackers to exploit them and potentially disrupt business operations.

Operational notes

Run the vulnerability scanner at least fortnightly and review findings the same day to identify missing OS patches on workstations and non-internet-facing servers/devices.

Implementation tips

  • The IT team should schedule regular vulnerability scans every two weeks to find any missing security updates on computers and servers. Use reliable scanning software and set specific dates to ensure consistency.
  • System administrators should ensure the vulnerability scanner's database is updated before each scan to identify the latest threats. They can do this by connecting the scanner to the internet to download updates prior to running a scan.
  • Security officers should monitor the results of the scans and prioritise applying patches that fix the most important vulnerabilities. They can use a risk assessment guide to decide which patches need to be applied first.
  • The IT team should keep records of each scan's results and actions taken. This involves documenting when the scan was done, what was found, and what was fixed.
  • Managers should review scan reports regularly to understand the overall security position of the organisation and ensure the IT team follows through on addressing any vulnerabilities found.

Audit / evidence tips

  • Ask: How often are vulnerability scans performed on your systems?
  • Good: Logs and schedules show vulnerability scans are consistently performed every fortnight, with documented results.
  • Ask: How do you ensure the vulnerability database is current before a scan?
  • Good: There are records showing the database is updated within 24 hours before each scan.
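
The two "Good" evidence criteria above can be checked mechanically against exported scan history. The following is an added example, not part of the original page or of ASD guidance; the record format, field names and hostnames are hypothetical and the sample data is constructed. It also checks coverage per asset, since a scan job can run on schedule while silently dropping hosts.

```python
from datetime import datetime, timedelta

MAX_SCAN_GAP = timedelta(days=14)   # "at least fortnightly"
MAX_FEED_AGE = timedelta(hours=24)  # database updated within 24 hours before each scan

# Constructed sample evidence (hypothetical export format, not from a real scanner).
SCANS = [
    {"start": "2026-01-05T02:00", "feed_updated": "2026-01-04T20:00",
     "targets": ["ws-01", "srv-db1", "sw-core"]},
    {"start": "2026-01-19T02:00", "feed_updated": "2026-01-16T09:00",
     "targets": ["ws-01", "srv-db1"]},
    {"start": "2026-02-02T02:00", "feed_updated": "2026-02-01T23:30",
     "targets": ["ws-01", "srv-db1", "sw-core"]},
]
# Constructed inventory of in-scope internal assets.
INVENTORY = ["ws-01", "srv-db1", "sw-core", "ws-02"]


def audit_scan_evidence(scans, inventory, as_of):
    """Return (finding, scan_date, asset) tuples for evidence gaps as of `as_of` (ISO string)."""
    now = datetime.fromisoformat(as_of)
    parsed = sorted(
        ({**s, "start": datetime.fromisoformat(s["start"]),
          "feed_updated": datetime.fromisoformat(s["feed_updated"])} for s in scans),
        key=lambda s: s["start"])
    findings = []
    # Check 1: vulnerability database refreshed no more than 24 hours before the scan started.
    for s in parsed:
        age = s["start"] - s["feed_updated"]
        if age > MAX_FEED_AGE or age < timedelta(0):
            findings.append(("stale_feed", s["start"].date().isoformat(), None))
    # Check 2: every inventoried asset is scanned with no gap longer than 14 days.
    for asset in inventory:
        times = [s["start"] for s in parsed if asset in s["targets"]]
        if not times:
            findings.append(("never_scanned", None, asset))
            continue
        points = times + [now]  # include the gap from the last scan to the audit date
        for prev, nxt in zip(points, points[1:]):
            if nxt - prev > MAX_SCAN_GAP:
                findings.append(("scan_gap", prev.date().isoformat(), asset))
    return findings


if __name__ == "__main__":
    for finding in audit_scan_evidence(SCANS, INVENTORY, "2026-02-10T00:00"):
        print(finding)
```

A `scan_gap` finding is dated at the last scan before the gap, so the record shows when coverage of that asset lapsed.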

Cross-framework mappings

How E8-PO-ML1.4 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  • Annex A 8.8: E8-PO-ML1.4 requires fortnightly vulnerability scanning to identify missing OS patches on internal systems

ASD ISM

Partially meets (1)
  • ISM-1163: E8-PO-ML1.4 requires a vulnerability scanner to be used at least fortnightly to identify missing operating system patches on internal (no...

Partially overlaps (1)
  • ISM-1703: ISM-1703 requires a fortnightly vulnerability scan to identify missing patches or updates for driver vulnerabilities

Supports (1)
  • ISM-0298: E8-PO-ML1.4 requires fortnightly vulnerability scanning to identify missing OS patches on internal systems

Depends on (2)
  • ISM-1696: ISM-1696 requires organisations to apply critical operating system patches within 48 hours for workstations and non-internet-facing serve...
  • ISM-1808: E8-PO-ML1.4 requires fortnightly vulnerability scanning to identify missing OS patches on internal systems

Related (1)
  • ISM-1702: ISM-1702 requires a vulnerability scanner to be used at least fortnightly to identify missing patches/updates for operating systems on wo...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
