At least fortnightly use of a vulnerability scanner for firmware
Use a vulnerability scanner at least every two weeks to find missing firmware patches or updates, then apply them.
Plain language
This control means that at least every two weeks your organisation uses a vulnerability scanner to check whether any of its devices are missing firmware updates. Firmware is the low-level software built into hardware itself (for example the BIOS/UEFI of a computer, the management controller in a server, or the code running a network switch). It sits underneath the operating system, so normal operating-system updates do not fix it, and a flaw in it can give an attacker a foothold that survives a reinstall. Without regular checks, missing firmware updates go unnoticed and attackers can exploit those weaknesses, putting the whole system at risk.
Framework
ASD Essential Eight
Control effect
Detective
E8 mitigation strategy
PO (Patch operating systems)
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
Why it matters
Firmware vulnerabilities sit below the operating system, persist across operating-system reinstalls and are usually outside the reach of ordinary OS patch management, so they stay invisible unless something scans for them explicitly. Skipping the fortnightly firmware scan leaves those hardware-level weaknesses exposed for long periods and undermines the integrity of every system built on top of them.
Operational notes
Run a vulnerability scanner that covers firmware at least fortnightly across all device types in scope (servers, workstations, network devices and any other hardware with updatable firmware, including devices a host-based agent cannot see, such as out-of-band management controllers); update the scanner's vulnerability database before each run; patch or update any flagged firmware promptly; and retain the scan reports and database update times as evidence of the cadence.
Implementation tips
- The IT team should schedule the organisation's vulnerability scanner to run at least every two weeks against every in-scope device, with the firmware checks enabled, and confirm that the scan actually reached all of them (an asset that is switched off or unreachable during the scan has not been checked).
- System administrators should ensure the scanner's vulnerability database is updated before each scan so the results reflect current vendor advisories; a scan run against a stale database will miss newly published firmware vulnerabilities.
- Security officers should track each flagged firmware update to closure, coordinating with the IT team so that missing updates are applied promptly after the scan and re-checked on the next run.
- The IT manager should document each scan (date, scope, database update time, findings and the actions taken) so that the fortnightly cadence and the follow-up can be demonstrated later.
Audit / evidence tips
- Ask: How often are vulnerability scans for firmware updates conducted?
- Good: The organisation conducts vulnerability scans for firmware at least every two weeks, and logs confirm this regularity.
- Ask: Is the vulnerability scanner database regularly updated?
- Good: The database is updated prior to each scanning session, as evidenced by documented update times.
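The implementation tips and audit questions above amount to three checks over the scanner's run history: no two consecutive scans more than 14 days apart, the vulnerability database refreshed before each run, and flagged firmware actually closed out on a later scan. The script below, an added example that is not part of the Control Stack page or of any scanner product, performs those checks over a constructed export. It assumes the scanner's history has been mapped into the simple record shape shown (start time, database update time, and the assets still missing firmware updates); real scanners export different fields, so that mapping is the one site-specific step. The one-day database-age limit is an assumed local policy, not part of the control.

```python
"""Audit evidence checks for fortnightly firmware vulnerability scanning.

Added example, not from the Control Stack page or any scanner vendor. It
assumes scan history has been exported into the record shape below.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real scanner output): one record per scan run.
SAMPLE_SCANS = [
    {"started": "2026-01-05T02:00:00", "db_updated": "2026-01-04T23:10:00",
     "missing_firmware": {"switch-01": "switch firmware 2.3.1"}},
    {"started": "2026-01-19T02:00:00", "db_updated": "2026-01-18T22:40:00",
     "missing_firmware": {"switch-01": "switch firmware 2.3.1",
                          "bmc-db-02": "BMC firmware 5.10"}},
    # Third run is 21 days after the second and reused the 18 Jan database.
    {"started": "2026-02-09T02:00:00", "db_updated": "2026-01-18T22:40:00",
     "missing_firmware": {"bmc-db-02": "BMC firmware 5.10"}},
]

FORTNIGHT = timedelta(days=14)   # the control's requirement: at least fortnightly
MAX_DB_AGE = timedelta(days=1)   # assumed local policy: database refreshed within a day


def _ts(value):
    return datetime.fromisoformat(value)


def sorted_scans(scans):
    return sorted(scans, key=lambda s: _ts(s["started"]))


def cadence_breaches(scans, max_gap=FORTNIGHT):
    """Consecutive scan pairs more than max_gap apart: (prev_date, next_date, gap_days)."""
    runs = sorted_scans(scans)
    breaches = []
    for prev, cur in zip(runs, runs[1:]):
        gap = _ts(cur["started"]) - _ts(prev["started"])
        if gap > max_gap:
            breaches.append((prev["started"][:10], cur["started"][:10], gap.days))
    return breaches


def stale_database_runs(scans, max_age=MAX_DB_AGE):
    """Scans whose database was older than max_age at scan start (or updated
    after the scan started, meaning the scan ran on an earlier database)."""
    stale = []
    for s in scans:
        age = _ts(s["started"]) - _ts(s["db_updated"])
        if age > max_age or age < timedelta(0):
            stale.append((s["started"][:10], age.days))
    return stale


def open_firmware_findings(scans):
    """Assets still flagged in the latest scan, with the first scan of the
    unbroken run in which they were flagged and how many days that spans."""
    runs = sorted_scans(scans)
    if not runs:
        return {}
    latest = runs[-1]
    open_findings = {}
    for asset, update in latest["missing_firmware"].items():
        first_seen = latest
        # Walk backwards while the asset was flagged in each preceding scan.
        for earlier in reversed(runs[:-1]):
            if asset in earlier["missing_firmware"]:
                first_seen = earlier
            else:
                break
        days_open = (_ts(latest["started"]) - _ts(first_seen["started"])).days
        open_findings[asset] = {"update": update,
                                "first_seen": first_seen["started"][:10],
                                "days_open": days_open}
    return open_findings


def evidence_summary(scans):
    """The three things an assessor asks for: cadence kept, database fresh, findings closed."""
    return {
        "scan_count": len(scans),
        "cadence_breaches": cadence_breaches(scans),
        "stale_database_runs": stale_database_runs(scans),
        "open_firmware_findings": open_firmware_findings(scans),
    }


if __name__ == "__main__":
    for key, value in evidence_summary(SAMPLE_SCANS).items():
        print(f"{key}: {value}")
```

On the sample data the script reports the 21-day gap between the second and third runs, the third run's stale database, and that `bmc-db-02` has been flagged since 19 January; `switch-01` disappears from the third run and so is treated as closed. A gap of exactly 14 days is not a breach, which matches "at least fortnightly"; tighten `FORTNIGHT` if local policy is stricter.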
Cross-framework mappings
How E8-PO-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | E8-PO-ML3.2 requires organisations to conduct at least fortnightly vulnerability scanning specifically to identify missing firmware patch... |
ASD ISM
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | ISM-1703 | ISM-1703 requires using a vulnerability scanner at least fortnightly to identify missing patches or updates for vulnerabilities in drivers |
| Partially overlaps | ISM-1752 | ISM-1752 requires organisations to use a vulnerability scanner at least fortnightly to identify missing operating system patches on IT eq... |
| Partially overlaps | ISM-1903 | E8-PO-ML3.2 requires organisations to use a vulnerability scanner at least fortnightly to identify missing patches or updates for vulnera... |
| Partially overlaps | ISM-1904 | E8-PO-ML3.2 requires organisations to scan firmware at least fortnightly to identify missing patches or updates |
| Supports | ISM-0298 | E8-PO-ML3.2 requires organisations to run fortnightly vulnerability scanning to find missing firmware patches and updates |
| Supports | ISM-1807 | E8-PO-ML3.2 requires organisations to scan at least fortnightly to find missing firmware patches and updates |
| Depends on | ISM-1808 | E8-PO-ML3.2 requires fortnightly vulnerability scanning to identify missing firmware patches or updates |
| Related | ISM-1900 | E8-PO-ML3.2 requires a vulnerability scanner to be used at least fortnightly to identify missing patches or updates for vulnerabilities i... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.