E8-PO-ML3.2 ASD Essential Eight

At least fortnightly use of a vulnerability scanner for firmware

Use a vulnerability scanner every two weeks to find missing firmware patches so they can be applied.

🏛️ Framework: ASD Essential Eight
🧭 Control effect: Detective
🛠️ E8 mitigation strategy: PO
🔐 Classifications: N/A
🗓️ Official last update: N/A
✏️ Control Stack last updated: 19 Mar 2026
🎯 E8 maturity levels: ML3

Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.

Source: ASD Essential Eight

Plain language

This control means that every two weeks, your organisation uses a special tool to check if your devices need important updates for their firmware. Firmware is like the inner software for your hardware, and if it's not updated, your devices could be left open to attacks. Without these checks, hackers could exploit weaknesses in your devices, putting your entire system at risk.

Why it matters

Neglecting fortnightly firmware scans can leave critical hardware vulnerabilities exposed to persistent threats, endangering system integrity.

Operational notes

Run a firmware vulnerability scanner at least fortnightly across all device types; keep signatures current and promptly patch or update any flagged firmware.

Implementation tips

  • The IT team should schedule regular scans every two weeks to identify missing firmware updates using the vulnerability scanner your organisation employs.
  • System administrators should ensure that the vulnerability scanner's database is up to date before running any scans to guarantee accurate and relevant results.
  • Security officers should oversee the installation of any missing firmware updates promptly by coordinating with the IT team once the scans are complete.
  • The IT manager should document each scanning session and the actions taken afterward to keep a clear record of ongoing security management efforts.

Audit / evidence tips

  • Ask: How often are vulnerability scans for firmware updates conducted?

  • Good: The organisation conducts vulnerability scans for firmware at least every two weeks, and logs confirm this regularity

  • Ask: Is the vulnerability scanner database regularly updated?

  • Good: The database is updated prior to each scanning session, as evidenced by documented update times
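
One way to test both evidence points above against exported scan records, as an added example that is not part of this page or of ASD guidance. The CSV layout (scan start, scanner database update, scope), the function names and the sample records are constructed assumptions, not any scanner's real export format.

```python
from datetime import datetime, timedelta

MAX_GAP = timedelta(days=14)  # "at least fortnightly"

# Constructed evidence records (hypothetical layout):
# scan_start, scanner_database_update, scope
SAMPLE_LOG = """\
2026-01-05T02:00:00,2026-01-05T01:30:00,firmware
2026-01-19T02:00:00,2026-01-19T01:30:00,firmware
2026-01-20T03:00:00,2026-01-20T02:30:00,operating-system
2026-02-09T02:00:00,2026-02-09T01:30:00,firmware
2026-02-23T02:00:00,2026-02-09T01:30:00,firmware
"""

def parse_records(text):
    """Return sorted (scan_start, db_update) pairs for firmware scans only."""
    records = []
    for line in text.strip().splitlines():
        scan, db_update, scope = (field.strip() for field in line.split(","))
        if scope == "firmware":
            records.append((datetime.fromisoformat(scan),
                            datetime.fromisoformat(db_update)))
    return sorted(records)

def audit(records, as_of):
    """Return (date, finding) pairs for cadence and database-currency gaps."""
    findings = []
    prev_scan = None
    for scan, db_update in records:
        day = scan.date().isoformat()
        if db_update > scan:
            findings.append((day, "database updated after scan started"))
        elif prev_scan and db_update <= prev_scan:
            findings.append((day, "database not updated since previous scan"))
        if prev_scan and scan - prev_scan > MAX_GAP:
            gap_days = (scan - prev_scan).days
            findings.append((day, f"gap of {gap_days} days since previous scan"))
        prev_scan = scan
    # The cadence must also hold up to the audit date, not just between scans.
    if prev_scan is None or as_of - prev_scan > MAX_GAP:
        findings.append((as_of.date().isoformat(),
                         "no firmware scan in the last 14 days"))
    return findings

if __name__ == "__main__":
    for day, finding in audit(parse_records(SAMPLE_LOG), datetime(2026, 3, 2)):
        print(day, finding)
```

Scans that start a few minutes later than the previous run would exceed the 14-day limit here, so schedule with a margin or compare on calendar dates if that matches how your evidence is assessed.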

Cross-framework mappings

How E8-PO-ML3.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 E8-PO-ML3.2 requires organisations to conduct at least fortnightly vulnerability scanning specifically to identify missing firmware patch...

ASD ISM

Control Notes Details
Partially overlaps (4)
ISM-1703 ISM-1703 requires using a vulnerability scanner at least fortnightly to identify missing patches or updates for vulnerabilities in drivers
ISM-1752 ISM-1752 requires organisations to use a vulnerability scanner at least fortnightly to identify missing operating system patches on IT eq...
ISM-1903 E8-PO-ML3.2 requires organisations to use a vulnerability scanner at least fortnightly to identify missing patches or updates for vulnera...
ISM-1904 E8-PO-ML3.2 requires organisations to scan firmware at least fortnightly to identify missing patches or updates
Supports (2)
ISM-0298 E8-PO-ML3.2 requires organisations to run fortnightly vulnerability scanning to find missing firmware patches and updates
ISM-1807 E8-PO-ML3.2 requires organisations to scan at least fortnightly to find missing firmware patches and updates
Depends on (1)
ISM-1808 E8-PO-ML3.2 requires fortnightly vulnerability scanning to identify missing firmware patches or updates
Related (1)
ISM-1900 E8-PO-ML3.2 requires a vulnerability scanner to be used at least fortnightly to identify missing patches or updates for vulnerabilities i...
