Regular System Vulnerability Scanning and Testing
Systems need regular checks for vulnerabilities, with tests before major updates and annually.
Plain language
This control focuses on making sure your computer systems are regularly checked for weaknesses. It's like going to the doctor for a regular check-up; if you neglect this, you might leave yourself open to cyber attacks or data breaches, which can cause severe damage to your business's reputation and finances.
Framework
ASD Information Security Manual (ISM)
Control effect
Proactive
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Systems have a continuous monitoring plan that includes:
- conducting vulnerability scans for systems at least fortnightly
- conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
- analysing identified vulnerabilities to determine their potential impact
- implementing mitigations based on risk, effectiveness and cost.
Why it matters
Without fortnightly scans and pre-deployment/annual testing, exploitable vulnerabilities may persist unnoticed, enabling compromise, data loss and unplanned outages.
Operational notes
Run automated vulnerability scans at least fortnightly; perform assessments/pen tests before deployment and major changes and annually. Triage findings and remediate by risk.
Implementation tips
- The IT team should schedule regular system scans for vulnerabilities. Use a reliable scanning tool every two weeks to identify potential problems and address them promptly.
- Business managers should coordinate with the IT team to arrange a thorough vulnerability assessment before launching new systems. This includes any major changes or updates to current systems to ensure they are secure before going live.
- System owners should review the results of the scans and assessments with the IT team to understand potential risks. Determine what impact these vulnerabilities might have on the business's operations and data.
- The IT team should work with system owners to prioritise fixes for vulnerabilities based on their severity and the cost-effectiveness of the solutions. Create a clear action plan with deadlines for implementation.
- Business leaders should allocate budget and resources to support the continuous monitoring of systems. Ensure there's a routine annual review to re-evaluate the security measures and make necessary updates.
Audit / evidence tips
- Ask: the schedule of regular vulnerability scans. Ensure that scans are conducted at least fortnightly. Good: includes records showing fortnightly scans without significant gaps.
- Good: would show assessments conducted shortly before each large system change.
- Ask: to see the vulnerability impact analysis reports. These should describe what each identified issue could potentially affect. Good: includes comprehensive analysis with clear impact descriptions.
- Good: is a living document showing ongoing implementation updates and clear prioritisation according to risk.
- Ask: records of the annual vulnerability assessments. Check these include comprehensive reviews of the system's security status. Good: records would show annual assessments, conducted thoroughly, with actionable outcomes and follow-up plans.
Cross-framework mappings
How ISM-1163 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.8 | ISM-1163 requires continuous monitoring including regular vulnerability assessments |
| Supports | Annex A 5.7 | Annex A 5.7 requires organisations to collect and analyse threat information to produce threat intelligence that informs security decisions |
E8
| Relationship | Number of mapped controls |
|---|---|
| Partially meets | 5 |
| Partially overlaps | 4 |
| Supports | 5 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.