Regular System Vulnerability Scanning and Testing
Systems need regular checks for vulnerabilities, with tests before major updates and annually.
- 🏛️ Framework: ASD Information Security Manual (ISM)
- 🧭 Control effect: Proactive
- 🔐 Classifications: NC, OS, P, S, TS
- 🗓️ ISM last updated: Aug 2023
- ✏️ Control Stack last updated: 22 Feb 2026
- 🎯 E8 maturity levels: N/A
Systems have a continuous monitoring plan that includes:
- conducting vulnerability scans for systems at least fortnightly
- conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
- analysing identified vulnerabilities to determine their potential impact
- implementing mitigations based on risk, effectiveness and cost.
Source: ASD Information Security Manual (ISM)
Plain language
This control focuses on making sure your computer systems are regularly checked for weaknesses. It's like going to the doctor for a regular check-up; if you neglect this, you might leave yourself open to cyber attacks or data breaches, which can cause severe damage to your business's reputation and finances.
Why it matters
Without fortnightly scans and pre-deployment/annual testing, exploitable vulnerabilities may persist unnoticed, enabling compromise, data loss and unplanned outages.
Operational notes
Run automated vulnerability scans at least fortnightly; perform assessments/pen tests before deployment and major changes and annually. Triage findings and remediate by risk.
Implementation tips
- The IT team should schedule regular system scans for vulnerabilities. Use a reliable scanning tool every two weeks to identify potential problems and address them promptly.
- Business managers should coordinate with the IT team to arrange a thorough vulnerability assessment before launching new systems. This includes any major changes or updates to current systems to ensure they are secure before going live.
- System owners should review the results of the scans and assessments with the IT team to understand potential risks. Determine what impact these vulnerabilities might have on the business's operations and data.
- The IT team should work with system owners to prioritise fixes for vulnerabilities based on their severity and the cost-effectiveness of the solutions. Create a clear action plan with deadlines for implementation.
- Business leaders should allocate budget and resources to support the continuous monitoring of systems. Ensure there's a routine annual review to re-evaluate the security measures and make necessary updates.
Audit / evidence tips
- Ask: for the schedule of regular vulnerability scans, and ensure that scans are conducted at least fortnightly. Good: records showing fortnightly scans without significant gaps.
- Good: assessment records showing assessments conducted shortly before each large system change.
- Ask: to see the vulnerability impact analysis reports; these should describe what each identified issue could potentially affect. Good: comprehensive analysis with clear impact descriptions.
- Good: a mitigation plan that is a living document, showing ongoing implementation updates and clear prioritisation according to risk.
- Ask: for records of the annual vulnerability assessments, and check these include comprehensive reviews of the system’s security status. Good: records showing annual assessments, conducted thoroughly, with actionable outcomes and follow-up plans.
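The operational notes and audit tips above come down to two checks an assessor or system owner actually performs: are the scan records free of gaps longer than a fortnight (including a gap between the last scan and today), and are the findings ordered and scheduled by risk? The script below is an added example of both checks and is not code from the ISM or from Control Stack; the scan log, the findings, the exposure weighting and the remediation windows are all constructed for illustration, and the weighting and windows are assumed organisational policy values rather than anything the control prescribes.

```python
"""Cadence and triage checks over constructed scan records (added example, not ISM text)."""
from datetime import date, timedelta

FORTNIGHT = timedelta(days=14)

# Constructed sample scan log: one entry per completed vulnerability scan.
# Systems, dates and findings in this file are invented for illustration.
SCAN_RECORDS = [
    {"system": "payroll", "date": "2025-01-06"},
    {"system": "payroll", "date": "2025-01-20"},
    {"system": "payroll", "date": "2025-02-03"},
    {"system": "payroll", "date": "2025-03-10"},   # 35 days after the previous scan
    {"system": "intranet", "date": "2025-01-10"},
    {"system": "intranet", "date": "2025-01-24"},  # no scans after this one
    {"system": "intranet", "date": "2025-01-24"},  # duplicate log entry, must not count twice
]

# Constructed findings from the most recent scans. fix_effort_days is the
# estimated cost of the mitigation, which the control says should inform priority.
FINDINGS = [
    {"id": "F-1", "system": "payroll", "cvss": 9.8, "internet_facing": False, "fix_effort_days": 1.0},
    {"id": "F-2", "system": "intranet", "cvss": 7.5, "internet_facing": True, "fix_effort_days": 0.5},
    {"id": "F-3", "system": "payroll", "cvss": 4.3, "internet_facing": False, "fix_effort_days": 5.0},
]

# Assumed remediation windows per risk band (descending thresholds; last band catches all).
# These are illustrative policy values, not figures from the ISM.
REMEDIATION_DAYS = [(9.0, 2), (7.0, 14), (4.0, 30), (0.0, 90)]


def _as_date(value):
    """Accept either a date or an ISO-8601 string so callers can pass log values directly."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def cadence_gaps(records, as_of, max_interval=FORTNIGHT):
    """Find every interval between consecutive scans of a system that exceeds max_interval.

    The interval from the most recent scan to `as_of` is checked too, so a system
    whose scans simply stopped is reported instead of silently passing.
    Returns {system: [(start_iso, end_iso, days), ...]} for systems with gaps only.
    """
    as_of = _as_date(as_of)
    by_system = {}
    for rec in records:
        # A set de-duplicates repeated log entries for the same scan date.
        by_system.setdefault(rec["system"], set()).add(date.fromisoformat(rec["date"]))
    gaps = {}
    for system, scan_dates in by_system.items():
        points = sorted(scan_dates) + [as_of]
        found = [
            (earlier.isoformat(), later.isoformat(), (later - earlier).days)
            for earlier, later in zip(points, points[1:])
            if later - earlier > max_interval
        ]
        if found:
            gaps[system] = found
    return gaps


def risk_score(finding):
    """Assumed scoring: CVSS base score, doubled when the system is reachable from the internet."""
    return finding["cvss"] * (2.0 if finding["internet_facing"] else 1.0)


def remediation_deadline(finding, found_on):
    """Deadline from the assumed bands above, counted from the date the finding was identified."""
    score = risk_score(finding)
    days = next(d for threshold, d in REMEDIATION_DAYS if score >= threshold)
    return (_as_date(found_on) + timedelta(days=days)).isoformat()


def prioritise(findings, found_on):
    """Order findings highest risk first; among equal risk, the cheaper fix goes first.

    Each returned item carries its score and deadline, so the list doubles as the
    action plan with dates that the implementation tips call for.
    """
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f["fix_effort_days"]))
    return [{**f, "risk": risk_score(f), "due": remediation_deadline(f, found_on)} for f in ranked]


if __name__ == "__main__":
    today = "2025-03-14"  # constructed "as of" date for the report
    for system, gaps in cadence_gaps(SCAN_RECORDS, today).items():
        for start, end, days in gaps:
            print(f"{system}: {days}-day gap between {start} and {end} (limit {FORTNIGHT.days} days)")
    for item in prioritise(FINDINGS, today):
        print(f"{item['id']} on {item['system']}: risk={item['risk']:.1f}, due by {item['due']}")
```

Run as-is, the cadence check reports the 35-day gap on the payroll system and flags the intranet system for having no scan in the 49 days up to the report date; the triage step puts the internet-facing finding first even though its CVSS score is lower than the internal critical, which is the kind of risk-based ordering the control asks for rather than a plain sort on severity. In practice the two constructed lists would be replaced by exports from the scanning tool and the vulnerability tracker, and the exposure weighting and remediation windows by the organisation's own documented policy.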
Cross-framework mappings
How ISM-1163 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | Annex A 8.8 | ISM-1163 requires continuous monitoring including regular vulnerability assessments |
E8
| Relationship | Number of E8 controls |
|---|---|
| Partially meets | 3 |
| Partially overlaps | 3 |
| Supports | 2 |