ISM-1698, ASD Information Security Manual (ISM)

Daily Vulnerability Scanning for Missing Updates

Online services are checked daily for missing updates so that the vulnerabilities they leave open are identified.

Plain language

Every day, businesses should check their online services to make sure they have all the latest updates. These updates fix weaknesses that hackers could use to cause harm. If you skip these checks, your business might be left open to cyber attacks that could disrupt operations or steal sensitive information.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in online services.
ASD Information Security Manual (ISM), ISM-1698

Why it matters

Without daily vulnerability scans for missing updates, online services may remain unpatched and be quickly exploited, causing compromise, service disruption and data exposure.

Operational notes

Run vulnerability scans at least daily across all online services, review findings promptly, and prioritise remediation of missing patches/updates. Track exceptions and rescan after patching.

Implementation tips

  • Assign the IT team to use a reliable vulnerability scanner every day. Set up this scanner so it automatically checks for new updates or patches required for all online services. Make sure the team reviews the scanner reports each day to quickly spot and respond to any missing updates.
  • Have the system owner regularly check the scanner settings. Ensure that the scanner is configured to examine all existing online services and to notify the IT team of any missing updates. This helps to guarantee that no service is overlooked.
  • Encourage managers to have regular meetings with the IT team to discuss scanning patterns and results. During these meetings, verify the frequency and comprehensiveness of scans to ensure no crucial updates are missed.
  • Allocate responsibility to the system administrator for documenting the scanning process. They should write clear instructions outlining how the scanner operates and list the platforms it covers, making it easier for others to understand and manage the process.
  • Encourage managers to train staff regularly on recognising signs of potential vulnerabilities. This might involve workshops or simple online courses that remind everyone why updates are important and how to keep systems secure.

Audit / evidence tips

  • Ask: The daily vulnerability scan reports. Request the automated reports produced by the scanning tool over the past month. Good: Report would show daily entries with detected vulnerabilities and clear actions taken.
  • Ask: To see training records related to vulnerability management.
  • Ask: Minutes from meetings where scan results were discussed.

Cross-framework mappings

How ISM-1698 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1698 requires organisations to use a vulnerability scanner at least daily to identify missing patches or updates for vulnerabilities ...

E8

Control Notes Details
Partially meets (1)
Partially overlaps (1)
Supports (2)
Depends on (1)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
