Weekly Vulnerability Scanning for Software Updates
Every week, a scanner checks for software updates to fix security issues in commonly used applications.
Plain language
Every week, a system checks our software to see if there are any updates we need to install. This process is important because missing updates can leave our computers open to attacks, potentially exposing private information and harming our operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
May 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products.
Why it matters
Without weekly vulnerability scanning, missing patches in browsers, email clients, PDF apps and security tools can be exploited, causing breaches and outages.
Operational notes
Run the scanner at least weekly across endpoints; review reports, prioritise missing patches for browsers, office suites and security products, and track remediation to closure.
Implementation tips
- IT team: Schedule a weekly task to run a vulnerability scanner across all office software. Use tools that automatically check for updates in common applications like the web browser and office software. Ensure the scanner is set to run on a specific day each week to maintain consistency.
- System administrator: Make a list of all the software used within the organisation that needs regular updates. Include software such as web browsers, email apps, and PDF readers. Use this list to configure the vulnerability scanner to check these specific applications.
- Office manager: Coordinate with the IT team to educate staff on the importance of keeping systems updated. Explain how regular updates protect sensitive information and keep the business running smoothly. Use simple examples to illustrate how a lack of updates could lead to data breaches.
- IT support: Review the scanner's reports weekly to identify any missing updates. Prioritise applying critical patches or updates that address high-risk vulnerabilities. Ensure that any detected vulnerabilities are promptly assessed and resolved.
- System owner: Monitor the overall process to make sure scans are completed and updates are applied. Set up a regular review process to ensure the scanning procedure is effective and adapts to any changes in software usage or threats.
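The tips above describe one procedure: scope the scanner to the named application classes, run it weekly, review the report, prioritise missing patches and track them to closure. The script below is an added example of the review step, not code from this page or from any scanner product. It takes a constructed list of findings in a hypothetical format, drops anything outside the ISM-1699 application scope, orders the rest by severity and age, flags findings that have breached an assumed remediation SLA, and checks that the scan log shows a genuine weekly cadence (the evidence an auditor asks for). Host names, application names, versions, categories and SLA days are all constructed.

```python
"""Triage a weekly vulnerability-scan export against the ISM-1699 scope.

Added example, not code from the page or from any scanner vendor. The finding
format, category labels, host names, versions and SLA days are constructed for
illustration; map your scanner's real export onto these fields.
"""
from datetime import date, timedelta

# Application classes named in the control statement (office suites, browsers
# and their extensions, email clients, PDF applications, security products).
IN_SCOPE_CATEGORIES = {
    "office productivity suite", "web browser", "browser extension",
    "email client", "pdf application", "security product",
}

# Hypothetical remediation SLAs in days per severity. The 2-day figure for
# critical mirrors the 48-hour expectation the page cites for E8-PA-ML3.1;
# the other values are assumed for the example.
SLA_DAYS = {"critical": 2, "high": 14, "medium": 30, "low": 30}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Reference date for the worked example (constructed; use date.today() in practice).
TODAY = date(2026, 3, 19)

# Constructed scan findings. "detected" is the date of the scan that first
# reported the missing patch. srv-01 is deliberately outside this control's scope.
SAMPLE_FINDINGS = [
    {"host": "ws-01", "app": "ExampleBrowser", "category": "web browser",
     "installed": "120.0", "fixed": "120.1", "severity": "critical", "detected": "2026-03-16"},
    {"host": "ws-02", "app": "ExamplePDF", "category": "pdf application",
     "installed": "9.3", "fixed": "9.4", "severity": "high", "detected": "2026-03-10"},
    {"host": "ws-03", "app": "ExampleMail", "category": "email client",
     "installed": "4.1", "fixed": "4.2", "severity": "medium", "detected": "2026-02-10"},
    {"host": "srv-01", "app": "ExampleDB", "category": "database server",
     "installed": "15.0", "fixed": "15.1", "severity": "high", "detected": "2026-03-01"},
    {"host": "ws-01", "app": "ExampleAV", "category": "security product",
     "installed": "7.0", "fixed": "7.2", "severity": "high", "detected": "2026-03-01"},
]


def days_open(finding, today=TODAY):
    """Age of a finding in days, counted from the scan that first detected it."""
    return (today - date.fromisoformat(finding["detected"])).days


def triage(findings, today=TODAY):
    """Keep only findings in the ISM-1699 application scope and order them for
    remediation: highest severity first, then oldest first. Each returned record
    carries its age and whether it has breached its SLA."""
    rows = []
    for f in findings:
        if f["category"] not in IN_SCOPE_CATEGORIES:
            continue  # tracked under other patching controls, not this one
        age = days_open(f, today)
        rows.append({**f, "days_open": age, "overdue": age > SLA_DAYS[f["severity"]]})
    rows.sort(key=lambda r: (SEVERITY_RANK[r["severity"]], -r["days_open"]))
    return rows


def overdue(findings, today=TODAY):
    """Findings that have exceeded their SLA and need escalation to closure."""
    return [r for r in triage(findings, today) if r["overdue"]]


def scan_cadence_ok(scan_dates, today=TODAY, max_gap_days=7):
    """Check the evidence trail: consecutive scans no more than max_gap_days
    apart and the most recent scan no older than max_gap_days. scan_dates are
    ISO date strings taken from the scanner's run log."""
    dates = sorted(date.fromisoformat(d) for d in scan_dates)
    if not dates or (today - dates[-1]).days > max_gap_days:
        return False
    gap = timedelta(days=max_gap_days)
    return all(b - a <= gap for a, b in zip(dates, dates[1:]))


if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS):
        flag = "OVERDUE" if r["overdue"] else "within SLA"
        print(f'{r["severity"]:<8} {r["host"]:<6} {r["app"]:<15} '
              f'{r["installed"]} -> {r["fixed"]}  {r["days_open"]}d  {flag}')
    weekly = ["2026-02-26", "2026-03-05", "2026-03-12", "2026-03-19"]
    print("weekly cadence met:", scan_cadence_ok(weekly))
```

Run it as-is to see the prioritised list; in a real deployment, replace `SAMPLE_FINDINGS` with the parsed scanner export and `TODAY` with `date.today()`, and feed the scanner's run timestamps to `scan_cadence_ok` so the same script produces both the remediation queue and the cadence evidence the audit tips ask for.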
Audit / evidence tips
- Ask: a log of weekly vulnerability scans conducted. Request documentation showing when and how often scans were carried out. Good: includes a complete record of weekly checks over the past three months.
- Ask: a list of software covered by the scanner. Request a documented list that includes all major applications used in the office. Good: features all office productivity and security software with dates of last updates.
- Ask: the update implementation report. Request reports or logs that indicate when identified updates were applied. Good: will show updates applied within a reasonable period after detection.
- Ask: meeting notes between the IT team and office manager. Request documentation from discussions about update processes and education of staff. Good: includes meeting minutes and educational material made for staff.
- Ask: a policy document on software updating. Request the organisation's written policy on keeping software up-to-date. Good: includes a policy that is current and thoroughly outlines responsibilities and processes.
Cross-framework mappings
How ISM-1699 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-PA-ML1.2 | E8-PA-ML1.2 requires use of a vulnerability scanner with an up-to-date vulnerability database for scanning activities |
| Partially meets | E8-PO-ML1.2 | E8-PO-ML1.2 requires that vulnerability scanning activities use a vulnerability scanner with an up-to-date vulnerability database |
| Partially overlaps | E8-PA-ML2.1 | ISM-1699 requires weekly vulnerability scanning to identify missing patches/updates for a defined set of key end-user software (productiv... |
| Supports | E8-PA-ML3.1 | E8-PA-ML3.1 requires organisations to deploy vendor mitigations within 48 hours for critical or exploited vulnerabilities in specified ap... |
| Related | E8-PA-ML1.4 | E8-PA-ML1.4 requires a vulnerability scanner be used at least weekly to identify missing patches or updates for office productivity suite... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.