ISM-1700 policy ASD Information Security Manual (ISM)

Regular Vulnerability Scanning for Applications

A scanner is used every two weeks to find missing updates in most applications.


Plain language

This control means using a tool every two weeks to check if your software is missing any updates, except for office apps and browsers. It's important because outdated software can have security gaps, making it easier for hackers to break in and cause damage to your business or steal information.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

ML2, ML3

Official control statement

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in applications other than office productivity suites, web browsers and their extensions, email clients, PDF applications, and security products.

Why it matters

Without at least fortnightly vulnerability scans for non-standard applications, missing patches can go unnoticed, enabling exploitation and potential data breaches.


Operational notes

Schedule automated scans at least every two weeks for non-standard applications, and triage results quickly to patch missing updates and close known vulnerabilities.


Implementation tips

  • The IT team should schedule and perform a vulnerability scan every two weeks. They can do this by using a recognised scanning tool to automatically check for any missing updates in the software applications. Make sure the tool is set up properly to exclude office apps and browsers as per the control instructions.
  • System owners should review the scan results with the IT team. After each scan, sit down and go over the list of missing updates together. Prioritise which updates need immediate attention based on the risk they pose to your business.
  • Managers should ensure the IT budget includes funds for a reliable vulnerability scanning tool. Coordinate with procurement to research and obtain a tool that suits your organisation's needs and complies with the requirements of scanning every two weeks.
  • IT staff should be trained to operate the vulnerability scanning tool effectively. Arrange for training sessions or workshops to ensure everyone knows how to use the tool correctly and interpret the scan results.
  • The IT team should document the scanning process and outcomes. After each session, record what was scanned, what vulnerabilities were found, and what actions were taken. This documentation will help in audits and tracking progress over time.

Audit / evidence tips

  • Ask: the vulnerability scan schedule. Verify that there is a consistent, documented schedule for fortnightly scans. Good evidence: a regular, uninterrupted schedule of scans logged at least every two weeks.
  • Ask: scan result reports. Request recent reports generated by the vulnerability scanning tool. Good evidence: a detailed, easy-to-understand report outlining findings and prioritisation of risks.
  • Ask: the remediation action plan. Request documents showing how identified vulnerabilities have been addressed. Good evidence: timely corrections for high-risk vulnerabilities.
  • Ask: training records. Inquire about evidence showing IT staff have been trained to use the scanning tool. Good evidence: current training completion records for all IT personnel operating the tool.
  • Ask: IT budget documentation. Check whether the scanning tool and process have been budgeted for. Good evidence: consistent funding allocated to maintain vulnerability scanning capabilities.

Cross-framework mappings

How ISM-1700 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

E8

Partially meets (1)
  • E8-PA-ML1.2 requires that vulnerability scanning uses a scanner with an up-to-date vulnerability database
Partially overlaps (1)
  • E8-PA-ML1.4 requires organisations to use a vulnerability scanner at least weekly to identify missing patches or updates in key end-user ...
Supports (1)
  • E8-PA-ML2.2 requires organisations to apply vendor patches/mitigations for vulnerabilities in non-critical applications within one month
Depends on (1)
  • E8-PO-ML1.1: ISM-1700 requires fortnightly vulnerability scanning to identify missing patches/updates for non-core applications
Related (1)
  • E8-PA-ML2.1 requires a vulnerability scanner be used at least fortnightly to identify missing patches or updates for vulnerabilities in n...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
