Daily Vulnerability Scanning for Internet-Facing Systems
Use a daily scanner to find missing security updates on internet-facing systems to keep them secure.
Plain language
This control is about scanning the systems that are connected to the internet every day to check for any missing security updates. It’s crucial because hackers often look for weaknesses in your systems, and without these updates, those weaknesses can be easily exploited. This could lead to data breaches or allow malware to disrupt your business operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner is used at least daily to identify missing patches or updates for vulnerabilities in operating systems of internet-facing servers and internet-facing network devices.
Why it matters
Ignoring daily scans on internet-facing systems can leave severe vulnerabilities open for attackers, risking data theft or operational disruption.
Operational notes
Run vulnerability scans at least daily on all internet-facing servers and network devices; review findings and prioritise patching or mitigation of critical OS issues.
Implementation tips
- The IT team should schedule a daily scan for internet-facing systems. They can use a vulnerability scanning tool that runs automatically each day, checking every connected server and network device for missing updates.
- The system owner should review the scan reports daily. This involves looking at the list of identified vulnerabilities and working with IT to prioritise which updates or patches need to be applied urgently.
- The IT manager should ensure the scanning tool is properly configured and updated. This means setting the tool to cover all relevant systems and network devices and checking that it's up to date with the latest threat definitions.
- The IT team should document any actions taken after each scan. Record which vulnerabilities were found and the steps taken to address them, ensuring transparency and accountability.
- The office manager should have a brief weekly check-in with the IT team to understand any persistent issues. This involves discussing any patterns of recurring vulnerabilities and what is being done to mitigate them.
Audit / evidence tips
- Ask: for the daily scan logs or reports. Request records of the scans performed on internet-facing systems.
  Good: includes logs showing daily activity with consistent timestamps.
- Ask: to see the update or patching records. Request documentation showing which updates were applied following scan discoveries.
  Good: would be recent records matching the vulnerabilities identified in the scan reports.
- Ask: for evidence of the scanning tool's version and configuration. Request documentation or a demonstration showing the tool's configuration.
  Good: is a recent configuration file or screenshot showing current system coverage.
- Ask: about the follow-up process for vulnerabilities. Request documentation or an explanation of the process after scanning.
  Good: is a clear process document with assigned responsibilities and timelines.
- Ask: to review meeting notes from check-ins with management. Request notes or summaries from any meetings where scan results are discussed.
  Good: includes notes with detailed action points and outcomes.
Cross-framework mappings
How ISM-1701 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | ISM-1701 requires a specific operational practice: daily vulnerability scanning to find missing OS patches on internet-facing servers and... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | E8-PA-ML1.2 | E8-PA-ML1.2 requires vulnerability scanning activities to be performed with a scanner that has an up-to-date vulnerability database |
| Partially overlaps | E8-PA-ML1.3 | E8-PA-ML1.3 requires daily vulnerability scanning to identify missing patches or updates for vulnerabilities in online services |
| Supports | E8-PO-ML1.2 | E8-PO-ML1.2 requires use of a vulnerability scanner with an up-to-date vulnerability database for scanning activities |
| Supports | E8-PO-ML1.5 | ISM-1701 requires daily vulnerability scanning of internet-facing servers and network devices to identify missing OS patches or updates |
| Related | E8-PO-ML1.3 | ISM-1701 requires a vulnerability scanner be used at least daily to identify missing operating system patches or updates on internet-faci... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.