Regularly Scan for Missing Security Patches
Regular checks detect missing updates on devices to fix security gaps.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Detective
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Nov 2023
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: ML1, ML2, ML3
Guideline: Guidelines for system management
Section: System patching
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.
Source: ASD Information Security Manual (ISM)
Plain language
Think of your computer systems like a car that needs regular servicing. If you don't check for and fix missing updates, security holes might let in online attackers, much like leaving your car doors unlocked in a busy parking lot. Regular scanning can prevent these potential threats from becoming real problems.
Why it matters
Unpatched internal workstations, servers and network devices can be exploited, causing data compromise, lateral movement and service outages.
Operational notes
Run vulnerability scans at least fortnightly across internal workstations, servers and network devices; prioritise missing OS patches and track remediation to closure.
Implementation tips
- The IT team should set up a schedule for regular checks: Use a calendar reminder or software to perform scans every fortnight. This way, they'll identify any missing updates or patches in the system before issues arise.
  Good: scanner will systematically check for updates in various parts of the system
- Office managers should maintain a checklist of systems: Keep an inventory of all devices that need to be scanned, such as computers and servers. This helps ensure nothing is missed during regular security checks.
- The IT team should review scan results promptly: After each scan, go through the results to find out which patches are missing. If any critical patches are found missing, plan to install these updates as soon as possible.
- Business leaders should ensure proper resources are allocated: Make sure the IT team has the staff, tools, and time to conduct these scans effectively. Having the right support ensures the job gets done consistently and well.
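The operational notes and implementation tips above describe three things an IT team has to keep straight: that every inventoried device was scanned within the last fortnight, which findings are still open, and whether earlier findings were actually remediated. The following Python script is an added example (not part of this control page or the Control Stack project) that demonstrates those checks over a constructed inventory and a constructed set of scan records; the hostnames, patch identifiers and dates are placeholders, and the record layout is an assumed normalised form of whatever a real scanner exports.

```python
from datetime import date, timedelta

SCAN_INTERVAL_DAYS = 14  # ISM-1702: scan at least fortnightly
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
AS_OF = date(2026, 2, 22)  # constructed "today" for the example

# Constructed asset inventory (hypothetical hostnames): the checklist of
# devices that must appear in every fortnightly scan.
INVENTORY = {
    "ws-001": "workstation",
    "ws-002": "workstation",
    "srv-db-01": "non-internet-facing server",
    "sw-core-01": "non-internet-facing network device",
}

# Constructed scan records: one entry per asset per scan run, listing the
# patches the scanner reported as missing. Patch ids are placeholders.
SCAN_RECORDS = [
    {"asset": "ws-001", "scan_date": "2026-01-26", "missing": [("PATCH-A", "critical")]},
    {"asset": "ws-001", "scan_date": "2026-02-09", "missing": []},
    {"asset": "ws-002", "scan_date": "2026-01-26",
     "missing": [("PATCH-A", "critical"), ("PATCH-B", "medium")]},
    {"asset": "ws-002", "scan_date": "2026-02-09", "missing": [("PATCH-B", "medium")]},
    {"asset": "srv-db-01", "scan_date": "2026-01-20", "missing": [("PATCH-C", "high")]},
    # sw-core-01 has never been scanned: an inventory gap the cadence check must surface
]


def _d(s):
    return date.fromisoformat(s)


def latest_scan_dates(records):
    """Most recent scan date seen for each asset."""
    latest = {}
    for r in records:
        d = _d(r["scan_date"])
        if r["asset"] not in latest or d > latest[r["asset"]]:
            latest[r["asset"]] = d
    return latest


def assets_overdue_for_scan(records, inventory, as_of, interval_days=SCAN_INTERVAL_DAYS):
    """Inventory assets with no scan at all, or whose last scan is older than the interval."""
    latest = latest_scan_dates(records)
    cutoff = as_of - timedelta(days=interval_days)
    return sorted(a for a in inventory if a not in latest or latest[a] < cutoff)


def remediation_status(records):
    """Track each (asset, patch) finding from first sighting to closure.

    A finding is closed when the asset's most recent scan no longer lists it,
    which is the evidence an auditor wants: the scan itself confirms the fix."""
    latest = latest_scan_dates(records)
    status = {}
    for r in sorted(records, key=lambda r: _d(r["scan_date"])):
        d = _d(r["scan_date"])
        for patch, sev in r["missing"]:
            entry = status.setdefault((r["asset"], patch),
                                      {"severity": sev, "first_seen": d, "last_seen": d})
            entry["last_seen"] = d
    for (asset, _), entry in status.items():
        entry["closed"] = entry["last_seen"] < latest[asset]
    return status


def open_findings(records, as_of):
    """Still-open findings ordered by severity, then by days outstanding (longest first)."""
    rows = []
    for (asset, patch), e in remediation_status(records).items():
        if not e["closed"]:
            rows.append((asset, patch, e["severity"], (as_of - e["first_seen"]).days))
    return sorted(rows, key=lambda x: (SEVERITY_RANK[x[2]], -x[3]))


if __name__ == "__main__":
    print("Overdue for scan:", assets_overdue_for_scan(SCAN_RECORDS, INVENTORY, AS_OF))
    for row in open_findings(SCAN_RECORDS, AS_OF):
        print("Open finding: %s %s (%s) outstanding %d days" % row)
```

On the constructed data the cadence check reports srv-db-01 (last scanned more than 14 days ago) and sw-core-01 (never scanned), and the remediation view shows PATCH-A closed on both workstations while PATCH-B and PATCH-C remain open. Driving the check from the inventory rather than from the scanner's own asset list is the design point: a device the scanner has never seen cannot appear in its reports, so only the inventory can reveal that gap.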
Audit / evidence tips
- Ask for the scanning schedule: request documentation that shows the regular scanning timetable.
  Good: a consistently updated and followed schedule
- Ask for the list of checked systems: ensure there is a comprehensive inventory of workstations, servers, and network devices included in the scans.
  Good: all current devices listed with no serious omissions
- Ask for recent scan reports: obtain the last two or three vulnerability scan reports for review.
  Good: prompt acknowledgment and rectification of any vulnerabilities
- Ask for evidence of update installations: request records or logs that show updates have been applied after being identified.
  Good: dates and details that correlate to the scan findings
- Ask about the tools used for scanning: find out which software or methods are used to carry out the scans.
  Good: recognised tools named, with proof of their current effectiveness
Cross-framework mappings
How ISM-1702 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1702 requires a specific operational practice: running a vulnerability scanner at least fortnightly to identify missing operating sys... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| E8-PO-ML1.3 | ISM-1702 requires fortnightly vulnerability scanning to identify missing operating system patches on non-internet-facing workstations, se... | |
| Supports (2) | | |
| E8-PO-ML3.3 | ISM-1702 requires organisations to run a vulnerability scanner fortnightly to identify missing operating system patches on non-internet-f... | |
| E8-PO-ML3.4 | ISM-1702 requires fortnightly scanning to identify missing operating system patches on workstations, non-internet-facing servers, and non... | |
| Depends on (1) | | |
| E8-PO-ML1.2 | ISM-1702 requires organisations to use a vulnerability scanner at least fortnightly to identify missing operating system patches on speci... | |
| Related (1) | | |
| E8-PO-ML1.4 | ISM-1702 requires a vulnerability scanner to be used at least fortnightly to identify missing patches/updates for operating systems on wo... | |