ISM-1702 ASD Information Security Manual (ISM)

Regularly Scan for Missing Security Patches

Regular checks detect missing updates on devices so that security gaps can be fixed.

Plain language

Think of your computer systems like a car that needs regular servicing. If you don't check for and fix missing updates, security holes might let in online attackers, much like leaving your car doors unlocked in a busy parking lot. Regular scanning can prevent these potential threats from becoming real problems.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2023

Control Stack last updated

19 May 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of workstations, non-internet-facing servers and non-internet-facing network devices.

Why it matters

Unpatched internal workstations, servers and network devices can be exploited, causing data compromise, lateral movement and service outages.

Operational notes

Run vulnerability scans at least fortnightly across internal workstations, servers and network devices; prioritise missing OS patches and track remediation to closure.

Implementation tips

  • The IT team should set up a schedule for regular checks: Use a calendar reminder or software to perform scans every fortnight. This way, they'll identify any missing updates or patches in the system before issues arise.
  • Office managers should maintain a checklist of systems: Keep an inventory of all devices that need to be scanned, such as computers and servers. This helps ensure nothing is missed during regular security checks.
  • The IT team should review scan results promptly: After each scan, go through the results to find out which patches are missing. If any critical patches are found missing, plan to install these updates as soon as possible.
  • Business leaders should ensure proper resources are allocated: Make sure the IT team has the staff, tools, and time to conduct these scans effectively. Having the right support ensures the job gets done consistently and well.

Audit / evidence tips

  • Ask: The scanning schedule: Request documentation that shows the regular scanning timetable. Good: Would be a consistently updated and followed schedule.
  • Ask: The list of checked systems: Ensure there is a comprehensive inventory of workstations, servers, and network devices included in the scans. Good: Has all current devices listed with no serious omissions.
  • Ask: Recent scan reports: Obtain the last two or three vulnerability scan reports for review. Good: Shows prompt acknowledgment and rectification of any vulnerabilities.
  • Ask: Evidence of update installations: Request records or logs that show updates have been applied after being identified. Good: Includes dates and details correlating to the scan findings.
  • Ask: About the tools used for scanning: Find out which software or methods are used to carry out the scans. Good: Names recognised tools with proof of their current effectiveness.

Cross-framework mappings

How ISM-1702 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1702 requires a specific operational practice: running a vulnerability scanner at least fortnightly to identify missing operating sys...

E8

Control Notes Details
Partially overlaps (1)
Supports (3)
Depends on (1)
Related (1)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
