Regular Vulnerability Scanning for Missing Patches
A scanner checks every two weeks to find missing security patches for drivers.
Plain language
Every two weeks, it’s crucial for someone to run a check on computers and other devices to see if any important updates or patches are missing. If these checks aren’t done, devices might have security holes that cybercriminals could exploit to access sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.
Why it matters
Without fortnightly vulnerability scans, missing driver patches can go undetected, increasing exposure to known exploits and potential compromise.
Operational notes
Run vulnerability scans at least every fortnight, review findings quickly, and track missing driver patches to remediation based on risk and exposure.
Implementation tips
- The IT team should schedule regular vulnerability scans to identify missing patches. They can use a dedicated software tool to automatically scan devices every two weeks, ensuring updates are immediately flagged.
- The office manager or IT administrator should maintain a list of all devices in the company. This list helps ensure the scanning tool covers every piece of equipment that could have outdated patches.
- The system owner should review the scan reports to understand which patches are missing. They should prioritise updates based on the severity of the vulnerabilities found, focusing first on those marked as critical.
- The IT team should document a process for applying patches promptly. This process might involve setting specific days for applying updates or allowing automatic installation of patches outside of working hours to minimise disruption.
- The office manager should communicate the importance of patching security holes to all staff. They can send out a short, friendly email explaining why these updates are important, assuring everyone that this is about keeping the whole business safe.
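A small way to automate the first three tips (fortnightly coverage of the device inventory and severity-ordered review of missing driver patches), added here as an example rather than code from the page or any scanner product. The inventory, scan dates and findings are constructed, and the 14-day threshold and severity ordering are assumptions.

```python
from datetime import date, timedelta

FORTNIGHT = timedelta(days=14)          # "at least fortnightly" (assumed threshold)
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed ordering
AS_OF = date(2026, 3, 19)               # date the report is produced (constructed)

# Constructed sample data: the device inventory and the latest scan result per device.
INVENTORY = ["ws-001", "ws-002", "srv-db-01", "srv-file-01"]
SCAN_RESULTS = {
    "ws-001": {"scanned": date(2026, 3, 10), "missing_driver_patches": [
        {"driver": "gpu-driver", "severity": "critical"},
        {"driver": "audio-driver", "severity": "low"}]},
    "ws-002": {"scanned": date(2026, 2, 20), "missing_driver_patches": []},
    "srv-db-01": {"scanned": date(2026, 3, 15), "missing_driver_patches": [
        {"driver": "nic-driver", "severity": "high"}]},
    # srv-file-01 is in the inventory but has never been scanned
}


def check_scan_coverage(inventory, results, today):
    """Return inventory devices with no scan in the last fortnight (stale or never scanned)."""
    stale = []
    for device in inventory:
        entry = results.get(device)
        if entry is None or today - entry["scanned"] > FORTNIGHT:
            stale.append(device)
    return stale


def prioritised_driver_patches(results):
    """Flatten missing driver patches across all devices, most severe first."""
    findings = [(device, f["driver"], f["severity"])
                for device, entry in results.items()
                for f in entry["missing_driver_patches"]]
    return sorted(findings, key=lambda f: (SEVERITY_RANK.get(f[2], 99), f[0], f[1]))


if __name__ == "__main__":
    for device in check_scan_coverage(INVENTORY, SCAN_RESULTS, AS_OF):
        print(f"COVERAGE GAP: {device} has no scan within 14 days of {AS_OF}")
    for device, driver, severity in prioritised_driver_patches(SCAN_RESULTS):
        print(f"{severity.upper():8} {device}: missing patch for {driver}")
```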
Audit / evidence tips
- Ask: the latest vulnerability scan report. Good: shows a regularly updated report with clear actions taken for each identified vulnerability.
- Ask: to see the schedule for vulnerability scans. Good: includes a documented schedule that aligns with fortnightly scanning.
- Ask: the device inventory list. Check that the list is up-to-date and complete. Good: has all devices listed, including their current patch status, and is checked regularly.
- Ask: documents outlining the patch management process. Good: describes a clear process that ensures patches are applied consistently.
- Ask: communication records to staff about patching. Review these to see if they explain security risks and the importance of updates. Good: includes emails or memos sent to staff that explain why keeping systems updated is crucial.
Cross-framework mappings
How ISM-1703 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1703 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing patches or upda... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Partially overlaps (6) | | |
| Supports (2) | | |
| Related (1) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.