ISM-1703 ASD Information Security Manual (ISM)

Regular Vulnerability Scanning for Missing Patches

A scanner checks every two weeks to find missing security patches for drivers.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Detective

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

ML3

Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in drivers.

Source: ASD Information Security Manual (ISM)

Plain language

At least every two weeks, someone needs to scan computers and other devices to see whether any important driver updates or patches are missing. If these checks aren't done, devices might be left with security holes that cybercriminals could exploit to access sensitive information.

Why it matters

Without fortnightly vulnerability scans, missing driver patches can go undetected, increasing exposure to known exploits and potential compromise.

Operational notes

Run vulnerability scans at least every fortnight, review findings quickly, and track missing driver patches to remediation based on risk and exposure.

Implementation tips

  • The IT team should schedule regular vulnerability scans to identify missing patches. They can use a dedicated software tool to automatically scan devices every two weeks, ensuring missing updates are immediately flagged.
  • The office manager or IT administrator should maintain a list of all devices in the company. This list helps ensure the scanning tool covers every piece of equipment that could have outdated patches.
  • The system owner should review the scan reports to understand which patches are missing. They should prioritise updates based on the severity of the vulnerabilities found, focusing first on those marked as critical.
  • The IT team should document a process for applying patches promptly. This process might involve setting specific days for applying updates or allowing automatic installation of patches outside of working hours to minimise disruption.
  • The office manager should communicate the importance of patching security holes to all staff. They can send out a short, friendly email explaining why these updates are important, assuring everyone that this is about keeping the whole business safe.

Audit / evidence tips

  • Ask: the latest vulnerability scan report

    Good: shows a regularly updated report with clear actions taken for each identified vulnerability

  • Ask: to see the schedule for vulnerability scans

    Good: includes a documented schedule that aligns with fortnightly scanning

  • Ask: the device inventory list. Check that the list is up-to-date and complete

    Good: has all devices listed, including their current patch status, and is checked regularly

  • Ask: documents outlining the patch management process

    Good: describes a clear process that ensures patches are applied consistently

  • Ask: communication records to staff about patching. Review these to see if they explain security risks and the importance of updates

    Good: includes emails or memos sent to staff that explain why keeping systems updated is crucial

Cross-framework mappings

How ISM-1703 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1703 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing patches or upda...

E8

Control Notes Details
Partially overlaps (6)
Supports (2)
Depends on (1)
Related (1)