Fortnightly Vulnerability Scanning for Non-Workstations
Check non-workstation devices every two weeks for missing security updates.
Plain language
This control is about ensuring your non-workstation devices, such as special-purpose equipment or devices in key roles, are checked every two weeks for missing security updates. It matters because gaps in security patching make these devices an easy target for cyber attacks, which can lead to data breaches or operational disruption.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices.
Why it matters
Without fortnightly scanning of non-workstation IT equipment OSs, missing patches may persist and be exploited, causing compromise or service disruption.
Operational notes
Schedule vulnerability scans at least every 14 days for non-workstation IT equipment operating systems (excluding servers/network devices); track missing patches and verify remediation.
Implementation tips
- IT team should schedule recurring bi-weekly tasks to run vulnerability scans. Use scheduling tools or calendar alerts to ensure this occurs every two weeks without fail. Automate scans where possible to maximise efficiency.
- System administrator should choose and configure a reliable vulnerability scanning tool. Choose software that is easy to use and configure it to look for missing updates specifically on non-workstations like backup servers or IoT devices.
- IT manager should maintain a log of all devices that need regular scanning. Create a checklist or spreadsheet listing all relevant non-workstation devices to ensure nothing is overlooked during the scans.
- Technical support staff should review scan reports and document findings. After each scan, go through the output to identify missing patches and log details like device, missing update, and date of discovery.
- Business owner or office manager should review the scanning reports and actions taken. Use regular meetings to discuss findings with the IT team to understand any risks and verify they are being addressed in a timely manner.
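The operational notes and implementation tips above describe one procedure: keep an inventory of in-scope equipment, scan it at least every 14 days, and track missing patches until they are remediated. The script below is an added example (not code from the Control Stack page or from ASD) of the kind of check an IT team can run over its own scan history to produce the evidence an auditor asks for: equipment that has never been scanned, scan intervals that exceeded 14 days, and patches still missing in the latest scan. The asset classes, device names, patch identifiers and dates are constructed sample data, and the `ScanRecord` shape is an assumption; a real deployment would populate it from the scanner's export.

```python
"""Fortnightly scan-cadence and remediation check for non-workstation IT equipment.

Restricts an asset inventory to equipment in scope for ISM-1752 (IT equipment
other than workstations, servers and network devices), walks each asset's
scan history and reports:
  * assets with no scan on record,
  * scan intervals longer than 14 days (including the gap since the last scan),
  * patches still reported missing in the latest scan of each asset.
All inventory and scan data below is constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_INTERVAL = timedelta(days=14)          # "at least fortnightly"
OUT_OF_SCOPE = {"workstation", "server", "network"}  # covered by other controls


@dataclass
class Asset:
    asset_id: str
    asset_class: str  # e.g. "workstation", "server", "network", "printer", "iot"


@dataclass
class ScanRecord:
    """One scanner run against one asset (assumed shape, not a real tool's export)."""
    asset_id: str
    scanned_on: date
    missing_patches: list[str] = field(default_factory=list)


def in_scope(asset: Asset) -> bool:
    """ISM-1752 covers IT equipment that is not a workstation, server or network device."""
    return asset.asset_class.lower() not in OUT_OF_SCOPE


def check_cadence(assets: list[Asset], scans: list[ScanRecord], today: date) -> dict:
    """Return a report of never-scanned assets, cadence breaches and open patches."""
    history: dict[str, list[ScanRecord]] = defaultdict(list)
    for rec in scans:
        history[rec.asset_id].append(rec)

    report: dict = {"never_scanned": [], "cadence_breaches": {}, "open_patches": {}}
    for asset in assets:
        if not in_scope(asset):
            continue
        recs = sorted(history.get(asset.asset_id, []), key=lambda r: r.scanned_on)
        if not recs:
            report["never_scanned"].append(asset.asset_id)
            continue

        # Any gap between consecutive scans (or from the last scan to today)
        # longer than 14 days is a breach of the fortnightly requirement.
        breaches: list[tuple[str, str | None]] = []
        prev = recs[0].scanned_on
        for rec in recs[1:]:
            if rec.scanned_on - prev > MAX_INTERVAL:
                breaches.append((prev.isoformat(), rec.scanned_on.isoformat()))
            prev = rec.scanned_on
        if today - prev > MAX_INTERVAL:
            breaches.append((prev.isoformat(), None))  # overdue right now
        if breaches:
            report["cadence_breaches"][asset.asset_id] = breaches

        # Remediation tracking: whatever the latest scan still lists is open.
        latest = recs[-1]
        if latest.missing_patches:
            report["open_patches"][asset.asset_id] = sorted(latest.missing_patches)
    return report


# ---- constructed sample data -------------------------------------------------
SAMPLE_ASSETS = [
    Asset("ws-01", "workstation"),        # out of scope
    Asset("srv-01", "server"),            # out of scope
    Asset("mfp-01", "printer"),
    Asset("cam-01", "iot"),
    Asset("badge-01", "access-controller"),
]
TODAY = date(2026, 3, 19)
SAMPLE_SCANS = [
    ScanRecord("mfp-01", date(2026, 2, 5), ["FW-2026.01"]),
    ScanRecord("mfp-01", date(2026, 2, 19)),            # patched, exactly 14 days later
    ScanRecord("mfp-01", date(2026, 3, 5)),
    ScanRecord("mfp-01", date(2026, 3, 18)),
    ScanRecord("cam-01", date(2026, 1, 20), ["CAM-OS-7.2"]),
    ScanRecord("cam-01", date(2026, 2, 25), ["CAM-OS-7.2"]),  # 36-day gap, still missing
    ScanRecord("cam-01", date(2026, 3, 10), ["CAM-OS-7.2", "CAM-OS-7.3"]),
    ScanRecord("srv-01", date(2026, 3, 18), ["KB-0001"]),     # ignored: server
]


def run_sample() -> dict:
    return check_cadence(SAMPLE_ASSETS, SAMPLE_SCANS, TODAY)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Run it after each scan cycle; the three lists map directly onto the audit evidence items below (schedule adherence, reports at fortnightly intervals, and vulnerabilities addressed). Out-of-scope classes are excluded rather than silently scanned so that coverage records stay aligned with the control statement.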
Audit / evidence tips
- Ask for the vulnerability scanning schedule: request to see the calendar or task list detailing planned scan dates. Good evidence: a recurring, bi-weekly task set up and clearly visible in the schedule.
- Ask for recent scanning reports: request the last few scan reports generated by the vulnerability tool. Good evidence: reports showing recent dates, scanned at least every two weeks, with the listed vulnerabilities addressed.
- Ask for documentation of the scanning tool and coverage: request records showing which scanning tools are used and which devices are covered. Good evidence: detailed records listing both the tool specifics and the covered devices.
- Ask for the vulnerability management procedure document: request the procedure guide or policy document that describes the vulnerability scan process. Good evidence: a documented, clear procedure with a bi-weekly scan mandate.
- Ask for incident response updates: request to see any recent meetings or notes about responses to vulnerabilities found. Good evidence: notes or meeting minutes showing timely actions and resolutions on reported vulnerabilities.
Cross-framework mappings
How ISM-1752 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1752 requires organisations to perform a specific, measurable activity: fortnightly vulnerability scanning to identify missing operat... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| E8-PO-ML1.3 | E8-PO-ML1.3 requires daily vulnerability scanning to find missing operating system patches/updates on internet-facing servers and network... | |
| E8-PO-ML3.2 | ISM-1752 requires organisations to use a vulnerability scanner at least fortnightly to identify missing operating system patches on IT eq... | |
| Supports (2) | | |
| E8-PA-ML1.1 | E8-PA-ML1.1 requires automated asset discovery at least fortnightly to support detection of assets for later vulnerability scanning | |
| E8-PO-ML1.2 | E8-PO-ML1.2 requires that vulnerability scanning uses a scanner with an up-to-date vulnerability database | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.