Automated Asset Discovery for Vulnerability Scanning
Automatically find devices every two weeks to check for security problems.
Plain language
Imagine if a burglar could sneak into your home because you didn’t know a window was open. This control is about making sure you regularly check to find all the devices on your network, so you can identify and fix security issues. If you don’t do this, you might miss vulnerable devices, risking data leaks or system downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
An automated method of asset discovery is used at least fortnightly to support the detection of assets for subsequent vulnerability scanning activities.
Why it matters
Without fortnightly automated asset discovery, assets can be missed from vulnerability scanning, leaving exploitable weaknesses and increasing breach risk.
Operational notes
Schedule automated asset discovery at least fortnightly; reconcile results with the asset register/CMDB and ensure newly found assets are queued for vulnerability scanning.
Implementation tips
- Business owners should ensure a service provider or IT professional sets up automated tools to scan the network for devices every two weeks. These tools look for all the devices connected to your network and report back with a list.
- IT teams should review logs from these scans to ensure all company devices are found. They do this by cross-referencing with a documented inventory of known devices, ensuring nothing is missing or unexpected.
- Managers should schedule regular meetings with their IT staff to go over scan reports. These meetings should focus on identifying any new devices and ensuring they are approved for use on the network.
- Procurement officers should work with IT teams to ensure any new hardware purchases are added to the network scanning list immediately. This helps in keeping an up-to-date inventory that aligns with the scanning reports.
- System administrators should set automated alerts for when new or unidentified devices appear on the network. These alerts can notify the team to take immediate action like validating the device or removing it if it’s unauthorised.
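As an added example (not part of this control page), the reconciliation step from the operational notes and the alerting step from the tips above, in Python: the discovery output and the asset register are constructed sample data, and keying both on MAC address is an assumption.

```python
from datetime import date, timedelta

# Constructed sample data (not from the page): one automated discovery run,
# keyed by MAC address, and the asset register / CMDB it is reconciled against.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10", "hostname": "fs01"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.1.11", "hostname": "ws-finance-03"},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.1.50", "hostname": ""},  # not in register
]
REGISTER = {
    "00:11:22:33:44:01": {"hostname": "fs01", "owner": "IT"},
    "00:11:22:33:44:02": {"hostname": "ws-finance-03", "owner": "Finance"},
    "00:11:22:33:44:03": {"hostname": "printer-l2", "owner": "Facilities"},  # not seen
}

def reconcile(discovered, register):
    """Compare a discovery run with the asset register.

    Returns the IPs to queue for vulnerability scanning (every asset seen,
    registered or not), discovered devices absent from the register (raise an
    alert: validate or remove), and registered assets the scan did not find
    (possibly offline or decommissioned; without follow-up they silently drop
    out of scanning coverage)."""
    seen = {d["mac"] for d in discovered}
    return {
        "scan_queue": sorted(d["ip"] for d in discovered),
        "unregistered": [d for d in discovered if d["mac"] not in register],
        "missing": sorted(register.keys() - seen),
    }

def cadence_ok(last_scan_iso, today_iso=None, max_gap_days=14):
    """True when the most recent discovery run meets the fortnightly requirement."""
    last_scan = date.fromisoformat(last_scan_iso)
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    return today - last_scan <= timedelta(days=max_gap_days)

if __name__ == "__main__":
    result = reconcile(DISCOVERED, REGISTER)
    print("queue for scanning:", result["scan_queue"])
    print("unregistered (alert):", [d["ip"] for d in result["unregistered"]])
    print("registered but not found:", result["missing"])
    print("fortnightly cadence met:", cadence_ok("2026-03-05", "2026-03-19"))
```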
Audit / evidence tips
- Ask for the list of network-connected devices: request the output from the latest network scan. A good result is when the device inventory from the scan matches your expected device list.
- Ask for the schedule of scanning activities: request the documentation that details the schedule of network scans. A good result is a timetable that shows scans occurring every two weeks as planned.
- Ask for meeting records with IT staff: request minutes or notes from meetings discussing the scan reports. A good record includes dates of meetings, participant names, and follow-up actions.
- Ask for recent alerts from the network monitoring system: request evidence of alerts triggered by new devices. A good scenario is when alerts are promptly acted upon, with records showing investigative steps.
- Ask for the procurement-to-IT update process: request the document or procedure showing how new devices are logged into the network system. Good practice is having a clear, documented process with checks and balances included.
Cross-framework mappings
How ISM-1807 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes |
|---|---|
| Supports (2) | |
| E8-PO-ML1.8 | E8-PO-ML1.8 mandates the replacement of unsupported operating systems |
| E8-PO-ML3.2 | E8-PO-ML3.2 requires organisations to scan at least fortnightly to find missing firmware patches and updates |
| Related (2) | |
| E8-PA-ML1.1 | E8-PA-ML1.1 requires an automated method of asset discovery to be run at least fortnightly to detect assets for subsequent vulnerability ... |
| E8-PO-ML1.1 | ISM-1807 requires automated asset discovery at least fortnightly to identify assets for later vulnerability scanning |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.