Vulnerability Scanning with Updated Tools
Ensure vulnerability scanners are updated regularly to identify system weaknesses.
Plain language
You need to use a vulnerability scanner that is kept up to date to find weaknesses in your systems. If you don’t keep the scanner updated, you might miss security holes that hackers could exploit, leading to data breaches or other serious issues.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1, ML2, ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
Why it matters
If vulnerability scanners or their databases are outdated, scans miss known CVEs, leaving exposed weaknesses that attackers can exploit.
Operational notes
Update the scanner engine and vulnerability database at least weekly (or sooner if available) and verify updates before scheduled scans run.
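One way to enforce the "verify updates before scheduled scans run" step is a pre-scan gate. The sketch below is an added example, not part of the ISM or of any scanner product. It assumes a hypothetical update-log format (`<UTC timestamp> <component> <status>`) and uses a 7-day limit to match the weekly cadence above. It keys on the last *successful* update, so a recent but failed update run does not pass the check.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical format; adapt the parser to your scanner.
SAMPLE_LOG = """\
2026-03-01T02:00:05Z vuln-db OK
2026-03-08T02:00:07Z vuln-db OK
2026-03-15T02:00:04Z vuln-db FAILED
2026-03-15T02:00:09Z engine OK
2026-03-22T02:00:06Z vuln-db FAILED
"""

def successful_updates(log_text, component="vuln-db"):
    """Return sorted UTC datetimes of successful updates for one component."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guessing
        stamp, name, status = parts
        if name != component or status != "OK":
            continue  # failed runs and other components do not count
        try:
            parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # unparseable timestamp: treat as no evidence
        times.append(parsed.replace(tzinfo=timezone.utc))
    return sorted(times)

def scan_allowed(log_text, now, max_age=timedelta(days=7)):
    """Pre-scan gate returning (allowed, reason). Fails closed with no evidence."""
    updates = successful_updates(log_text)
    if not updates:
        return False, "no successful vuln-db update recorded"
    age = now - updates[-1]
    if age > max_age:
        return False, f"vuln-db last updated {age.days} days ago"
    return True, f"vuln-db updated {age.days} days ago"

if __name__ == "__main__":
    # The updater ran on 22 Mar but failed; the last good database is from 8 Mar.
    now = datetime(2026, 3, 23, 1, 0, tzinfo=timezone.utc)
    allowed, reason = scan_allowed(SAMPLE_LOG, now)
    print("RUN SCAN" if allowed else "BLOCK SCAN", "-", reason)
```

Run it from the scheduler ahead of the scan job and retain its output with the scan report as evidence that the database was current at scan time.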
Implementation tips
- System owners should ensure that a reliable vulnerability scanner is selected for scanning activities. They can do this by researching products that are known for frequent updates and compatibility with their systems.
- The IT team should schedule regular updates for the vulnerability scanner. Set a specific calendar reminder to check and apply updates, ideally monthly, or whenever new updates are released by the vendor.
- Managers should coordinate with their IT teams to ensure that vulnerability scans are consistently performed. They can do this by setting up a recurring task in project management software and checking in weekly.
- Procurement officers should acquire licenses for the vulnerability scanning tool. They can ensure compliance by purchasing from approved vendors who provide regular updates and support.
- The IT team should prepare a report of identified vulnerabilities following each scan. This can be done by exporting and summarising scan results, then prioritising issues based on risk.
Audit / evidence tips
- Ask: the vulnerability scanner’s update logs
  Good: shows regular updates, at least monthly
- Good: report clearly lists recent scans with detailed findings and dates
- Ask: to see a schedule of when vulnerability scans are conducted
  Good: shows a consistent and frequent scanning routine, like monthly scans
- Good: will show a deliberate choice based on current needs and update availability
- Ask: meeting notes discussing the results of scans with relevant action items
  Good: includes dated notes showing decisions and follow-up actions
Cross-framework mappings
How ISM-1808 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.8 | ISM-1808 requires a specific technical measure: using a vulnerability scanner with an up-to-date vulnerability database for scanning acti... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (2) | | |
| Depends on (4) | | |
| Related (2) | | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.