ISM-1808 ASD Information Security Manual (ISM)

Vulnerability Scanning with Updated Tools

Ensure vulnerability scanners are updated regularly to identify system weaknesses.

Plain language

You need to use a vulnerability scanner that is kept up to date to find weaknesses in your systems. If you don’t keep the scanner updated, you might miss security holes that hackers could exploit, leading to data breaches or other serious issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2022

Control Stack last updated

18 May 2026

E8 maturity levels

ML1, ML2, ML3

Official control statement

A vulnerability scanner with an up-to-date vulnerability database is used for vulnerability scanning activities.
ASD Information Security Manual (ISM) ISM-1808

Why it matters

If vulnerability scanners or their databases are outdated, scans miss known CVEs, leaving exposed weaknesses that attackers can exploit.

Operational notes

Update the scanner engine and vulnerability database at least weekly (or sooner if available) and verify updates before scheduled scans run.

Implementation tips

  • System owners should ensure that a reliable vulnerability scanner is selected for scanning activities. They can do this by researching products that are known for frequent updates and compatibility with their systems.
  • The IT team should schedule regular updates for the vulnerability scanner. Set a specific calendar reminder to check and apply updates, ideally monthly, or whenever new updates are released by the vendor.
  • Managers should coordinate with their IT teams to ensure that vulnerability scans are consistently performed. They can do this by setting up a recurring task in project management software and checking in weekly.
  • Procurement officers should acquire licences for the vulnerability scanning tool. They can ensure compliance by purchasing from approved vendors who provide regular updates and support.
  • The IT team should prepare a report of identified vulnerabilities following each scan. This can be done by exporting and summarising scan results, then prioritising issues based on risk.

Audit / evidence tips

  • Ask: The vulnerability scanner’s update logs. Good: Shows regular updates, at least monthly.
  • Good: Report clearly lists recent scans with detailed findings and dates.
  • Ask: To see a schedule of when vulnerability scans are conducted. Good: Shows a consistent and frequent scanning routine, like monthly scans.
  • Good: Will show a deliberate choice based on current needs and update availability.
  • Ask: Meeting notes discussing the results of scans with relevant action items. Good: Includes dated notes showing decisions and follow-up actions.

Cross-framework mappings

How ISM-1808 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Partially meets (1)
Annex A 8.8 ISM-1808 requires a specific technical measure: using a vulnerability scanner with an up-to-date vulnerability database for scanning acti...

E8

Control Notes Details
Supports (2)
Depends on (4)
Related (2)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
