Fortnightly System Vulnerability Scanning
Scan systems with a vulnerability scanner at least every two weeks to find and fix firmware that is missing patches or updates.
Plain language
This control means that at least every two weeks your business should run a vulnerability scanner across its computer systems to find devices whose firmware (the low-level software built into hardware such as servers, network equipment, storage and other devices) is missing patches or updates. This is important because unpatched firmware can have security holes that attackers can exploit to steal data or disrupt operations, and firmware is easy to overlook when only operating systems and applications are being patched.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system management
Section
System patching
Official control statement
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in firmware.
Why it matters
If firmware isn’t scanned at least fortnightly, missing patches can persist and be exploited, causing service disruption or data compromise.
Operational notes
Run an authenticated (credentialed) vulnerability scan at least fortnightly; firmware versions are usually only visible to a scanner that can log in to the device or query its management interface, so unauthenticated network scans will under-report. Track firmware patch gaps from one scan to the next, and prioritise and remediate high/critical findings quickly.
Implementation tips
- The IT team should schedule regular vulnerability scans: Decide on specific days every two weeks to perform these scans. Use reliable scanning tools and ensure they cover all devices and systems used in the organisation, including network equipment and other hardware whose firmware the scanner can check.
- The system owner should review scan results: After each scan, check the report to see which devices are missing firmware patches or updates. Prioritise fixes for the most critical vulnerabilities first, based on the risk to the organisation.
- The manager should communicate the importance: Explain to the team why these checks are essential for keeping both the company and customer data secure, thereby encouraging their cooperation in timely patching.
- The IT team should document findings and actions: Keep a detailed record of all vulnerabilities found and how they were fixed. This document should include dates, actions taken, and confirmation that updates were applied.
- The manager should ensure backup support: Arrange for a secondary person in case the primary IT contact is unavailable. Make sure this person is trained to run scans and apply updates as needed.
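As an added example, not part of the ISM guidance or this page's original text, the following Python checks the two things the operational notes and implementation tips ask for: that the interval between scans has not slipped past a fortnight, and that firmware findings are tracked, prioritised and given a due date. The scan dates and findings are constructed sample data with assumed field names (real scanners export different schemas). The 2-day urgent window is an assumption, and the 30-day routine window approximates the "one month" timeframe for non-critical firmware vulnerabilities with no working exploit that the E8-PO-ML3.8 mapping on this page describes; both should be set from the organisation's own patching policy.

```python
from datetime import date, timedelta

# Constructed sample data for illustration only; field names and values are
# assumptions, not an export from any real vulnerability scanner.
SCAN_DATES = ["2026-01-05", "2026-01-19", "2026-02-02", "2026-02-23", "2026-03-09"]

FINDINGS = [
    {"scan_date": "2026-03-09", "host": "sw-edge-01", "component": "firmware",
     "severity": "critical", "exploit_available": True},
    {"scan_date": "2026-03-09", "host": "srv-db-02", "component": "firmware",
     "severity": "high", "exploit_available": False},
    {"scan_date": "2026-03-09", "host": "srv-db-02", "component": "os",
     "severity": "high", "exploit_available": False},
    {"scan_date": "2026-03-09", "host": "ups-01", "component": "firmware",
     "severity": "medium", "exploit_available": False},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
FORTNIGHT_DAYS = 14


def cadence_breaches(scan_dates, max_gap_days=FORTNIGHT_DAYS):
    """Return (previous, next, gap_days) for each pair of consecutive scans
    further apart than the limit. An empty list means the cadence held."""
    ordered = sorted(date.fromisoformat(d) for d in scan_dates)
    breaches = []
    for prev, nxt in zip(ordered, ordered[1:]):
        gap = (nxt - prev).days
        if gap > max_gap_days:
            breaches.append((prev.isoformat(), nxt.isoformat(), gap))
    return breaches


def scan_overdue(scan_dates, today_iso, max_gap_days=FORTNIGHT_DAYS):
    """True when the most recent scan is older than the fortnightly limit."""
    last = max(date.fromisoformat(d) for d in scan_dates)
    return (date.fromisoformat(today_iso) - last).days > max_gap_days


def firmware_gaps(findings):
    """Keep only firmware findings (the scope of ISM-1900), most urgent first:
    highest severity, then findings with a working exploit within a severity."""
    fw = [f for f in findings if f["component"] == "firmware"]
    return sorted(fw, key=lambda f: (SEVERITY_RANK[f["severity"]],
                                     not f["exploit_available"]))


def remediation_deadline(finding, urgent_days=2, routine_days=30):
    """Due date for a firmware finding. Non-critical findings with no working
    exploit get the routine window (assumed 30 days for "one month"); anything
    critical or exploited gets the urgent window (assumed 2 days)."""
    urgent = finding["severity"] == "critical" or finding["exploit_available"]
    found = date.fromisoformat(finding["scan_date"])
    window = urgent_days if urgent else routine_days
    return (found + timedelta(days=window)).isoformat()


def report(scan_dates, findings, today_iso):
    """Summary a system owner could review after each fortnightly scan."""
    return {
        "cadence_breaches": cadence_breaches(scan_dates),
        "scan_overdue": scan_overdue(scan_dates, today_iso),
        "firmware_gaps": [
            {"host": f["host"], "severity": f["severity"],
             "due": remediation_deadline(f)}
            for f in firmware_gaps(findings)
        ],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SCAN_DATES, FINDINGS, "2026-03-24"), indent=2))
```

Feeding each fortnight's export into `report` and filing the output alongside the scan report gives the dated action log the audit tips below ask for; the `cadence_breaches` list is the direct evidence that a scan was missed.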
Audit / evidence tips
- Ask for the vulnerability scan schedule: Request to see a calendar or schedule showing planned scan dates.
  Good evidence: A schedule with clearly marked fortnightly scans.
- Ask for recent scan reports: Obtain the latest scan reports that list any vulnerabilities found.
  Good evidence: Comprehensive reports showing firmware vulnerability details for each system.
- Ask for the vulnerability action log: Request a log of actions taken following each scan.
  Good evidence: A detailed log with precise actions linked to each vulnerability found.
- Ask about follow-up communication: See if communications have been sent to staff or relevant team members following scans.
  Good evidence: Clear communications advising on scanning outcomes and required actions.
- Ask for backup personnel records: Confirm who is designated as backup support for the scanning process.
  Good evidence: A named backup with completed training records on vulnerability scanning.
Cross-framework mappings
How ISM-1900 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 8.8 | ISM-1900 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing firmware patche... |
E8
| Relationship | Control | Notes |
|---|---|---|
| Partially overlaps | E8-PO-ML1.3 | E8-PO-ML1.3 requires daily vulnerability scanning to identify missing operating system patches/updates on internet-facing servers and net... |
| Supports | E8-PO-ML3.3 | ISM-1900 requires fortnightly vulnerability scanning to identify missing firmware patches or updates |
| Supports | E8-PO-ML3.8 | E8-PO-ML3.8 requires organisations to remediate non-critical firmware vulnerabilities within one month when no working exploits exist |
| Depends on | E8-PO-ML1.2 | ISM-1900 requires using a vulnerability scanner at least fortnightly to identify missing firmware patches or updates |
| Related | E8-PO-ML3.2 | E8-PO-ML3.2 requires a vulnerability scanner to be used at least fortnightly to identify missing patches or updates for vulnerabilities i... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.