Assess System Compromise Risks Often
Regularly assess how likely systems are to be compromised through known, unmitigated vulnerabilities for which working exploits exist.
Plain language
This control is about regularly checking your systems to see how exposed they are to cyberattacks through known weaknesses, especially weaknesses that attackers already have working exploits for. It matters because if you don't, you risk being compromised without warning, which could lead to stolen data, unhappy clients and financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system management
Section
System patching
Official control statement
The likelihood of system compromise is frequently assessed when working exploits exist for unmitigated vulnerabilities.
Why it matters
Unchecked vulnerabilities with known exploits can swiftly lead to system breaches, risking critical data loss and operational disruption.
Operational notes
Integrate exploit monitoring (tracking which vulnerabilities in the estate have publicly available working exploits) into routine risk assessments; prioritise immediate mitigation when a working exploit exists for a vulnerability that has not yet been patched or otherwise mitigated.
Implementation tips
- The IT team should regularly scan all computer systems for vulnerabilities, using scanning tools that search for known weaknesses. Run this at least monthly, and again whenever new patches are released or a working exploit is published for a vulnerability present in the environment.
- The manager should ensure that someone is responsible for reviewing scan results. Assign this task to an experienced IT employee who can identify which vulnerabilities are critical and need immediate attention.
- Business owners should prioritise addressing critical vulnerabilities. After reviewing with the IT team, decide which risks are the highest priority and allocate resources to mitigate them as quickly as possible.
- The IT team should keep software up to date to reduce vulnerabilities. Set automatic updates wherever possible and keep a manual schedule for updating any systems that don't auto-update.
- System owners should work with the IT team to establish a response plan for when vulnerabilities are found. This plan should outline who takes what action and include steps to follow up after mitigation to ensure the vulnerabilities have been successfully addressed.
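The scanning, review and prioritisation steps above form one procedure, and the part a practitioner most wants to see is the triage rule at its centre: an unmitigated vulnerability with a working exploit outranks anything that CVSS alone would flag. The Python below is an added example (not code from this page, from Control Stack, or from ASD) that takes scan findings and a feed of vulnerabilities with known working exploits, ranks findings accordingly, and checks whether the assessment itself is overdue. The finding fields, the 30-day cadence (taken from the monthly scan tip above) and the `CVE-0000-*` identifiers are assumptions; all data is constructed.

```python
"""Exploit-aware triage of vulnerability scan findings.

Added example; not code from the page or from ASD. All findings, exploit
entries and identifiers below are constructed placeholders (CVE-0000-* is
not a valid CVE year and cannot collide with a real record).
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: a feed of vulnerability IDs for which a working exploit is
# publicly available, i.e. what an exploit-monitoring process would poll.
WORKING_EXPLOITS = {"CVE-0000-0001", "CVE-0000-0003"}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float
    mitigated: bool  # patch applied, or a compensating control is in place


# Constructed sample scan output: one row per host/vulnerability pair.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8, mitigated=False),
    Finding("web-01", "CVE-0000-0002", 7.5, mitigated=False),
    Finding("db-01", "CVE-0000-0003", 8.1, mitigated=True),
    Finding("db-01", "CVE-0000-0004", 4.3, mitigated=False),
    Finding("app-02", "CVE-0000-0003", 8.1, mitigated=False),
]

# Sort order for the priority labels returned by priority().
_ORDER = {"immediate": 0, "high": 1, "routine": 2, "closed": 3}


def priority(f: Finding, exploited: set[str]) -> str:
    """Classify one finding.

    The control's trigger is the combination of an unmitigated vulnerability
    and a working exploit, so that case is ranked above anything CVSS alone
    would indicate: a 2.0 with a working exploit beats a 9.9 without one.
    """
    if f.mitigated:
        return "closed"
    if f.vuln_id in exploited:
        return "immediate"  # working exploit and no mitigation
    if f.cvss >= 7.0:
        return "high"
    return "routine"


def assess(findings, exploited):
    """Return (priority, finding) tuples, most urgent first.

    Ties within a priority band are broken by CVSS (descending) then host.
    """
    rows = [(priority(f, exploited), f) for f in findings]
    return sorted(rows, key=lambda r: (_ORDER[r[0]], -r[1].cvss, r[1].host))


def hosts_at_immediate_risk(findings, exploited) -> set[str]:
    """Hosts carrying at least one unmitigated, actively exploitable finding."""
    return {f.host for p, f in assess(findings, exploited) if p == "immediate"}


def assessment_overdue(last_assessed: str, today: str, max_age_days: int = 30) -> bool:
    """True if the last assessment is older than the allowed gap.

    Dates are ISO strings. The control says 'frequently'; the page's
    implementation tip says monthly, so 30 days is the assumed maximum.
    """
    gap = date.fromisoformat(today) - date.fromisoformat(last_assessed)
    return gap > timedelta(days=max_age_days)


if __name__ == "__main__":
    for p, f in assess(SAMPLE_FINDINGS, WORKING_EXPLOITS):
        print(f"{p:<9} {f.host:<7} {f.vuln_id} cvss={f.cvss}")
    print("assessment overdue:", assessment_overdue("2026-01-10", "2026-03-19"))
```

Run as a script it prints the two `immediate` rows first (web-01 and app-02), then the `high` web-01 finding, the `routine` db-01 finding and finally the mitigated one as `closed`; the overdue check reports `True` for a 68-day gap. Feeding it real scanner output means replacing `SAMPLE_FINDINGS` with parsed results and `WORKING_EXPLOITS` with an exploit feed the organisation actually trusts.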
Audit / evidence tips
- Ask for the most recent vulnerability scan report: request a recent scan result document to review. A good sign is up-to-date results with a note on the action taken or planned for each listed vulnerability.
- Ask for meeting notes where vulnerabilities were discussed: request documentation of discussions or meetings on system vulnerabilities.
- Ask about the update schedule for software: request the schedule or records for software updates. A good schedule will show regular update intervals, with few exceptions and the reasons for them documented.
- Ask for records of patched vulnerabilities: request a list of patched vulnerabilities. Check which were patched promptly and whether any remain open. Good records will show dated entries for each patch and minimal outstanding critical vulnerabilities.
- Ask for the response plan document: request the document outlining the steps to take when vulnerabilities are found.
Cross-framework mappings
How ISM-1921 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8: Supports (6 mapped Essential Eight controls; the individual mappings are not listed here).
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.