ISM-1752

A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices.

Topic: Scanning for unmitigated vulnerabilities
Applicable to: all

History

Jun 2024
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of IT equipment other than workstations, servers and network devices.
References to ICT equipment were amended to IT equipment.
Dec 2023
A vulnerability scanner is used at least fortnightly to identify missing patches or updates for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices.
The existing control relating to conducting vulnerability scanning to identify missing patches or updates for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices was relaxed from weekly scanning to fortnightly scanning.
Sep 2023
A vulnerability scanner is used at least weekly to identify missing patches or updates for vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Jun 2023
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of ICT equipment other than workstations, servers and network devices.
The existing control relating to ‘scanning for missing patches or updates in operating systems of other ICT equipment’ was amended to ‘scanning for missing patches or updates in operating systems of ICT equipment other than workstations, servers and network devices’ to avoid confusion when the control is read in isolation.
Mar 2022
A vulnerability scanner is used at least weekly to identify missing patches or updates for security vulnerabilities in operating systems of other ICT equipment.
While existing recommendations covered patching security vulnerabilities in workstations, servers and network devices, they did not cover patching security vulnerabilities in other ICT equipment.