How often do you scan internet-facing systems for vulnerabilities?
Description
What this control does
This control establishes the frequency at which automated vulnerability scanning is performed against internet-facing assets such as web applications, mail servers, VPN gateways, and public APIs. Scanning identifies exploitable weaknesses (known CVEs, misconfigurations, weak ciphers) before attackers can leverage them. A regular scanning cadence, typically weekly, monthly, or triggered by change events, ensures that new exposures introduced by software updates, infrastructure changes, or newly disclosed vulnerabilities are detected promptly.
Control objective
What auditing this proves
Demonstrate that the organization performs vulnerability scanning of internet-facing systems at a defined, documented frequency with evidence of consistent execution and remediation workflows.
Associated risks
Risks this control addresses
- Unpatched critical vulnerabilities in public-facing systems exploited by automated scanners or threat actors
- Zero-day exploits or newly disclosed CVEs remaining undetected between infrequent scan cycles
- Configuration drift on perimeter devices introducing exploitable weaknesses unknown to security teams
- Compliance violations due to failure to meet mandated scanning frequencies (e.g., PCI DSS quarterly requirements)
- Delayed incident response when vulnerabilities are discovered through breach forensics rather than proactive scanning
- Public exposure of sensitive data or services through misconfigurations not caught by sporadic assessments
- Lateral movement opportunities created when internet-facing footholds remain vulnerable for extended periods
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's vulnerability management policy and procedures to identify the documented scanning frequency for internet-facing systems.
- Request an inventory of all internet-facing IP addresses, domains, and assets currently in scope for vulnerability scanning.
- Identify the vulnerability scanning tools in use (e.g., Tenable, Qualys, Rapid7, Nessus) and review configuration settings for scan schedules and coverage.
- Collect scan reports, logs, or dashboard exports for the most recent 6-12 month period covering internet-facing assets.
- Verify that scans executed according to the stated frequency by comparing scheduled scan dates to actual execution timestamps in logs or job history.
- Select a sample of 5-10 internet-facing assets and trace their inclusion in scan reports across multiple scan cycles to confirm continuous coverage.
- Interview the vulnerability management lead to understand processes for handling scan failures, asset onboarding, and frequency exceptions.
- Review evidence of scan findings being routed to ticketing or GRC systems and confirm that high/critical vulnerabilities trigger defined response workflows.
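Three of the checks above (scans executed at the stated frequency, sampled assets present in every cycle, and high/critical findings routed to a ticket) can be scripted once the scanner's job history has been exported. The following is an added example, not part of the original control text and not the output format of any named scanning product; it assumes a constructed job history in the simple shape shown (start timestamp, assets scanned, findings with an optional ticket reference), which an auditor would populate from the tool's own export.

```python
"""Cadence, coverage, and ticket-routing checks over an exported scan job history.

The ScanRun records below are constructed sample data (RFC 2606 .test names),
not a real scanner export. Map a real export into this shape before use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ScanRun:
    started: datetime            # job start timestamp from the scanner's history
    assets: set[str]             # hostnames/IPs covered by this run
    findings: list[dict] = field(default_factory=list)  # {"asset", "severity", "ticket"}


# Constructed history: weekly policy, one missed week, one asset dropped from a
# run, and one high finding that was never ticketed.
CONSTRUCTED_RUNS = [
    ScanRun(datetime(2024, 1, 8, 2, 0),
            {"vpn.example.test", "www.example.test", "mail.example.test", "api.example.test"}),
    ScanRun(datetime(2024, 1, 15, 2, 0),
            {"vpn.example.test", "www.example.test", "mail.example.test", "api.example.test"},
            [{"asset": "vpn.example.test", "severity": "critical", "ticket": "VM-1001"}]),
    ScanRun(datetime(2024, 1, 22, 2, 0),
            {"vpn.example.test", "www.example.test", "mail.example.test"}),   # api missing
    ScanRun(datetime(2024, 2, 5, 2, 0),                                      # 14-day gap
            {"vpn.example.test", "www.example.test", "mail.example.test", "api.example.test"},
            [{"asset": "www.example.test", "severity": "high", "ticket": None}]),
    ScanRun(datetime(2024, 2, 12, 2, 0),
            {"vpn.example.test", "www.example.test", "mail.example.test", "api.example.test"}),
]


def cadence_gaps(runs: list[ScanRun], interval_days: int, grace_days: int = 1):
    """Return (previous_date, next_date, gap_days) for each pair of consecutive
    runs farther apart than the documented interval plus a small grace period."""
    ordered = sorted(runs, key=lambda r: r.started)
    allowed = timedelta(days=interval_days + grace_days)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        delta = nxt.started - prev.started
        if delta > allowed:
            gaps.append((prev.started.date().isoformat(),
                         nxt.started.date().isoformat(), delta.days))
    return gaps


def coverage_gaps(runs: list[ScanRun], sample_assets: list[str]):
    """Map each sampled asset to the run dates in which it was not scanned.
    An empty dict means every sampled asset appeared in every cycle."""
    missing = {}
    for asset in sample_assets:
        absent = [r.started.date().isoformat() for r in runs if asset not in r.assets]
        if absent:
            missing[asset] = absent
    return missing


def untracked_high_findings(runs: list[ScanRun], severities=("high", "critical")):
    """List high/critical findings that carry no ticket reference, i.e. were
    not routed into the remediation workflow the control expects."""
    return [
        (r.started.date().isoformat(), f["asset"], f["severity"])
        for r in runs
        for f in r.findings
        if f["severity"] in severities and not f.get("ticket")
    ]


if __name__ == "__main__":
    print("cadence gaps (weekly policy):", cadence_gaps(CONSTRUCTED_RUNS, 7))
    print("coverage gaps:", coverage_gaps(CONSTRUCTED_RUNS,
                                          ["vpn.example.test", "api.example.test"]))
    print("untracked high/critical:", untracked_high_findings(CONSTRUCTED_RUNS))
```

Each function returns the exceptions rather than a pass/fail flag, so the auditor's workpaper can record which dates or assets need an explanation from the vulnerability management lead (a scanner outage, a late onboarding, a finding closed outside the ticketing system). The grace period absorbs jobs that start a few hours late without hiding a genuinely skipped cycle.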