Quarterly external + internal scans
Demonstrate that the organization conducts credentialed vulnerability scans from both external and internal perspectives at least quarterly, tracks findings by severity, and initiates remediation processes within defined timeframes.
Description
What this control does
This control mandates authenticated vulnerability scanning of all in-scope systems at least once every calendar quarter, using both external scanners (assessing the internet-facing attack surface) and internal scanners (detecting flaws that enable lateral movement). External scans target public IP ranges and externally accessible services, while internal scans assess workstations, servers, databases, and network devices within the corporate perimeter. A regular cadence bounds how long newly disclosed vulnerabilities (CVEs) remain undetected, and scan results feed remediation workflows tied to severity ratings and SLAs.
Control objective
What auditing this proves
Demonstrate that the organization conducts credentialed vulnerability scans from both external and internal perspectives at least quarterly, tracks findings by severity, and initiates remediation processes within defined timeframes.
Associated risks
Risks this control addresses
- Unpatched critical vulnerabilities in internet-facing systems exploited by attackers for initial access
- Internal systems with high-severity flaws enabling lateral movement after perimeter compromise
- Zero-day or newly disclosed CVEs remaining undetected for extended periods due to infrequent scanning
- Configuration drift or unauthorized software installations introducing exploitable weaknesses between scan cycles
- Lack of prioritized remediation leading to persistent exposure despite awareness of vulnerabilities
- Compliance gaps resulting in audit findings, regulatory penalties, or failed third-party assessments
- Privilege escalation vectors in internal endpoints undetected without authenticated scan credentials
Testing procedure
How an auditor verifies this control
- Obtain the complete asset inventory and confirm the in-scope IP ranges, subnets, and systems designated for external and internal scanning.
- Review the vulnerability management policy and verify the documented requirement for quarterly external and internal scans with defined scan windows.
- Collect scan reports for the most recent four quarters, including timestamps, IP ranges scanned, credential validation logs, and plugin/signature versions used.
- Verify that external scans originated from outside the corporate network boundary and that internal scans used authenticated credentials with sufficient privilege levels.
- Select a representative sample of critical and high-severity findings from each quarter's reports and trace them to remediation tracking tickets or exception approvals.
- Confirm that scan cadence adheres to the quarterly minimum by calculating the interval between consecutive scans for each scope (external and internal).
- Interview the vulnerability management team to validate the process for scan scheduling, scope updates after infrastructure changes, and escalation procedures for critical findings.
- Cross-reference scan coverage against the current asset inventory to identify any systems excluded from scanning without documented justification or compensating controls.
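One way to automate the cadence, scan-origin, credential and coverage checks from the steps above, as an added example with constructed sample evidence (not code from any scanner or GRC product; every IP range, date and ticket id below is made up, and the 92-day interval is an assumed threshold):

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample evidence (not from any real engagement): one record per scan run.
SCANS = [
    {"scope": "external", "date": date(2024, 1, 10), "credentialed": False,
     "origin": "203.0.113.7", "targets": ["198.51.100.0/24"]},
    {"scope": "external", "date": date(2024, 4, 2), "credentialed": False,
     "origin": "10.0.5.20", "targets": ["198.51.100.0/24"]},   # ran from inside: finding
    {"scope": "external", "date": date(2024, 7, 30), "credentialed": False,
     "origin": "203.0.113.7", "targets": ["198.51.100.0/24"]},  # 119 days after Apr 2: finding
    {"scope": "internal", "date": date(2024, 1, 12), "credentialed": True,
     "origin": "10.0.5.20", "targets": ["10.0.1.0/24"]},
    {"scope": "internal", "date": date(2024, 4, 5), "credentialed": False,
     "origin": "10.0.5.20", "targets": ["10.0.1.0/24"]},        # unauthenticated: finding
]
CORPORATE_NETS = [ip_network("10.0.0.0/8")]
ASSETS = ["10.0.1.15", "10.0.1.200", "10.0.2.9", "10.0.2.10", "198.51.100.4"]
EXCEPTIONS = {"10.0.2.9": "EXC-0042"}   # constructed ticket id for a documented exclusion
MAX_GAP_DAYS = 92                        # assumed threshold: longest calendar quarter is 92 days

def cadence_gaps(scans, scope, max_gap=MAX_GAP_DAYS):
    """Return (earlier, later, days) for consecutive scans of `scope` further apart than max_gap."""
    dates = sorted(s["date"] for s in scans if s["scope"] == scope)
    return [(a, b, (b - a).days) for a, b in zip(dates, dates[1:]) if (b - a).days > max_gap]

def external_scans_from_inside(scans, corporate_nets):
    """Dates of external scans whose source address sits inside the corporate ranges."""
    return [s["date"] for s in scans if s["scope"] == "external"
            and any(ip_address(s["origin"]) in n for n in corporate_nets)]

def unauthenticated_internal(scans):
    """Dates of internal scans that ran without credentials."""
    return [s["date"] for s in scans if s["scope"] == "internal" and not s["credentialed"]]

def coverage_gaps(assets, scans, exceptions):
    """Inventory assets never inside any scanned range and lacking a documented exception."""
    scanned = [ip_network(t) for s in scans for t in s["targets"]]
    return [a for a in assets
            if not any(ip_address(a) in n for n in scanned) and a not in exceptions]

if __name__ == "__main__":
    print("cadence gaps (external):", cadence_gaps(SCANS, "external"))
    print("external scans run from inside:", external_scans_from_inside(SCANS, CORPORATE_NETS))
    print("unauthenticated internal scans:", unauthenticated_internal(SCANS))
    print("coverage gaps:", coverage_gaps(ASSETS, SCANS, EXCEPTIONS))
```

Each function returns evidence an auditor can paste into a working paper; the sample data is arranged so every check produces exactly one finding except internal cadence, which passes.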
Where this control is tested