
How Often Should Vulnerability Assessments Run?

This page discusses how often you should run vulnerability scans.


Industry standard practice advises organizations to scan their internal and external systems at least quarterly; ideally, assessments are performed monthly. Compliance requirements dictate how often assessments must be performed. For instance, below are a few examples of how often scans must be performed to meet compliance:

  • Payment Card Industry Data Security Standard (PCI DSS) - Quarterly
  • Health Insurance Portability and Accountability Act (HIPAA) - Scanning is not required, but a detailed assessment process must be established.
  • Cybersecurity Maturity Model Certification (CMMC) - Weekly to quarterly, based on auditor requirements
  • National Institute of Standards and Technology (NIST) - Quarterly to monthly, depending on the governing framework

Additionally, the more frequently scanning is performed, the better the chance of identifying weaknesses sooner. An assessment should also be performed any time changes are made to the network. This ensures that no new vulnerability was introduced during the change process and provides an up-to-date analysis.
