Vulnerability scans shall be conducted after any major system, organization, or infrastructure change to identify any security gaps. Vulnerability assessments shall also be conducted at the cadence defined by the organization's information security program/strategy. The frequencies required by industry standards are listed below.
- ISO 27001: Requires quarterly external and internal vulnerability scans
- HIPAA: Requires a thorough risk assessment and vulnerability management process, which vulnerability scanning helps satisfy
- PCI DSS: Requires quarterly external and internal scans conducted by an ASV (Approved Scanning Vendor)
- FISMA: Requires documentation and implementation of a vulnerability program to protect the availability, confidentiality, and integrity of IT systems
- NIST: Requires either quarterly or monthly vulnerability scans depending on the particular NIST framework (SP 800-171, SP 800-53, etc.)
Overall, an industry best practice is to perform vulnerability scanning at least once per quarter.