Three months, or 90 days, is considered the maximum amount of time that should be allowed to pass between quarterly vulnerability scans. If unforeseen circumstances occur that impact an entity’s ability to complete scheduled scans, every effort should be made to perform scans as soon as possible (for example, within a day or two) of the scheduled scan date. Where an entity has advance notice of factors that may delay scans or impede their ability to address vulnerabilities (for example, scheduled system downtime, or predefined no-change windows that prevent system updates), the entity should strive to schedule scans before the 90 day period is reached.
In the case of legitimate technical or documented business constraints, and where the entity has sufficiently implemented other controls to mitigate the risk associated with not meeting the requirement, the entity may use a Compensating Controls Worksheet to document how they have addressed the intent of Requirement 11.2. Please refer to Appendix B (Compensating Controls) and Appendix C (Compensating Controls Worksheet) for further information.
In addition to the quarterly scans, vulnerability scans are also required after significant changes (Requirement 11.2.3). The occurrence of these scans is separate and independent of the quarterly scan schedule. Scans that are performed to verify a significant change do not replace a quarterly scan, and the occurrence of a quarterly scan does not replace the requirement to perform scans after a significant change.
Article Number 1087