UnixTime

Research Note

A.8.8 Audit Evidence Pack

- Scanning covers all relevant systems. - Vulnerabilities have owners, severity, risk rating, and target dates. - Critical issues are prioritized by exploitability and exposure....

On this page

What the auditor wants to verify

Audit objective

Verify that vulnerability information is obtained, exposure is evaluated, actions are taken, and remediation is verified.

Evidence to request

Evidence Purpose
Vulnerability management procedure Shows the process is defined
Vulnerability intelligence source list Shows the organization learns about new vulnerabilities
Asset/scanning scope Shows relevant systems are included
Vulnerability scan reports Shows technical testing occurs
Penetration test reports Shows deeper testing for sensitive systems
Risk rating and prioritization records Shows exposure is evaluated
Patch/change records Shows treatment is controlled
Rollback plans Shows failed patches can be reversed
Retest reports Shows remediation is verified
Exception/risk acceptance records Shows unresolved vulnerabilities are owned

Strong evidence

  • Scanning covers all relevant systems.
  • Vulnerabilities have owners, severity, risk rating, and target dates.
  • Critical issues are prioritized by exploitability and exposure.
  • Patch implementation links to change control and rollback.
  • Retests prove closure.
  • Exceptions have approval, residual risk, and review date.

Weak evidence

  • Scan reports exist but no remediation tracker exists.
  • Only sample systems are scanned without rationale.
  • Patches are applied without testing or rollback planning.
  • Findings are closed without retest.
  • Exceptions are informal or indefinite.

Sample interview questions

  • How do you learn about new vulnerabilities?
  • Which assets are included in scanning?
  • How are vulnerabilities risk-rated?
  • What determines patch urgency?
  • How are patches tested and rolled back?
  • How do you prove remediation is complete?

Common nonconformities

  • No structured vulnerability management process.
  • Incomplete scan scope.
  • No owner or due date for findings.
  • No retest evidence.
  • Critical vulnerabilities overdue without risk acceptance.
  • Vulnerability response not linked to change control.