What the auditor wants to verify
Audit objective
Verify that vulnerability information is obtained, exposure is evaluated, actions are taken, and remediation is verified.
Evidence to request
| Evidence | Purpose |
|---|---|
| Vulnerability management procedure | Shows the process is defined |
| Vulnerability intelligence source list | Shows the organization learns about new vulnerabilities |
| Asset/scanning scope | Shows relevant systems are included |
| Vulnerability scan reports | Shows technical testing occurs |
| Penetration test reports | Shows deeper testing for sensitive systems |
| Risk rating and prioritization records | Shows exposure is evaluated |
| Patch/change records | Shows treatment is controlled |
| Rollback plans | Shows failed patches can be reversed |
| Retest reports | Shows remediation is verified |
| Exception/risk acceptance records | Shows unresolved vulnerabilities are owned |
Strong evidence
- Scanning covers all relevant systems.
- Vulnerabilities have owners, severity, risk rating, and target dates.
- Critical issues are prioritized by exploitability and exposure.
- Patch implementation links to change control and rollback.
- Retests prove closure.
- Exceptions have approval, residual risk, and review date.
Weak evidence
- Scan reports exist but no remediation tracker exists.
- Only sample systems are scanned without rationale.
- Patches are applied without testing or rollback planning.
- Findings are closed without retest.
- Exceptions are informal or indefinite.
Sample interview questions
- How do you learn about new vulnerabilities?
- Which assets are included in scanning?
- How are vulnerabilities risk-rated?
- What determines patch urgency?
- How are patches tested and rolled back?
- How do you prove remediation is complete?
Common nonconformities
- No structured vulnerability management process.
- Incomplete scan scope.
- No owner or due date for findings.
- No retest evidence.
- Critical vulnerabilities overdue without risk acceptance.
- Vulnerability response not linked to change control.
Related notes
- Audit
- Evidence
- A8 8
- Iso27001
Note Metadata
Aliases: A.8.8 Evidence
Source: 04 Audit Evidence Packs/A.8.8 Audit Evidence Pack.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- Audit Evidence MOC
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.8 Management of Technical Vulnerabilities
- A.8.8 Audit Checklist
- Patch Testing and Rollback Checklist
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Audit Evidence Index