Requirement
Requirement lens
This control asks whether the organization obtains vulnerability information, evaluates exposure, and takes appropriate action.
“Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.”
Plain-language meaning
The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching, configuration change, compensating controls, isolation, monitoring, or formal risk acceptance.
Vulnerability management is broader than running a scanner. Scanning finds issues, but the control also expects roles, timelines, risk evaluation, testing, patch/change control, rollback, retesting, and effectiveness review.
Why this matters
Most technical attacks exploit known vulnerabilities. The time between disclosure and active exploitation can be short. If the organization is slow to detect, assess, patch, or mitigate vulnerabilities, attackers get a practical path into systems before the organization acts.
Critical systems may need manual penetration testing or deeper assessment because automated scans often find surface-level weaknesses but miss business logic, chained vulnerabilities, and contextual exposure.
Implementation guidance
Implementer focus
Build a repeatable lifecycle: discover assets, receive vulnerability intelligence, scan/test, assess risk, treat, retest, and report.
1. Define vulnerability management ownership
Assign responsibilities for:
- vulnerability intelligence sources;
- asset/system ownership;
- scanning and testing;
- risk rating and prioritization;
- patch testing;
- implementation;
- rollback;
- retesting;
- exception approval;
- reporting to management.
2. Obtain vulnerability information
Sources may include vendor advisories, security bulletins, threat intelligence, vulnerability databases, managed service reports, cloud provider notices, scanner feeds, and penetration test findings.
3. Scan and test relevant systems
Automated vulnerability scanning should cover relevant systems, not only a convenient sample. Sensitive or critical systems may also need manual penetration testing or deeper technical review.
4. Evaluate exposure and risk
The organization should consider:
| Factor | Why it matters |
|---|---|
| Asset criticality | Determines business impact |
| Exploit availability | Determines urgency |
| Internet exposure | Increases attack likelihood |
| Data sensitivity | Increases confidentiality/integrity impact |
| Existing controls | May reduce exposure |
| Uptime requirements | Affects patch timing and testing |
5. Treat vulnerabilities through change control
Patching should be tested where appropriate and linked to change control. Rollback should be available in case the patch causes failure. Smaller organizations may patch quickly with lighter testing, while larger or highly available environments may need staged testing. The approach should be risk-based.
6. Retest and monitor effectiveness
After remediation, retest to confirm the vulnerability is closed. Track overdue items, repeated findings, exceptions, and vulnerability management performance.
Audit guidance
Auditor focus
Test whether the process finds vulnerabilities quickly, evaluates exposure correctly, takes action in time, and proves remediation through retesting.
Auditors should verify:
- documented vulnerability management procedure;
- vulnerability intelligence sources;
- asset scope for scanning/testing;
- scan configurations and coverage;
- penetration testing approach for sensitive systems;
- vulnerability risk rating and prioritization;
- patch/change records;
- testing and rollback plans;
- exception/risk acceptance records;
- remediation evidence and retest reports;
- metrics and management reporting.
Audit the full lifecycle, not only the scan report. A scan report with no risk decision, no owner, no action plan, and no retest is weak evidence.
Evidence examples
Evidence quality
Strong evidence proves vulnerabilities are found, risk-rated, treated, retested, and reported.
| Evidence | What it proves |
|---|---|
| Vulnerability management procedure | Process is defined |
| Vulnerability source list | Organization receives relevant information |
| Vulnerability scan reports | Systems are tested |
| Penetration test reports | Sensitive systems receive deeper review |
| Risk rating and prioritization record | Exposure is evaluated |
| Patch/change records | Treatment is controlled |
| Rollback plans | Failed patches can be reversed |
| Retest reports | Remediation is verified |
| Exception/risk acceptance records | Unfixed risks are owned |
| Metrics/dashboard | Process is monitored |
Strong evidence
- Scanning covers all relevant systems.
- Vulnerabilities are assigned owners and deadlines.
- Critical vulnerabilities are prioritized by exposure and exploitability.
- Patches are tested and implemented through change control where needed.
- Retests confirm closure.
- Exceptions have risk-based approval and review dates.
Weak evidence
- Vulnerability scans are run but not acted on.
- Only sample systems are scanned without rationale.
- No retesting after remediation.
- Patches are installed without rollback planning.
- Exceptions are informal or indefinite.
- Penetration test findings are treated as one-off project tasks.
Common failures
Implementation watchouts
A.8.8 fails when vulnerability scanning exists but the organization cannot prove risk-based treatment and closure.
| Failure | Why it matters |
|---|---|
| No asset scope | Vulnerable systems are missed |
| No vulnerability intelligence process | New threats are discovered too late |
| Scan-only mindset | Findings do not become treatment actions |
| No patch testing or rollback | Remediation can cause outages |
| No retest | Closure is assumed, not proven |
| Weak exception process | Known vulnerabilities remain unmanaged |
| No metrics | Management cannot see exposure trends |
Exam traps
Exam focus
A.8.8 is not just patch management and not just scanning. It covers vulnerability information, exposure evaluation, action, and verification.
| Trap | Correct interpretation |
|---|---|
| Running a scanner proves compliance | The organization must assess, treat, retest, and monitor findings |
| Every patch must be installed immediately | Timing should be risk-based and consider uptime/resilience |
| Penetration testing replaces vulnerability management | It can supplement scanning for sensitive systems |
| Patching is outside change control | Patch implementation should link to change control and rollback |
| Unfixed vulnerabilities can simply remain open | Exceptions need risk acceptance, owner, and review date |
Related controls and concepts
- A.8 Technological Controls MOC
- A.8.6 Capacity Management
- A.8.7 Protection Against Malware
- A.8.9 Configuration Management
- A.5.8 Information Security in Project Management
- A.5.24 Information Security Incident Management Planning and Preparation
- A.5.26 Response to Information Security Incidents
- Risk Assessment
- Statement of Applicability
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Patch Testing and Rollback Checklist
- Vulnerability Exception and Risk Acceptance Record
- A.8.8 Audit Evidence Pack
- A.8.8 Audit Checklist
KB-ready summary
Mentor takeaway
A.8.8 is a lifecycle control. Strong implementation proves the organization learns about vulnerabilities, understands exposure, acts in a risk-based timeframe, and verifies closure.
- Monitor reliable vulnerability information sources.
- Scan and test relevant systems.
- Risk-rate findings based on exposure and impact.
- Patch or mitigate through controlled change.
- Retest and report closure or accepted residual risk.
Templates and checklists
- Iso27001
- Iso27002
- Annex a
- Technological controls
- Vulnerability management
- Patch management
- Audit
Note Metadata
Aliases: A.8.8, Management of Technical Vulnerabilities, Technical Vulnerability Management
Source: 05 Annex A Technological Controls/A.8.8 Management of Technical Vulnerabilities.md
Control dependency map
How this control connects to work products
Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.
12
links
Requirement context
Primary control text, framework notes, or adjacent controls this note points to.
Implementation artifacts
Templates and working records that help operate the control.
Evidence required
Evidence packs and proof records that support auditability.
Audit checks
Audit questions, checklists, or review material connected to the control.
Risk treatment
Risk records and ISO 27005 material this control mitigates or supports.
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.24 - Information Security Incident Management Planning and Preparation
- ISO 27001 A.5.26 - Response to Information Security Incidents
- ISO 27001 A.5.8 - Information Security in Project Management
- A.8.8 Audit Evidence Pack
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.28 - Secure Coding
- ISO 27001 A.8.29 - Security Testing in Development and Acceptance
- ISO 27001 A.8.32 - Change Management
- ISO 27001 A.8.34 - Protection of Information Systems During Audit Testing
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- ISO27001-A.8.8 Management of Technical Vulnerabilities
- A.8 Technological Controls Implementation Audit Risk Mapping
- EXAM-030 - Vulnerability and Configuration Management
- ISO 27002 Annex A Control Interpretation Map
- A.8.8 Audit Checklist
- Audit Tool Validation Record
- Emergency Change Record
- Operational Software Installation Procedure
- Patch Testing and Rollback Checklist
- Secure Development Policy
- Security Test Plan
- Security Test Results and Remediation Tracker
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Annex A Controls MOC