UnixTime

Research Note

ISO 27001 A.8.8 - Management of Technical Vulnerabilities

The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching...

On this page

Requirement

Requirement lens

This control asks whether the organization obtains vulnerability information, evaluates exposure, and takes appropriate action.

“Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.”

Plain-language meaning

The organization should actively find out what vulnerabilities affect its systems, assess how exposed it is, and respond in a risk-based timeframe. Response can include patching, configuration change, compensating controls, isolation, monitoring, or formal risk acceptance.

Vulnerability management is broader than running a scanner. Scanning finds issues, but the control also expects roles, timelines, risk evaluation, testing, patch/change control, rollback, retesting, and effectiveness review.

Why this matters

Most technical attacks exploit known vulnerabilities. The time between disclosure and active exploitation can be short. If the organization is slow to detect, assess, patch, or mitigate vulnerabilities, attackers get a practical path into systems before the organization acts.

Critical systems may need manual penetration testing or deeper assessment because automated scans often find surface-level weaknesses but miss business logic, chained vulnerabilities, and contextual exposure.

Implementation guidance

Implementer focus

Build a repeatable lifecycle: discover assets, receive vulnerability intelligence, scan/test, assess risk, treat, retest, and report.

1. Define vulnerability management ownership

Assign responsibilities for:

  • vulnerability intelligence sources;
  • asset/system ownership;
  • scanning and testing;
  • risk rating and prioritization;
  • patch testing;
  • implementation;
  • rollback;
  • retesting;
  • exception approval;
  • reporting to management.

2. Obtain vulnerability information

Sources may include vendor advisories, security bulletins, threat intelligence, vulnerability databases, managed service reports, cloud provider notices, scanner feeds, and penetration test findings.

3. Scan and test relevant systems

Automated vulnerability scanning should cover relevant systems, not only a convenient sample. Sensitive or critical systems may also need manual penetration testing or deeper technical review.

4. Evaluate exposure and risk

The organization should consider:

Factor Why it matters
Asset criticality Determines business impact
Exploit availability Determines urgency
Internet exposure Increases attack likelihood
Data sensitivity Increases confidentiality/integrity impact
Existing controls May reduce exposure
Uptime requirements Affects patch timing and testing

5. Treat vulnerabilities through change control

Patching should be tested where appropriate and linked to change control. Rollback should be available in case the patch causes failure. Smaller organizations may patch quickly with lighter testing, while larger or highly available environments may need staged testing. The approach should be risk-based.

6. Retest and monitor effectiveness

After remediation, retest to confirm the vulnerability is closed. Track overdue items, repeated findings, exceptions, and vulnerability management performance.

Audit guidance

Auditor focus

Test whether the process finds vulnerabilities quickly, evaluates exposure correctly, takes action in time, and proves remediation through retesting.

Auditors should verify:

  • documented vulnerability management procedure;
  • vulnerability intelligence sources;
  • asset scope for scanning/testing;
  • scan configurations and coverage;
  • penetration testing approach for sensitive systems;
  • vulnerability risk rating and prioritization;
  • patch/change records;
  • testing and rollback plans;
  • exception/risk acceptance records;
  • remediation evidence and retest reports;
  • metrics and management reporting.

Audit the full lifecycle, not only the scan report. A scan report with no risk decision, no owner, no action plan, and no retest is weak evidence.

Evidence examples

Evidence quality

Strong evidence proves vulnerabilities are found, risk-rated, treated, retested, and reported.

Evidence What it proves
Vulnerability management procedure Process is defined
Vulnerability source list Organization receives relevant information
Vulnerability scan reports Systems are tested
Penetration test reports Sensitive systems receive deeper review
Risk rating and prioritization record Exposure is evaluated
Patch/change records Treatment is controlled
Rollback plans Failed patches can be reversed
Retest reports Remediation is verified
Exception/risk acceptance records Unfixed risks are owned
Metrics/dashboard Process is monitored

Strong evidence

  • Scanning covers all relevant systems.
  • Vulnerabilities are assigned owners and deadlines.
  • Critical vulnerabilities are prioritized by exposure and exploitability.
  • Patches are tested and implemented through change control where needed.
  • Retests confirm closure.
  • Exceptions have risk-based approval and review dates.

Weak evidence

  • Vulnerability scans are run but not acted on.
  • Only sample systems are scanned without rationale.
  • No retesting after remediation.
  • Patches are installed without rollback planning.
  • Exceptions are informal or indefinite.
  • Penetration test findings are treated as one-off project tasks.

Common failures

Implementation watchouts

A.8.8 fails when vulnerability scanning exists but the organization cannot prove risk-based treatment and closure.

Failure Why it matters
No asset scope Vulnerable systems are missed
No vulnerability intelligence process New threats are discovered too late
Scan-only mindset Findings do not become treatment actions
No patch testing or rollback Remediation can cause outages
No retest Closure is assumed, not proven
Weak exception process Known vulnerabilities remain unmanaged
No metrics Management cannot see exposure trends

Exam traps

Exam focus

A.8.8 is not just patch management and not just scanning. It covers vulnerability information, exposure evaluation, action, and verification.

Trap Correct interpretation
Running a scanner proves compliance The organization must assess, treat, retest, and monitor findings
Every patch must be installed immediately Timing should be risk-based and consider uptime/resilience
Penetration testing replaces vulnerability management It can supplement scanning for sensitive systems
Patching is outside change control Patch implementation should link to change control and rollback
Unfixed vulnerabilities can simply remain open Exceptions need risk acceptance, owner, and review date

KB-ready summary

Mentor takeaway

A.8.8 is a lifecycle control. Strong implementation proves the organization learns about vulnerabilities, understands exposure, acts in a risk-based timeframe, and verifies closure.

  • Monitor reliable vulnerability information sources.
  • Scan and test relevant systems.
  • Risk-rate findings based on exposure and impact.
  • Patch or mitigate through controlled change.
  • Retest and report closure or accepted residual risk.

Templates and checklists

  • Iso27001
  • Iso27002
  • Annex a
  • Technological controls
  • Vulnerability management
  • Patch management
  • Audit

Note Metadata

Aliases: A.8.8, Management of Technical Vulnerabilities, Technical Vulnerability Management

Source: 05 Annex A Technological Controls/A.8.8 Management of Technical Vulnerabilities.md

Control dependency map

How this control connects to work products

Generated from the static research graph. It shows navigation and evidence dependencies; it is not an audit conclusion.

12

links

01
02
03

Evidence required

Evidence packs and proof records that support auditability.

04

Audit checks

Audit questions, checklists, or review material connected to the control.

05

Risk treatment

Risk records and ISO 27005 material this control mitigates or supports.

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Auditor evidence packs

Evidence collections and audit-facing verification material.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.