Memory cues
| Control | Cue |
|---|---|
| A.8.8 Management of Technical Vulnerabilities | Find vulnerabilities, assess exposure, act, and verify closure |
| A.8.9 Configuration Management | Define secure state, apply it, monitor drift, and review exceptions |
Likely exam traps
- A.8.8 is not just scanning or patching.
- Vulnerability remediation should be risk-based and verified by retest.
- Penetration testing supplements vulnerability management; it does not replace it.
- A.8.9 is not asset inventory. It is secure configuration baseline management.
- Configuration exceptions can be valid if risk-assessed and compensated.
- Monitoring alerts are weak evidence unless they are triaged and resolved.
Quick comparison
| Question | A.8.8 | A.8.9 |
|---|---|---|
| Main concern | Known technical vulnerabilities | Approved secure configurations and drift |
| Evidence | Advisories, scans, risk ratings, patch/change records, retests, exceptions | Baselines, system mapping, compliance reports, deviation records, drift alerts |
| Common failure | Scan reports with no treatment or retest | Baselines exist but are not monitored or exceptions are informal |
| Audit method | Follow finding from discovery to closure | Compare system config to baseline and review deviations |
Practical mentor takeaway
Exam lens
A.8.8 asks whether known weaknesses are found and treated. A.8.9 asks whether approved secure configuration is defined and maintained over time.
- Iso27001
- Exam
- Technological controls
- Vulnerability management
- Configuration management
Note Metadata
Aliases: A.8.8 A.8.9 exam cues
Source: 09-Exam-Preparation/EXAM-030-Vulnerability-and-Configuration-Management.md