UnixTime

Research Note

EXAM-030 - Vulnerability and Configuration Management

- A.8.8 is not just scanning or patching. - Vulnerability remediation should be risk-based and verified by retest. - Penetration testing supplements vulnerability management; it...

On this page

Memory cues

Control Cue
A.8.8 Management of Technical Vulnerabilities Find vulnerabilities, assess exposure, act, and verify closure
A.8.9 Configuration Management Define secure state, apply it, monitor drift, and review exceptions

Likely exam traps

  • A.8.8 is not just scanning or patching.
  • Vulnerability remediation should be risk-based and verified by retest.
  • Penetration testing supplements vulnerability management; it does not replace it.
  • A.8.9 is not asset inventory. It is secure configuration baseline management.
  • Configuration exceptions can be valid if risk-assessed and compensated.
  • Monitoring alerts are weak evidence unless they are triaged and resolved.

Quick comparison

Question A.8.8 A.8.9
Main concern Known technical vulnerabilities Approved secure configurations and drift
Evidence Advisories, scans, risk ratings, patch/change records, retests, exceptions Baselines, system mapping, compliance reports, deviation records, drift alerts
Common failure Scan reports with no treatment or retest Baselines exist but are not monitored or exceptions are informal
Audit method Follow finding from discovery to closure Compare system config to baseline and review deviations

Practical mentor takeaway

Exam lens

A.8.8 asks whether known weaknesses are found and treated. A.8.9 asks whether approved secure configuration is defined and maintained over time.

  • Iso27001
  • Exam
  • Technological controls
  • Vulnerability management
  • Configuration management

Note Metadata

Aliases: A.8.8 A.8.9 exam cues

Source: 09-Exam-Preparation/EXAM-030-Vulnerability-and-Configuration-Management.md