When to use this
Use this checklist during an internal audit of vulnerability intelligence, scanning, risk evaluation, remediation, patching, exceptions, and retesting.
Related controls
- A.8.8 Management of Technical Vulnerabilities
- A.8.8 Audit Evidence Pack
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Patch Testing and Rollback Checklist
- Vulnerability Exception and Risk Acceptance Record
Audit checklist
- Review vulnerability management procedure.
- Review vulnerability information sources.
- Review asset/scanning scope.
- Sample vulnerability scan reports.
- Check penetration testing approach for sensitive systems.
- Sample risk rating and prioritization.
- Sample patch/change records.
- Review patch testing and rollback evidence.
- Review retest evidence.
- Review exceptions and risk acceptance.
- Review vulnerability metrics or management reporting.
Findings table
| System/finding | Expected evidence | Observed evidence | Gap | Finding type | Action owner |
|---|---|---|---|---|---|
| TBD | TBD | TBD | TBD | NC / observation / conforming | TBD |
- Template
- Audit
- Iso27001
- A8 8
Note Metadata
Aliases: A.8.8 Vulnerability Management Audit Checklist
Source: 90 Templates/A.8.8 Audit Checklist.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Related Notes
- A.8.8 Audit Evidence Pack
- Audit Evidence MOC
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Audit Risk Mapping
- Patch Testing and Rollback Checklist
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- Vulnerability Register and Remediation Tracker
- Audit Evidence Index
- Templates MOC