A.8.8 — Is technical vulnerability management mature: scanning, prioritisation, SLAs, patching cadence?
Demonstrate that the organization operates a mature vulnerability management program with defined scanning coverage, risk-based prioritization methodology, documented remediation SLAs tied to severity levels, and consistent patching execution.
Description
What this control does
Technical vulnerability management is a systematic process for identifying, assessing, prioritizing, and remediating security vulnerabilities across IT assets. It encompasses automated vulnerability scanning, risk-based prioritization using scoring systems (CVSS, EPSS), defined service level agreements for remediation timelines based on severity, and coordinated patch deployment cadences. Effective programs integrate vulnerability data with asset inventories, track remediation progress through closure, and continuously improve based on metrics and threat intelligence.
Control objective
What auditing this proves
Demonstrate that the organization operates a mature vulnerability management program with defined scanning coverage, risk-based prioritization methodology, documented remediation SLAs tied to severity levels, and consistent patching execution.
Associated risks
Risks this control addresses
- Exploitation of unpatched critical vulnerabilities by threat actors leading to unauthorized system access or data breach
- Zero-day or n-day exploits targeting known vulnerabilities that remain unpatched beyond acceptable timeframes
- Incomplete asset visibility resulting in unscanned systems harboring exploitable weaknesses
- Ineffective prioritization causing remediation resources to address low-risk issues while critical vulnerabilities persist
- Missed SLA deadlines enabling attacker dwell time sufficient for lateral movement or data exfiltration
- Operational disruption from uncoordinated emergency patching following active exploitation announcements
- Compliance violations and regulatory penalties due to failure to remediate vulnerabilities within mandated timeframes
Testing procedure
How an auditor verifies this control
- Obtain and review the vulnerability management policy, procedure documentation, and remediation SLA definitions to understand the documented program structure and timelines.
- Request the current asset inventory and compare it against scanning tool configurations to verify coverage across all in-scope systems, networks, applications, and cloud environments.
- Export vulnerability scan results from the past 90 days and verify scanning frequency meets policy requirements for different asset classes (e.g., weekly for critical systems, monthly for non-critical).
- Select a sample of 15-20 vulnerabilities across severity levels (critical, high, medium, low) discovered within the review period and trace each through prioritization, assignment, remediation, and validation workflows.
- Review the prioritization methodology documentation and verify it incorporates CVSS scores, exploitability metrics, asset criticality, threat intelligence, and compensating controls in risk assessments.
- Compare actual remediation completion dates against defined SLAs for the sampled vulnerabilities to calculate adherence rates and identify any breaches with documented exception approvals.
- Examine patch management records for the past quarter to verify scheduled patching cadences occur as defined and emergency patching procedures exist for zero-day or actively exploited vulnerabilities.
- Interview vulnerability management staff to assess process maturity, tool integration with CMDB/asset management systems, metrics reporting to leadership, and continuous improvement mechanisms.