Vulnerability scans verify patch state
Demonstrate that vulnerability scanning tools accurately identify missing patches and validate successful patch deployment across all in-scope systems.
Description
What this control does
This control validates that automated vulnerability scanning tools accurately detect and report the patch status of operating systems and applications across the organization's asset inventory. With credentialed or agent-based scans, the scanner reads installed package and software versions directly from the host and compares them against vulnerability databases and vendor security bulletins to identify missing patches, outdated software, and vulnerable configurations; unauthenticated scans can only infer versions from network-visible banners and behaviour, so they are a weaker source of truth for patch state. By cross-referencing scan results with patch management records and with the host's own installed-package data, the organization confirms that vulnerability assessments reliably inform remediation priorities and that deployed patches are correctly detected post-installation.
Control objective
What auditing this proves
Demonstrate that vulnerability scanning tools accurately identify missing patches and validate successful patch deployment across all in-scope systems.
Associated risks
Risks this control addresses
- Unpatched systems remain exploitable due to scanner misconfigurations or incomplete asset coverage, allowing attackers to exploit known vulnerabilities
- False negatives in vulnerability scans create a false sense of security, leaving critical systems exposed to documented CVEs
- Scanners fail to authenticate properly or lack necessary privileges, resulting in surface-level scans that miss installed patches or internal vulnerabilities
- Patch deployment verification fails because scanners do not re-scan systems post-remediation, allowing vulnerable configurations to persist undetected
- Outdated vulnerability feeds or scanner software prevent detection of newly disclosed vulnerabilities, creating a lag in threat awareness
- Credential rotation silently breaks scanner authentication, or network segmentation prevents scanners from reaching critical systems, creating blind spots in vulnerability visibility
- Discrepancies between patch management system records and actual system state go undetected, undermining compliance reporting and risk assessments
Testing procedure
How an auditor verifies this control
- Obtain the current vulnerability scanner configuration, including scan schedules, credential sets, target asset groups, and authenticated scan settings.
- Select a representative sample of systems across different asset types (servers, workstations, network devices) and operating systems from the most recent scan results.
- For each sampled system, compare vulnerability scan output against the organization's patch management database or change control records to verify consistency in reported patch levels.
- Manually inspect at least three sampled systems by directly querying installed software versions and patch states with native OS commands or inventory tools (for example dpkg-query or rpm -qa on Linux, Get-HotFix on Windows), and compare the result with what the scanner reported for the same host.
- Cross-reference identified vulnerabilities from scan reports with published CVE databases and vendor security advisories to confirm scanner accuracy and currency of vulnerability feeds.
- Review scanner authentication logs and scan completion reports to verify successful credential-based scans and identify any systems where authentication failed or scans were incomplete.
- Identify a recently patched system from patch management records, retrieve the corresponding pre-patch and post-patch vulnerability scan reports, confirm that the post-patch scan ran after the recorded installation time, and confirm the scanner detected the patch and cleared the associated vulnerability findings.
- Validate that scanner vulnerability feeds are updated automatically and review update logs for the past 90 days to confirm continuous synchronization with current threat intelligence.
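The reconciliation in steps 2, 3 and 6 above, as an added example that is not part of this page and not code from any scanner vendor. It takes three constructed inputs: a scanner export (the column names host, cve, package, fixed_version and authenticated are an assumption; real exports differ), per-host inventories in the shape dpkg-query prints on Debian-derived systems, and patch-management records of the version the patch system claims it deployed. Hostnames, CVE identifiers and package versions are made up. Each (host, CVE) pair is classified as confirmed (host vulnerable, scanner agrees), stale (host patched, scanner still reports it), missed (host vulnerable, scanner silent), or flagged because the scan was unauthenticated; hosts absent from the export are reported as a coverage gap. The version comparison is a simplified dpkg ordering; a real audit should use apt_pkg.version_compare or rpm.labelCompare.

```python
# Added example: reconcile scanner findings with host package state and patch
# records. Every input below is constructed; hostnames, CVEs and versions are made up.
import re

# Constructed scanner export, one finding per row (real exports carry more columns).
SCAN_EXPORT = """\
host,cve,package,fixed_version,authenticated
web01,CVE-2024-0001,openssl,3.0.2-0ubuntu1.15,yes
web01,CVE-2024-0002,curl,7.81.0-1ubuntu1.16,yes
db01,CVE-2024-0001,openssl,3.0.2-0ubuntu1.15,no
"""

# Constructed per-host inventory in the shape printed on each host by
# dpkg-query -W -f='${binary:Package}\t${Version}\n' (step 3, native OS query).
HOST_INVENTORY = {
    "web01": "openssl\t3.0.2-0ubuntu1.15\ncurl\t7.81.0-1ubuntu1.14\n",
    "db01": "openssl\t3.0.2-0ubuntu1.12\ncurl\t7.81.0-1ubuntu1.14\n",
    "app02": "openssl\t3.0.2-0ubuntu1.12\n",
}

# Constructed patch-management records: version the patch system claims it
# deployed (step 2, patch database against scanner and host).
PATCH_RECORDS = {
    ("web01", "openssl"): "3.0.2-0ubuntu1.15",
    ("db01", "openssl"): "3.0.2-0ubuntu1.15",
}

def _cmp_fragment(a, b):
    # Digit runs compare numerically, text runs lexically, left to right.
    # Simplified dpkg ordering (no '~' handling); use apt_pkg.version_compare
    # or rpm.labelCompare for a real audit.
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def compare_versions(a, b):
    """Return -1, 0 or 1 for Debian-style versions [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def parse_scan_export(text):
    header, *rows = text.strip().splitlines()
    return [dict(zip(header.split(","), row.split(","))) for row in rows]

def parse_inventory(text):
    return dict(line.split("\t") for line in text.splitlines() if line.strip())

def reconcile(scan_rows, inventories):
    """Classify each (host, CVE) by checking the scanner's claim against the host."""
    findings = {(r["host"], r["cve"]): r for r in scan_rows}
    fixes = {(r["cve"], r["package"]): r["fixed_version"] for r in scan_rows}
    scanned = {r["host"] for r in scan_rows}
    report = {k: [] for k in ("confirmed", "stale", "missed", "unauthenticated", "not_scanned")}
    for host, raw in inventories.items():
        if host not in scanned:
            report["not_scanned"].append(host)  # coverage gap, not a detection error
            continue
        installed = parse_inventory(raw)
        for (cve, pkg), fixed in fixes.items():
            if pkg not in installed:
                continue
            vulnerable = compare_versions(installed[pkg], fixed) < 0
            row = findings.get((host, cve))
            if row and row["authenticated"] != "yes":
                report["unauthenticated"].append((host, cve))  # surface-level scan, trust less
            if vulnerable and row:
                report["confirmed"].append((host, cve))
            elif vulnerable:
                report["missed"].append((host, cve))  # false negative: vulnerable, no finding
            elif row:
                report["stale"].append((host, cve))  # host patched, scanner still reports it
    return report

def patch_record_discrepancies(records, inventories):
    """Patch system claims version X deployed; flag hosts that do not agree."""
    out = []
    for (host, pkg), claimed in records.items():
        installed = parse_inventory(inventories.get(host, "")).get(pkg)
        if installed is None or compare_versions(installed, claimed) < 0:
            out.append((host, pkg, claimed, installed))
    return out

if __name__ == "__main__":
    for key, items in reconcile(parse_scan_export(SCAN_EXPORT), HOST_INVENTORY).items():
        print(f"{key:15s} {items}")
    print("patch record discrepancies:", patch_record_discrepancies(PATCH_RECORDS, HOST_INVENTORY))
```

A stale finding has two possible causes, and the auditor separates them with timestamps: if the scan predates the patch installation time it is expected, and the next scheduled scan should clear it; if the scan ran after installation, the scanner is failing to detect the patch on that host. A missed finding on a host whose scan was unauthenticated is the surface-level-scan failure mode from the associated risks, not evidence that the feed is out of date.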
Where this control is tested