Control 8.8 : Management of Technical Vulnerabilities
Summary
Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated, and appropriate measures should be taken.
Applicability
In-Scope: Mandatory for all organizations. Rapidly identifying and patching vulnerabilities is the primary defense against exploited software flaws and zero-day attacks.
Out-of-Scope: Never out-of-scope.
Implementation Guidance
Microsoft 365 / Entra ID
- Vulnerability Discovery: Use Microsoft Defender Vulnerability Management to continuously scan all managed endpoints for known software flaws and misconfigurations.
- Prioritization: Use the Security Recommendations dashboard to prioritize patches based on the severity of the vulnerability and the business value of the impacted asset.
- Remediation: Automate the deployment of security patches for Windows and common third-party applications using Microsoft Intune and Windows Update for Business.
Evidence Checklist
- Vulnerability Management Policy: A documented process defining the timelines for evaluating and patching critical vs. low-risk vulnerabilities.
- Scanning Reports: Evidence of regular vulnerability assessments showing the current exposure score.
- Patching Records: Logs from Intune or Defender proving that high-priority security updates were applied within the required timeframe.
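The prioritization rule under Implementation Guidance (severity times asset business value) and the time-to-patch evidence above can be checked mechanically against a scanner export. The following Python is an added example, not part of this control page or of any Microsoft tooling; it assumes a constructed findings export (placeholder CVE ids, an asset business value from 1 to 5) and an assumed policy of 14/30/90/180 days per severity band.

```python
from datetime import datetime, timedelta

# Assumed policy (not from the page): maximum time-to-patch per CVSS severity band.
SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}

def severity(cvss):
    """Map a CVSS v3 base score to the policy's severity band."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"

def check_sla(findings, now):
    """Rate each finding against its deadline and rank by severity x asset business value.

    A finding is 'met' or 'breached' once remediated, 'open' or 'overdue' while unpatched.
    """
    results = []
    for f in findings:
        sev = severity(f["cvss"])
        deadline = f["first_seen"] + timedelta(days=SLA_DAYS[sev])
        fixed = f.get("remediated")
        if fixed is not None:
            status = "met" if fixed <= deadline else "breached"
        else:
            status = "open" if now <= deadline else "overdue"
        results.append({"cve": f["cve"], "severity": sev, "status": status,
                        "deadline": deadline.date(),
                        # asset_value: 1 (low business value) .. 5 (critical asset)
                        "priority": f["cvss"] * f["asset_value"]})
    return sorted(results, key=lambda r: r["priority"], reverse=True)

def sla_summary(results):
    """Counts per status: the figure an auditor asks for as patching evidence."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts

# Constructed sample export with placeholder CVE ids; a real feed comes from the scanner.
SAMPLE_NOW = datetime(2024, 3, 1)
SAMPLE_FINDINGS = [
    {"cve": "CVE-XXXX-0001", "cvss": 9.8, "asset_value": 5,
     "first_seen": datetime(2024, 1, 1), "remediated": datetime(2024, 1, 10)},
    {"cve": "CVE-XXXX-0002", "cvss": 7.5, "asset_value": 2,
     "first_seen": datetime(2024, 1, 1), "remediated": datetime(2024, 2, 10)},
    {"cve": "CVE-XXXX-0003", "cvss": 5.0, "asset_value": 4, "first_seen": datetime(2024, 1, 1)},
    {"cve": "CVE-XXXX-0004", "cvss": 9.1, "asset_value": 1, "first_seen": datetime(2024, 1, 1)},
]
```

Running `check_sla(SAMPLE_FINDINGS, SAMPLE_NOW)` ranks the high-value critical finding first even though it is already patched, and flags the unpatched critical on a low-value asset as overdue; `sla_summary` turns the list into the per-status counts a patching record should show.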
Practical Audit Advice
Here are some questions the auditor might ask:
- What is the organization's maximum time-to-patch for a vulnerability with a Critical CVSS score?
- How do you identify vulnerabilities in legacy software or devices that do not support automated patching?
- What is the process for testing a security patch before it is deployed to the entire production environment?
- Can you demonstrate how you track and manage zero-day vulnerabilities for which no official patch has been released yet?