Annex A 8.8 verified ISO/IEC 27001:2022
Management of Technical Vulnerabilities
Identify and address software vulnerabilities to prevent exploitation and security risks.
record_voice_over
Plain language
This control is about regularly checking for weaknesses in your computer systems and fixing them before they can be used to cause harm. If you ignore these vulnerabilities, hackers might exploit them to steal information or disrupt your operations.
01 — Overview
Framework
ISO/IEC 27001:2022
Control effect
Preventative
ISO 27001 domain
Technological controls
Classifications
N/A
Official last update
24 Oct 2022
Control Stack last updated
30 Mar 2026
Maturity levels
N/A
Official control statement
Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
verified ISO/IEC 27001:2022 Annex A 8.8
priority_high
Why it matters
Ignoring software vulnerabilities can lead to data breaches or service interruptions due to unpatched weaknesses in IT systems.
settings
Operational notes
Regularly update asset inventories and monitor for vendor vulnerability alerts to maintain security over time.
02 — Implement
build
Implementation tips
- The IT manager should create an up-to-date list of all software used in the organisation. Keep track of software versions and updates, and ensure someone is responsible for monitoring them.
- The cybersecurity team should use reliable tools to regularly scan for known weaknesses in your software. Choose tools that match the software you use, and scan consistently to detect vulnerabilities early.
-
Askvendors how they report vulnerabilities and ensure it''s included in their service agreement
- Authorised IT personnel should conduct planned vulnerability tests on systems to check for weak spots. Ensure these tests are documented and performed by trained individuals to avoid security issues.
- The security officer should develop a procedure for applying software updates promptly. Coordinate this with change management processes to minimise disruption and test updates before deployment.
03 — Audit
fact_check
Audit / evidence tips
-
AskRequest the asset inventory list detailing software and versions.
Look atCheck if the inventory includes software names, version numbers, and the responsible person per software.
GoodA comprehensive and current list showing all software in use, with clear responsibility assignments.
-
AskRequest records of vulnerability scans conducted.
Look atVerify the regularity and scope of scans and check for any big gaps between scans.
GoodConsistent and complete records showing regular scans with few gaps, covering all critical systems.
-
AskSee the procedure for managing purchased software vulnerabilities.
Look atReview the contract clauses about vendor responsibilities for vulnerability updates and disclosures.
GoodContracts include clear clauses that require vendors to inform you of vulnerabilities in a timely manner.
-
AskRequest documentation for vulnerability assessment and testing.
Look atCheck that tests are performed regularly and are conducted by qualified personnel.
GoodDocumentation showing routine, documented testing by trained personnel, following a set schedule.
-
AskExamine the process for applying and testing software updates.
Look atLook at how update timelines are set and how testing minimises disruption.
GoodA clear, documented process that timely implements and tests each update with minimal impact on operations.
04 — Mappings
link
Cross-framework mappings
How Annex A 8.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (18) expand_less | ||
| handshake Supports (5) expand_less | ||
ASD ISM
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (31) expand_less | ||
| ISM-0298 | ISM-0298 mandates centralised patch management with integrity and successful application verification | |
| ISM-1316 | ISM-1316 requires changing default wireless SSIDs to avoid insecure default configurations on access points | |
| ISM-1366 | ISM-1366 requires security updates to be applied to mobile devices as soon as they become available | |
| ISM-1501 | ISM-1501 requires operating systems that are no longer supported by vendors to be replaced | |
| ISM-1606 | ISM-1606 requires timely remediation of vulnerabilities by applying patches, updates or vendor mitigations to software-based isolation me... | |
| ISM-1622 | ISM-1622 requires a specific hardening configuration: PowerShell must use Constrained Language Mode | |
| ISM-1690 | ISM-1690 requires a specific patching outcome: apply non-critical patches for online services within two weeks when no working exploits e... | |
| ISM-1691 | ISM-1691 sets a specific, time-bound requirement to apply vendor patches/mitigations for vulnerabilities in common productivity and secur... | |
| ISM-1692 | ISM-1692 requires a specific, time-bound response: applying critical patches for defined application categories within 48 hours when vend... | |
| ISM-1693 | ISM-1693 requires a specific remediation action: applying patches/updates/vendor mitigations for certain applications within one month of... | |
| ISM-1694 | ISM-1694 requires a specific patching outcome: non-critical OS vulnerabilities on internet-facing servers and network devices are remedia... | |
| ISM-1695 | ISM-1695 requires organisations to apply OS security patches for non-internet-facing workstations, servers and network devices within one... | |
| ISM-1696 | ISM-1696 requires a specific technical vulnerability treatment outcome: applying critical OS patches within 48 hours for defined non-inte... | |
| ISM-1697 | ISM-1697 requires applying vendor-provided mitigations for non-critical driver vulnerabilities within one month where no working exploits... | |
| ISM-1698 | ISM-1698 requires organisations to use a vulnerability scanner at least daily to identify missing patches or updates for vulnerabilities ... | |
| ISM-1701 | ISM-1701 requires a specific operational practice: daily vulnerability scanning to find missing OS patches on internet-facing servers and... | |
| ISM-1702 | ISM-1702 requires a specific operational practice: running a vulnerability scanner at least fortnightly to identify missing operating sys... | |
| ISM-1703 | ISM-1703 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing patches or upda... | |
| ISM-1751 | ISM-1751 requires a specific patching outcome: non-critical vendor OS vulnerabilities (with no working exploits) on certain IT equipment ... | |
| ISM-1752 | ISM-1752 requires organisations to perform a specific, measurable activity: fortnightly vulnerability scanning to identify missing operat... | |
| ISM-1754 | ISM-1754 requires vulnerabilities identified in software to be resolved in a timely manner | |
| ISM-1808 | ISM-1808 requires a specific technical measure: using a vulnerability scanner with an up-to-date vulnerability database for scanning acti... | |
| ISM-1829 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), removing a known weak credential storage mechanism in ... | |
| ISM-1876 | ISM-1876 requires critical patches or vendor mitigations for online services to be applied within 48 hours when vendors rate vulnerabilit... | |
| ISM-1877 | ISM-1877 requires a specific remediation outcome: applying critical vendor patches/mitigations to internet-facing operating systems withi... | |
| ISM-1878 | ISM-1878 requires critical OS patches to be applied within 48 hours for certain categories of IT equipment when vendors rate vulnerabilit... | |
| ISM-1879 | ISM-1879 requires a specific, time-bound action: applying patches, updates or mitigations for critical driver vulnerabilities within 48 h... | |
| ISM-1900 | ISM-1900 requires a specific operational practice: using a vulnerability scanner at least fortnightly to identify missing firmware patche... | |
| ISM-1901 | ISM-1901 requires a specific vulnerability treatment action: applying non-critical patches within two weeks for a defined set of high-ris... | |
| ISM-1905 | ISM-1905 requires removal of vendor-unsupported online services to reduce risk from vulnerabilities that can no longer be remediated | |
| ISM-2054 | ISM-2054 requires that, where an SBOM exists for imported third-party software components, it is used during development to ensure those ... | |
| sync_alt Partially overlaps (7) expand_less | ||
| ISM-0912 | Annex A 8.8 requires organisations to manage security configuration in response to technical vulnerabilities by assessing exposure and ap... | |
| ISM-1163 | ISM-1163 requires continuous monitoring including regular vulnerability assessments | |
| ISM-1616 | ISM-1616 requires organisations to implement a vulnerability disclosure program so external and internal researchers can report product/s... | |
| ISM-1717 | Annex A 8.8 requires organisations to obtain information about technical vulnerabilities and take measures to reduce exposure | |
| ISM-1756 | Annex A 8.8 requires obtaining information on technical vulnerabilities, evaluating exposure, and taking appropriate measures to address ... | |
| ISM-1809 | ISM-1809 requires compensating controls to be implemented when unsupported applications, operating systems or devices cannot be removed o... | |
| ISM-1913 | ISM-1913 requires approved configurations for IT equipment to be developed, implemented and maintained | |
| handshake Supports (16) expand_less | ||
| ISM-0290 | ISM-0290 requires high assurance IT equipment to be configured and operated in an evaluated configuration following ASD guidance | |
| ISM-1143 | ISM-1143 requires organisations to develop and maintain patch management processes and procedures to ensure patches are applied in a cont... | |
| ISM-1211 | Annex A 8.8 requires organisations to evaluate exposure to technical vulnerabilities and apply appropriate measures, which often includes... | |
| ISM-1246 | Annex A 8.8 supports ISM-1246 by establishing governance to identify, assess, and treat technical vulnerabilities, which encourages apply... | |
| ISM-1424 | ISM-1424 requires web servers to be configured to emit protective response headers that reduce client-side attack surface and enforce sec... | |
| ISM-1483 | ISM-1483 requires internet-facing server applications to be kept on their latest release to address known vulnerabilities | |
| ISM-1605 | ISM-1605 requires hardening of the underlying operating system that hosts software-based isolation (e.g., hypervisor/host OS) to protect ... | |
| ISM-1634 | ISM-1634 requires system owners and authorising officers to select and tailor controls to achieve system-specific security and resilience... | |
| ISM-1643 | ISM-1643 requires maintaining registers of software versions and patch histories across applications, drivers, operating systems and firm... | |
| ISM-1659 | ISM-1659 requires organisations to implement Microsoft’s Vulnerable Driver Blocklist as a specific technical measure to reduce exposure t... | |
| ISM-1704 | ISM-1704 requires removing specific categories of unsupported software to reduce known and unpatched exposure | |
| ISM-1745 | ISM-1745 requires enabling defined security features (ELAM, Secure Boot, Trusted Boot and Measured Boot) to harden systems at startup | |
| ISM-1755 | ISM-1755 requires organisations to develop, implement and maintain a vulnerability disclosure policy for receiving and handling reported ... | |
| ISM-1848 | ISM-1848 demands replacement of unsupported server isolation or OS components to avoid vulnerabilities | |
| ISM-1931 | ISM-1931 necessitates SID Filtering to be enabled to mitigate the risk of privilege escalation across trust relationships | |
| ISM-1956 | ISM-1956 mandates scheduled and event-driven rotation of AD FS token-signing and encryption certificates to mitigate compromised federati... | |
| link Related (7) expand_less | ||
| ISM-0300 | Annex A 8.8 requires the organisation to obtain vulnerability information, assess exposure and apply appropriate treatments, including pa... | |
| ISM-1635 | ISM-1635 requires system owners to implement controls to protect systems and their environments | |
| ISM-1903 | Annex A 8.8 requires obtaining vulnerability information, evaluating exposure and applying mitigations such as patching to reduce risk | |
| ISM-1904 | Annex A 8.8 requires the organisation to obtain information on technical vulnerabilities, assess exposure, and take appropriate measures ... | |
| ISM-1914 | Annex A 8.8 requires obtaining vulnerability information, evaluating exposure and implementing measures including secure configuration of... | |
| ISM-1915 | Annex A 8.8 requires organisations to manage security configuration by identifying technical vulnerabilities, evaluating exposure and imp... | |
| ISM-1916 | Annex A 8.8 requires managing security configuration as part of reducing exposure to technical vulnerabilities | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.