ISO 27001:2022 introduced a completely restructured Annex A, reducing 114 controls to 93 and adding 11 new controls. Control A.8.8 โ "Management of technical vulnerabilities" โ is one of the most consistently tested controls in certification audits because it requires demonstrable operational practice, not just a written policy.
This guide explains what A.8.8 requires, how auditors assess it, and the specific evidence you need to produce to pass a certification or surveillance audit without findings.
What ISO 27001 A.8.8 actually requires
The full control text reads: "Information about technical vulnerabilities of information systems in use should be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk."
The supporting ISO 27002:2022 guidance (which auditors use to interpret A.8.8) breaks this into five operational requirements:
Inventory and discovery
Maintain a complete, accurate inventory of software components, versions, and configurations. You cannot assess vulnerabilities for assets you do not know exist. ISO 27002 explicitly mentions that this includes cloud services and open-source components.
Timely intelligence gathering
Subscribe to vendor security bulletins, CVE feeds, and threat intelligence sources relevant to your technology stack. "Timely" is interpreted by auditors as automated, continuous monitoring โ not manual checking.
Risk assessment per finding
Each identified vulnerability must be assessed for risk in your specific context. A CVSS score alone is insufficient. You must consider asset criticality, exposure, compensating controls, and business impact.
Remediation with defined timelines
Document and apply SLAs for remediation based on risk rating. Where immediate remediation is not possible, document a compensating control or formal risk acceptance with a named approver and review date.
Audit trail and reporting
Maintain records of all identified vulnerabilities, assessments, remediation actions, and risk decisions. Auditors will sample these records. The trail must demonstrate continuous operation, not just activity before the audit.
How auditors test A.8.8
ISO 27001 auditors are required to verify that controls are not just documented but operationally effective. For A.8.8, expect the auditor to request and review:
Vulnerability management policy
Must define scope, roles, scanning frequency, SLA tiers, and escalation procedures. Must be approved by management and reviewed at least annually.
Evidence of recent scanning
Scan reports from the past 3โ6 months showing coverage of in-scope systems. Auditors may check timestamps to verify continuous operation.
Open and closed finding records
A sample of vulnerabilities found, risk-assessed, remediated (or risk-accepted), and closed. Auditors will trace 5โ10 items end-to-end.
SLA compliance metrics
What percentage of findings were remediated within policy SLAs? Auditors expect a target and will flag persistent SLA breaches as findings.
Risk acceptance records
Any vulnerability not remediated within SLA must have a documented risk acceptance: description, residual risk, approver, compensating controls, and review date.
Evidence of intelligence subscriptions
Show that your organisation is actively receiving and acting on CVE/vendor advisory feeds โ not passively waiting for vulnerabilities to be discovered.
Most common A.8.8 non-conformities
Incomplete asset coverage
Scanner configured for core servers but missing SaaS applications, cloud workloads, or developer laptops.
No SLAs defined or measured
Policy says "critical vulnerabilities are patched promptly" with no numeric target. Auditors treat this as a gap.
Risk acceptance not documented
Vulnerabilities left open with no formal acceptance, no approver named, and no compensating controls recorded.
Stale scan data
Last scan was 6 months ago. Policy says monthly scanning. Surveillance auditor notes the discrepancy as a non-conformity.
Open-source / third-party gap
Application vulnerability scanning covers custom code but not the 200+ open-source libraries in the dependency tree.
Audit evidence checklist
Common questions
Is A.8.8 a mandatory control or can it be excluded?
In ISO 27001:2022, all Annex A controls are mandatory unless a Statement of Applicability (SoA) formally excludes them with documented justification. It is extremely difficult to justify excluding A.8.8 for any organisation that operates IT systems โ auditors will challenge any such exclusion.
How often does A.8.8 require vulnerability scanning?
The standard does not specify a frequency. ISO 27002 guidance says "timely" โ which auditors interpret as continuous or at minimum monthly for critical systems. Quarterly scanning typically results in a finding at certification stage.
Does A.8.8 cover cloud infrastructure?
Yes. ISO 27002:2022 guidance explicitly includes cloud services and IaaS/PaaS/SaaS components as in scope for A.8.8. Your ISMS scope definition and asset inventory must reflect this.
How does Centraleyezer help with A.8.8 evidence?
Centraleyezer maintains continuous, timestamped vulnerability records; SLA tracking; risk acceptance registers; and exports of the vulnerability evidence ISO 27001 auditors expect for A.8.8 โ your ISMS team uses these as inputs into the certification documentation.