
Purpose of ISO 27001:2022 Annex A 8.8

No computer network, system, piece of software, or device is entirely secure. Operating a modern LAN or WAN inevitably involves vulnerabilities, so organisations must accept that they exist and work systematically to reduce the risk they pose.

ISO 27001:2022 Annex A 8.8 provides a wealth of advice to help organisations protect their networks against internal and external exploitation of vulnerabilities. It draws on procedures and guidelines from several other ISO 27001:2022 Annex A controls, particularly those for Change Management (see Annex A 8.32) and Access Control (see Annex A 5.15).

Ownership of Annex A 8.8

ISO 27001:2022 Annex A 8.8 addresses technical and administrative management of software, systems, and ICT assets. It prescribes a comprehensive approach for software management, asset management, and network security auditing.

The individual who holds ultimate responsibility for the upkeep of the organisation’s ICT infrastructure, such as the Head of IT or equivalent, should be the owner of ISO 27001:2022 Annex A 8.8.








Guidance on Identifying Vulnerabilities

Before carrying out vulnerability controls, it is essential to acquire a comprehensive and current list of physical and digital assets (refer to Annex A 5.9 and 5.14) owned and operated by the organisation.

Software asset data should comprise:

  • Version numbers currently in operation.
  • Where the software is deployed across the estate.
  • Vendor name.
  • Application name.

Organisations should strive to identify technical vulnerabilities by:

  • Clearly defining who in the organisation is accountable for vulnerability management from a technical point of view and for its various functions, including (but not limited to) who within the organisation is responsible for each piece of software.
  • Keeping a record of the applications and tools used to identify technical weaknesses.
  • Requiring suppliers and vendors to disclose any known vulnerabilities in new systems and hardware when supplying them (as per Annex A 5.20 of ISO 27001:2022), and stating this requirement explicitly in all applicable contracts and service agreements.
  • Employing vulnerability scanning tools and patching facilities.
  • Performing periodic, documented penetration tests, conducted either by internal staff or by a suitably qualified third party.
  • Being aware of the potential for underlying programmatic vulnerabilities when using third-party code libraries or source code (refer to ISO 27001:2022 Annex A 8.28).







Guidance on Public Activities

Organisations that supply products or services should establish policies and procedures for detecting vulnerabilities in those products and services, and for receiving and assessing vulnerability reports relating to what they supply.

ISO advises organisations to take active steps to identify vulnerabilities, and to motivate third parties to participate in vulnerability management activities by offering bug bounty programmes (where potential exploits are sought out and reported to the organisation in exchange for a reward).

Organisations should make themselves reachable by the public, for example through forums, a published security contact email address, and engagement with the research community, so that they can harness the collective knowledge of the public to protect their products and services.

Organisations should review any remedial action taken, and consider releasing relevant information to affected individuals or organisations. Moreover, they should engage with specialist security organisations to spread knowledge of vulnerabilities and attack vectors.

Organisations should think about providing an optional automated update system that customers can choose to use or not, according to their business requirements.

Guidance on Evaluating Vulnerabilities

Accurate reporting is essential for ensuring prompt and effective corrective action when security risks are detected.

Organisations should assess vulnerabilities by:

  • Examining the reports thoroughly and determining what action is necessary, such as modifying, updating, or decommissioning the affected systems and/or equipment.
  • Reaching a decision that takes account of the assessed level of risk and of related Annex A controls (for example change management and incident response).

Guidance on Counteracting Software Vulnerabilities

Software vulnerabilities can be effectively tackled using a proactive approach to software updates and patch management. Ensuring regular updates and patches can help protect your system from potential threats.

Organisations should retain a copy of the existing software version before making any modifications, test all modifications thoroughly, and apply them first to a designated test copy of the software rather than directly to production.

Once vulnerabilities are identified, organisations should take action to address them:

  • Aim to fix all security weaknesses swiftly and effectively.
  • Where feasible, follow the organisation's protocols on Change Management (see ISO 27001:2022 Annex A 8.32) and Incident Handling (see ISO 27001:2022 Annex A 5.26).
  • Only apply patches and updates from legitimate, trusted sources, especially for third-party vendor software and equipment:
    • Organisations should decide, based on the information available, whether automatic updates (or parts of them) should be applied to purchased software and hardware.
  • Test any update before installing it, to prevent unanticipated problems in the live environment.
  • Give top priority to high-risk and vital business systems.
  • Verify that remediation was effective, for example by rescanning the affected systems rather than relying on the patch having been applied.

Where no update is available, or there are obstacles to installing one (e.g. cost), organisations should consider other measures, such as:

  • Requesting guidance from the vendor on a temporary workaround while remedial efforts are intensified.
  • Turning off any network services affected by the vulnerability.
  • Implementing security controls at key gateways, such as traffic rules and filters, to protect the network.
  • Stepping up monitoring in proportion to the associated risk.
  • Making sure all concerned parties are aware of the flaw, including vendors and purchasers.
  • Delaying the update and evaluating the risks, paying particular attention to any potential operational costs.
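The inventory-driven process described under "Guidance on Identifying Vulnerabilities" (vendor, application and version per asset, matched against advisories) and the prioritisation and verification steps in this section can be shown end to end in a short script. The example below is added to this page and is not code from ISMS.online or from ISO; every asset, advisory, product name and criticality rating in it is constructed for illustration (hypothetical "Acme" products and "ADV-" identifiers, not real CVEs). It also shows one edge case a practitioner cares about: versions must be compared numerically, because a plain string comparison ranks "1.10.0" below "1.9.0" and silently misses affected installs.

```python
"""Inventory-driven vulnerability identification, prioritisation and
verification. Illustrative example added to this page; not code from
ISMS.online or from ISO. Every asset, advisory and criticality rating
below is constructed for the example (hypothetical products, not real CVEs)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the software asset inventory (Annex A 5.9 data)."""
    host: str
    vendor: str
    application: str
    version: str
    criticality: int  # 1 (lab/dev) .. 5 (vital business system); constructed rating


@dataclass(frozen=True)
class Advisory:
    """A vendor or vulnerability-feed notice: affected version range and severity."""
    advisory_id: str  # hypothetical identifiers, not real CVE numbers
    vendor: str
    application: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" if no fix is available yet
    severity: float   # CVSS-style base score, 0.0 to 10.0


def parse_version(v: str) -> tuple:
    """Turn '1.10.0' into (1, 10, 0). Plain string comparison would rank
    '1.10.0' below '1.9.0' and silently miss affected installs."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '14.2' to (14, 2, 0)


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Match on vendor + application, then check introduced <= version < fixed."""
    if (asset.vendor.lower(), asset.application.lower()) != (adv.vendor.lower(), adv.application.lower()):
        return False
    v = parse_version(asset.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def find_affected(assets, advisories):
    """Every (asset, advisory) pair where the installed version is in the affected range."""
    return [(a, adv) for a in assets for adv in advisories if is_affected(a, adv)]


def priority(asset: Asset, adv: Advisory) -> float:
    """Severity weighted by asset criticality: a medium flaw on a vital system
    can outrank a high one on a lab box, which is what 'prioritise vital
    business systems' means in practice."""
    return round(adv.severity * asset.criticality, 1)


def remediation_plan(assets, advisories):
    """Ordered work list of (host, advisory id, priority), highest priority first."""
    findings = find_affected(assets, advisories)
    ranked = sorted(findings, key=lambda f: priority(*f), reverse=True)
    return [(a.host, adv.advisory_id, priority(a, adv)) for a, adv in ranked]


def apply_patch(assets, host, application, new_version):
    """Model the change-managed update as a new inventory with the version bumped."""
    return [Asset(a.host, a.vendor, a.application, new_version, a.criticality)
            if a.host == host and a.application == application else a
            for a in assets]


def verify_remediation(assets_after, advisories, host, advisory_id) -> bool:
    """The 'rescan': the fix only counts if the finding no longer reproduces."""
    return not any(a.host == host and adv.advisory_id == advisory_id
                   for a, adv in find_affected(assets_after, advisories))


# Constructed sample inventory and advisory feed (not real products or CVEs).
INVENTORY = [
    Asset("web-01", "Acme", "webfront", "2.4.49", 5),
    Asset("lab-07", "Acme", "webfront", "2.4.49", 1),
    Asset("web-02", "Acme", "webfront", "2.4.58", 5),
    Asset("db-01", "Acme", "dbcore", "14.2", 5),
    Asset("proxy-01", "Acme", "proxy", "1.10.0", 3),
]
ADVISORIES = [
    Advisory("ADV-0001", "Acme", "webfront", "2.4.0", "2.4.50", 9.8),
    Advisory("ADV-0002", "Acme", "dbcore", "14.0", "14.3", 5.3),
    Advisory("ADV-0003", "Acme", "proxy", "1.9.0", "1.10.1", 7.5),
]

if __name__ == "__main__":
    for host, adv_id, score in remediation_plan(INVENTORY, ADVISORIES):
        print(f"{score:5.1f}  {host:9s} {adv_id}")
    patched = apply_patch(INVENTORY, "web-01", "webfront", "2.4.50")
    print("web-01 ADV-0001 remediated:",
          verify_remediation(patched, ADVISORIES, "web-01", "ADV-0001"))
```

In the sample data the medium-severity database finding on a critical host (db-01) ranks above the high-severity proxy finding on a moderately important host, and web-02, which already runs a fixed version, produces no finding at all. The `verify_remediation` call is the step the bullet "verify that remediation was effective" refers to: it re-runs identification against the updated inventory instead of trusting that the patch job ran.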

Accompanying Annex A Controls

  • ISO 27001:2022 Annex A 5.14
  • ISO 27001:2022 Annex A 5.20
  • ISO 27001:2022 Annex A 5.9
  • ISO 27001:2022 Annex A 8.20
  • ISO 27001:2022 Annex A 8.22
  • ISO 27001:2022 Annex A 8.28







Supplementary Guidance on Annex A 8.8

Organisations should maintain an audit trail of all pertinent vulnerability management activities, both to support corrective action and to improve procedures in the event of a security breach.

Periodically assessing and reviewing the entire vulnerability management process improves its effectiveness and helps identify gaps in it before they are exploited.

If the organisation uses a cloud service provider, it should ensure the provider's approach to vulnerability management is compatible with its own, and that approach, including any reporting procedures, should be included in the binding service agreement between the two parties (see ISO 27001:2022 Annex A 5.23).

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.8 supersedes two Annex A controls from ISO 27001:2013:

  • 12.6.1 – Management of technical vulnerabilities
  • 18.2.3 – Technical compliance review

ISO 27001:2022 Annex A 8.8 takes a new, distinct approach to vulnerability management that differs from the one found in ISO 27001:2013. It is a noteworthy divergence from the prior standard.

ISO 27001:2013 Annex A 12.6.1 mainly focused on putting corrective measures in place once a vulnerability is detected, whereas Annex A 18.2.3 only applies to technical means (largely penetration testing).

ISO 27001:2022 Annex A 8.8 introduces new sections dealing with an organisation’s public responsibilities, methods for recognising vulnerabilities, and the part cloud providers play in keeping vulnerabilities at a minimum.

ISO 27001:2022 places strong emphasis on the role of vulnerability management in other areas (such as change management) and encourages taking a holistic approach, incorporating several other controls and information security processes.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

ISO 27001:2022 Organisational Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Organisational Controls | Annex A 5.1 | Annex A 5.1.1, Annex A 5.1.2 | Policies for Information Security
Organisational Controls | Annex A 5.2 | Annex A 6.1.1 | Information Security Roles and Responsibilities
Organisational Controls | Annex A 5.3 | Annex A 6.1.2 | Segregation of Duties
Organisational Controls | Annex A 5.4 | Annex A 7.2.1 | Management Responsibilities
Organisational Controls | Annex A 5.5 | Annex A 6.1.3 | Contact With Authorities
Organisational Controls | Annex A 5.6 | Annex A 6.1.4 | Contact With Special Interest Groups
Organisational Controls | Annex A 5.7 | NEW | Threat Intelligence
Organisational Controls | Annex A 5.8 | Annex A 6.1.5, Annex A 14.1.1 | Information Security in Project Management
Organisational Controls | Annex A 5.9 | Annex A 8.1.1, Annex A 8.1.2 | Inventory of Information and Other Associated Assets
Organisational Controls | Annex A 5.10 | Annex A 8.1.3, Annex A 8.2.3 | Acceptable Use of Information and Other Associated Assets
Organisational Controls | Annex A 5.11 | Annex A 8.1.4 | Return of Assets
Organisational Controls | Annex A 5.12 | Annex A 8.2.1 | Classification of Information
Organisational Controls | Annex A 5.13 | Annex A 8.2.2 | Labelling of Information
Organisational Controls | Annex A 5.14 | Annex A 13.2.1, Annex A 13.2.2, Annex A 13.2.3 | Information Transfer
Organisational Controls | Annex A 5.15 | Annex A 9.1.1, Annex A 9.1.2 | Access Control
Organisational Controls | Annex A 5.16 | Annex A 9.2.1 | Identity Management
Organisational Controls | Annex A 5.17 | Annex A 9.2.4, Annex A 9.3.1, Annex A 9.4.3 | Authentication Information
Organisational Controls | Annex A 5.18 | Annex A 9.2.2, Annex A 9.2.5, Annex A 9.2.6 | Access Rights
Organisational Controls | Annex A 5.19 | Annex A 15.1.1 | Information Security in Supplier Relationships
Organisational Controls | Annex A 5.20 | Annex A 15.1.2 | Addressing Information Security Within Supplier Agreements
Organisational Controls | Annex A 5.21 | Annex A 15.1.3 | Managing Information Security in the ICT Supply Chain
Organisational Controls | Annex A 5.22 | Annex A 15.2.1, Annex A 15.2.2 | Monitoring, Review and Change Management of Supplier Services
Organisational Controls | Annex A 5.23 | NEW | Information Security for Use of Cloud Services
Organisational Controls | Annex A 5.24 | Annex A 16.1.1 | Information Security Incident Management Planning and Preparation
Organisational Controls | Annex A 5.25 | Annex A 16.1.4 | Assessment and Decision on Information Security Events
Organisational Controls | Annex A 5.26 | Annex A 16.1.5 | Response to Information Security Incidents
Organisational Controls | Annex A 5.27 | Annex A 16.1.6 | Learning From Information Security Incidents
Organisational Controls | Annex A 5.28 | Annex A 16.1.7 | Collection of Evidence
Organisational Controls | Annex A 5.29 | Annex A 17.1.1, Annex A 17.1.2, Annex A 17.1.3 | Information Security During Disruption
Organisational Controls | Annex A 5.30 | NEW | ICT Readiness for Business Continuity
Organisational Controls | Annex A 5.31 | Annex A 18.1.1, Annex A 18.1.5 | Legal, Statutory, Regulatory and Contractual Requirements
Organisational Controls | Annex A 5.32 | Annex A 18.1.2 | Intellectual Property Rights
Organisational Controls | Annex A 5.33 | Annex A 18.1.3 | Protection of Records
Organisational Controls | Annex A 5.34 | Annex A 18.1.4 | Privacy and Protection of PII
Organisational Controls | Annex A 5.35 | Annex A 18.2.1 | Independent Review of Information Security
Organisational Controls | Annex A 5.36 | Annex A 18.2.2, Annex A 18.2.3 | Compliance With Policies, Rules and Standards for Information Security
Organisational Controls | Annex A 5.37 | Annex A 12.1.1 | Documented Operating Procedures
ISO 27001:2022 People Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
People Controls | Annex A 6.1 | Annex A 7.1.1 | Screening
People Controls | Annex A 6.2 | Annex A 7.1.2 | Terms and Conditions of Employment
People Controls | Annex A 6.3 | Annex A 7.2.2 | Information Security Awareness, Education and Training
People Controls | Annex A 6.4 | Annex A 7.2.3 | Disciplinary Process
People Controls | Annex A 6.5 | Annex A 7.3.1 | Responsibilities After Termination or Change of Employment
People Controls | Annex A 6.6 | Annex A 13.2.4 | Confidentiality or Non-Disclosure Agreements
People Controls | Annex A 6.7 | Annex A 6.2.2 | Remote Working
People Controls | Annex A 6.8 | Annex A 16.1.2, Annex A 16.1.3 | Information Security Event Reporting
ISO 27001:2022 Physical Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Physical Controls | Annex A 7.1 | Annex A 11.1.1 | Physical Security Perimeters
Physical Controls | Annex A 7.2 | Annex A 11.1.2, Annex A 11.1.6 | Physical Entry
Physical Controls | Annex A 7.3 | Annex A 11.1.3 | Securing Offices, Rooms and Facilities
Physical Controls | Annex A 7.4 | NEW | Physical Security Monitoring
Physical Controls | Annex A 7.5 | Annex A 11.1.4 | Protecting Against Physical and Environmental Threats
Physical Controls | Annex A 7.6 | Annex A 11.1.5 | Working In Secure Areas
Physical Controls | Annex A 7.7 | Annex A 11.2.9 | Clear Desk and Clear Screen
Physical Controls | Annex A 7.8 | Annex A 11.2.1 | Equipment Siting and Protection
Physical Controls | Annex A 7.9 | Annex A 11.2.6 | Security of Assets Off-Premises
Physical Controls | Annex A 7.10 | Annex A 8.3.1, Annex A 8.3.2, Annex A 8.3.3, Annex A 11.2.5 | Storage Media
Physical Controls | Annex A 7.11 | Annex A 11.2.2 | Supporting Utilities
Physical Controls | Annex A 7.12 | Annex A 11.2.3 | Cabling Security
Physical Controls | Annex A 7.13 | Annex A 11.2.4 | Equipment Maintenance
Physical Controls | Annex A 7.14 | Annex A 11.2.7 | Secure Disposal or Re-Use of Equipment
ISO 27001:2022 Technological Controls
Annex A Control Type | ISO/IEC 27001:2022 Annex A Identifier | ISO/IEC 27001:2013 Annex A Identifier | Annex A Name
Technological Controls | Annex A 8.1 | Annex A 6.2.1, Annex A 11.2.8 | User Endpoint Devices
Technological Controls | Annex A 8.2 | Annex A 9.2.3 | Privileged Access Rights
Technological Controls | Annex A 8.3 | Annex A 9.4.1 | Information Access Restriction
Technological Controls | Annex A 8.4 | Annex A 9.4.5 | Access to Source Code
Technological Controls | Annex A 8.5 | Annex A 9.4.2 | Secure Authentication
Technological Controls | Annex A 8.6 | Annex A 12.1.3 | Capacity Management
Technological Controls | Annex A 8.7 | Annex A 12.2.1 | Protection Against Malware
Technological Controls | Annex A 8.8 | Annex A 12.6.1, Annex A 18.2.3 | Management of Technical Vulnerabilities
Technological Controls | Annex A 8.9 | NEW | Configuration Management
Technological Controls | Annex A 8.10 | NEW | Information Deletion
Technological Controls | Annex A 8.11 | NEW | Data Masking
Technological Controls | Annex A 8.12 | NEW | Data Leakage Prevention
Technological Controls | Annex A 8.13 | Annex A 12.3.1 | Information Backup
Technological Controls | Annex A 8.14 | Annex A 17.2.1 | Redundancy of Information Processing Facilities
Technological Controls | Annex A 8.15 | Annex A 12.4.1, Annex A 12.4.2, Annex A 12.4.3 | Logging
Technological Controls | Annex A 8.16 | NEW | Monitoring Activities
Technological Controls | Annex A 8.17 | Annex A 12.4.4 | Clock Synchronization
Technological Controls | Annex A 8.18 | Annex A 9.4.4 | Use of Privileged Utility Programs
Technological Controls | Annex A 8.19 | Annex A 12.5.1, Annex A 12.6.2 | Installation of Software on Operational Systems
Technological Controls | Annex A 8.20 | Annex A 13.1.1 | Networks Security
Technological Controls | Annex A 8.21 | Annex A 13.1.2 | Security of Network Services
Technological Controls | Annex A 8.22 | Annex A 13.1.3 | Segregation of Networks
Technological Controls | Annex A 8.23 | NEW | Web Filtering
Technological Controls | Annex A 8.24 | Annex A 10.1.1, Annex A 10.1.2 | Use of Cryptography
Technological Controls | Annex A 8.25 | Annex A 14.2.1 | Secure Development Life Cycle
Technological Controls | Annex A 8.26 | Annex A 14.1.2, Annex A 14.1.3 | Application Security Requirements
Technological Controls | Annex A 8.27 | Annex A 14.2.5 | Secure System Architecture and Engineering Principles
Technological Controls | Annex A 8.28 | NEW | Secure Coding
Technological Controls | Annex A 8.29 | Annex A 14.2.8, Annex A 14.2.9 | Security Testing in Development and Acceptance
Technological Controls | Annex A 8.30 | Annex A 14.2.7 | Outsourced Development
Technological Controls | Annex A 8.31 | Annex A 12.1.4, Annex A 14.2.6 | Separation of Development, Test and Production Environments
Technological Controls | Annex A 8.32 | Annex A 12.1.2, Annex A 14.2.2, Annex A 14.2.3, Annex A 14.2.4 | Change Management
Technological Controls | Annex A 8.33 | Annex A 14.3.1 | Test Information
Technological Controls | Annex A 8.34 | Annex A 12.7.1 | Protection of Information Systems During Audit Testing



Sam Peters

Sam is Chief Product Officer at ISMS.online and leads the development on all product features and functionality. Sam is an expert in many areas of compliance and works with clients on any bespoke or large-scale projects.
