https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19919#M947 <P>Thank you <a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/636057953">@Rick_Roach</a>&nbsp;</P> Fri, 08 Mar 2019 18:37:48 GMT SafiR 2019-03-08T18:37:48Z https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19897#M943 <P>Does SOC or ISO audits require an organization to identify time to mitigate in their patching policies?<BR />For example, 30 day for critical vulnerabilities, 60 days for high....etc.<BR />If yes, is there a minimum acceptable time frame for a SOC auditor or for ISO27001 compliance?</P> Thu, 07 Mar 2019 22:21:52 GMT https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19897#M943 SafiR 2019-03-07T22:21:52Z https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19916#M945 <P>For SOC2 audits, the auditors usually measure if you're mitigating vulnerabilities in accordance with your policy. However, policy should be in alignment with industry best practice (NIST, CIS, etc.). If your policy states that you have two years to remediate a critical vulnerability, that would be an issue. The leading practice is typically 15-30 days for critical, 30-60 days for high, 60-90 days for medium, and aligned with org's configuration management policy for low/informational.</P> Fri, 08 Mar 2019 16:21:00 GMT https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19916#M945 Rick_Roach 2019-03-08T16:21:00Z https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19919#M947 <P>Thank you <a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/636057953">@Rick_Roach</a>&nbsp;</P> Fri, 08 Mar 2019 18:37:48 GMT https://community.isc2.org/t5/Tech-Talk/SOC-Audit-Vulnerability-Management/m-p/19919#M947 SafiR 2019-03-08T18:37:48Z