Viewer II

SOC Audit | Vulnerability Management

Do SOC or ISO audits require an organization to identify time to mitigate in their patching policies?
For example, 30 days for critical vulnerabilities, 60 days for high, etc.
If yes, is there a minimum acceptable time frame for a SOC auditor or for ISO 27001 compliance?

1 Solution

Accepted Solutions
Viewer

Re: SOC Audit | Vulnerability Management

For SOC 2 audits, the auditors usually measure whether you're mitigating vulnerabilities in accordance with your policy. However, the policy should be in alignment with industry best practice (NIST, CIS, etc.). If your policy states that you have two years to remediate a critical vulnerability, that would be an issue. The leading practice is typically 15-30 days for critical, 30-60 days for high, 60-90 days for medium, and aligned with the org's configuration management policy for low/informational.

2 Replies

Viewer II

Re: SOC Audit | Vulnerability Management

Thank you @Rick_Roach