Do SOC or ISO audits require an organization to identify time to mitigate in their patching policies? For example, 30 days for critical vulnerabilities, 60 days for high, etc. If yes, is there a minimum acceptable time frame for a SOC auditor or for ISO 27001 compliance?
For SOC 2 audits, the auditors usually measure whether you're mitigating vulnerabilities in accordance with your policy. However, the policy should be in alignment with industry best practice (NIST, CIS, etc.). If your policy states that you have two years to remediate a critical vulnerability, that would be an issue. The leading practice is typically 15-30 days for critical, 30-60 days for high, 60-90 days for medium, and aligned with the org's configuration management policy for low/informational.