SafiR
Newcomer I

SOC Audit | Vulnerability Management

Does SOC or ISO audits require an organization to identify time to mitigate in their patching policies?
For example, 30 days for critical vulnerabilities, 60 days for high, etc.
If yes, is there a minimum acceptable time frame for a SOC auditor or for ISO27001 compliance?

2 Replies
Rick_Roach
Viewer

For SOC2 audits, the auditors usually measure if you're mitigating vulnerabilities in accordance with your policy. However, policy should be in alignment with industry best practice (NIST, CIS, etc.). If your policy states that you have two years to remediate a critical vulnerability, that would be an issue. The leading practice is typically 15-30 days for critical, 30-60 days for high, 60-90 days for medium, and aligned with the organization's configuration management policy for low/informational.

SafiR
Newcomer I

Thank you @Rick_Roach