Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SafiR
Newcomer I
‎03-07-2019 04:42 PM
‎03-07-2019 04:42 PM

SOC Audit | Vulnerability Management

Does SOC or ISO audits require an organization to identify time to mitigate in their patching policies?
For example, 30 day for critical vulnerabilities, 60 days for high....etc.
If yes, is there a minimum acceptable time frame for a SOC auditor or for ISO27001 compliance?

Reply
0 Kudos
2 Replies
Rick_Roach
Viewer
‎03-08-2019 11:21 AM
‎03-08-2019 11:21 AM

For SOC2 audits, the auditors usually measure if you're mitigating vulnerabilities in accordance with your policy. However, policy should be in alignment with industry best practice (NIST, CIS, etc.). If your policy states that you have two years to remediate a critical vulnerability, that would be an issue. The leading practice is typically 15-30 days for critical, 30-60 days for high, 60-90 days for medium, and aligned with org's configuration management policy for low/informational.

Reply
SafiR
Newcomer I
‎03-08-2019 01:37 PM
‎03-08-2019 01:37 PM

Thank you @Rick_Roach 

Reply
0 Kudos