Control attributes: Technological | Preventive | Identify, Protect | High Priority

A.8.8 Management of Technical Vulnerabilities

M365 Admin Path: Microsoft 365 Defender (security.microsoft.com) > Vulnerability management > Dashboard; Microsoft Intune admin center > Devices > Monitor > Windows updates

Evidence Source: Microsoft Graph - Defender Vulnerability Management

What is A.8.8 Management of Technical Vulnerabilities?

Implementing ISO 27001 control A.8.8 Management of Technical Vulnerabilities in Microsoft 365 means continuous, near-real-time vulnerability management using Microsoft Defender Threat and Vulnerability Management, Microsoft Secure Score, and Microsoft Defender for Cloud. Discovery is continuous: MDE sensors cover endpoints, and Defender for Servers covers cloud and hybrid infrastructure. Vulnerabilities are prioritised automatically by threat intelligence, asset context, and breach likelihood.

Remediation is automated via Intune Update Rings and Azure Update Management.

How to implement A.8.8 in Microsoft 365

Enable Threat and Vulnerability Management in Microsoft Defender for Endpoint

Implement A.8.8 by enabling Threat and Vulnerability Management in Microsoft Defender for Endpoint. Ensure the MDE sensor's continuous asset discovery and vulnerability scanning are active on all endpoints.

Enable Defender for Servers on all Azure VMs and Arc-enabled servers

Enable Defender for Servers on all Azure VMs and on Arc-enabled on-premises servers. Monitor the TVM Exposure Score with a target of 40% or less; the score prioritises vulnerabilities by threat, context, and breach likelihood.

Configure Intune Update Rings for automatic OS patching

Configure Intune Update Rings for automatic OS patching on Windows devices with gradual rollout. Set up Azure Update Management for servers to automate security patch deployment.

Deploy CIS benchmark configuration policies via Intune and Azure Policy

Deploy CIS benchmark configuration policies via Intune and Azure Policy.

What an auditor checks for A.8.8

  • Auditors will verify that Microsoft Secure Score is 70% or higher, with its recommendations documented.
  • They will check that the Exposure Score is 40% or less, indicating controlled vulnerability risk.
  • Auditors will verify that patch compliance is 90% or higher, meaning that share of managed devices carries current OS and application patches.
  • They will check that Update Rings are deployed to endpoints for automatic patching.
  • Auditors will verify that an Intune compliance policy requiring patch compliance is linked to Conditional Access.
  • They will check that vulnerability scanning is active, evidenced by recent Secure Score updates, and will verify that the external penetration test report is dated within the last 12 months.

What your auditor expects for A.8.8

  • technical vulnerability management including Microsoft Defender Vulnerability Management findings
  • patch compliance status
  • vulnerability severity distribution
  • remediation tracking for managed devices and applications
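The script below is an added example (not the page's own tooling or Microsoft's code) that scores the evidence items listed above against the thresholds in the auditor checklist: Secure Score percentage, Exposure Score, patch-compliance share, penetration-test age, plus the severity distribution and a per-device remediation queue. All records are constructed; their field names follow the Microsoft Graph `secureScores` and `managedDevices` resources and the `DeviceTvmSoftwareVulnerabilities` advanced-hunting table, the exposure-score shape is an assumption, and the CVE ids are placeholders.

```python
"""Score A.8.8 audit evidence against the thresholds given on this page.

Added example, not the page's own tooling. The records below are constructed
and only mirror the field names of the Graph / Defender responses they name.
"""
from collections import Counter
from datetime import date

# Thresholds taken from the "What an auditor checks for A.8.8" list.
SECURE_SCORE_MIN_PCT = 70.0
EXPOSURE_SCORE_MAX = 40.0
PATCH_COMPLIANCE_MIN_PCT = 90.0
PENTEST_MAX_AGE_DAYS = 365

# Constructed: fields as in Microsoft Graph GET /v1.0/security/secureScores.
SECURE_SCORE = {"currentScore": 412.0, "maxScore": 560.0}

# Constructed: assumed shape of a Defender for Endpoint exposure-score response.
EXPOSURE_SCORE = {"score": 33.8}

# Constructed: subset of Microsoft Graph GET /v1.0/deviceManagement/managedDevices.
MANAGED_DEVICES = [
    {"deviceName": "WS-001", "complianceState": "compliant"},
    {"deviceName": "WS-002", "complianceState": "compliant"},
    {"deviceName": "WS-003", "complianceState": "noncompliant"},
    {"deviceName": "WS-004", "complianceState": "compliant"},
    {"deviceName": "WS-005", "complianceState": "compliant"},
    {"deviceName": "WS-006", "complianceState": "compliant"},
    {"deviceName": "WS-007", "complianceState": "inGracePeriod"},
    {"deviceName": "WS-008", "complianceState": "compliant"},
    {"deviceName": "SRV-01", "complianceState": "compliant"},
    {"deviceName": "SRV-02", "complianceState": "compliant"},
]

# Constructed: rows shaped like the DeviceTvmSoftwareVulnerabilities
# advanced-hunting table; the CVE ids are placeholders, not real identifiers.
VULN_FINDINGS = [
    {"DeviceName": "WS-003", "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "Critical"},
    {"DeviceName": "WS-003", "CveId": "CVE-0000-0002", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "WS-007", "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "Critical"},
    {"DeviceName": "WS-007", "CveId": "CVE-0000-0003", "VulnerabilitySeverityLevel": "Medium"},
    {"DeviceName": "SRV-02", "CveId": "CVE-0000-0004", "VulnerabilitySeverityLevel": "High"},
    {"DeviceName": "SRV-02", "CveId": "CVE-0000-0005", "VulnerabilitySeverityLevel": "High"},
]

# Constructed: date of the most recent external penetration test report.
LAST_PENTEST_REPORT = date(2024, 3, 15)


def secure_score_pct(score: dict) -> float:
    """Secure Score as a percentage of the maximum achievable points."""
    return round(100.0 * score["currentScore"] / score["maxScore"], 1)


def patch_compliance_pct(devices: list) -> float:
    """Share of managed devices whose Intune compliance state is 'compliant'.

    Devices in a grace period count as not yet compliant: the patch-compliance
    policy has not been met at the time of the check.
    """
    if not devices:
        return 0.0
    compliant = sum(1 for d in devices if d["complianceState"] == "compliant")
    return round(100.0 * compliant / len(devices), 1)


def severity_distribution(findings: list) -> dict:
    """Count open findings per severity level (the 'severity distribution' evidence item)."""
    return dict(Counter(f["VulnerabilitySeverityLevel"] for f in findings))


def devices_needing_remediation(findings: list, severities=("Critical", "High")) -> list:
    """Devices carrying at least one finding at the given severities, with their CVEs."""
    by_device = {}
    for f in findings:
        if f["VulnerabilitySeverityLevel"] in severities:
            by_device.setdefault(f["DeviceName"], set()).add(f["CveId"])
    return sorted((dev, sorted(cves)) for dev, cves in by_device.items())


def pentest_is_current(report_date: date, today: date) -> bool:
    """True when the external penetration test report is dated within 12 months."""
    return 0 <= (today - report_date).days <= PENTEST_MAX_AGE_DAYS


def evaluate(score, exposure, devices, findings, pentest_date, today) -> dict:
    """Return each auditor check with its measured value and pass/fail result."""
    ss = secure_score_pct(score)
    pc = patch_compliance_pct(devices)
    return {
        "secure_score": {"value": ss, "passed": ss >= SECURE_SCORE_MIN_PCT},
        "exposure_score": {"value": exposure["score"], "passed": exposure["score"] <= EXPOSURE_SCORE_MAX},
        "patch_compliance": {"value": pc, "passed": pc >= PATCH_COMPLIANCE_MIN_PCT},
        "pentest_within_12_months": {"value": pentest_date.isoformat(),
                                     "passed": pentest_is_current(pentest_date, today)},
        "severity_distribution": severity_distribution(findings),
        "remediation_queue": devices_needing_remediation(findings),
    }


if __name__ == "__main__":
    report = evaluate(SECURE_SCORE, EXPOSURE_SCORE, MANAGED_DEVICES, VULN_FINDINGS,
                      LAST_PENTEST_REPORT, date(2024, 9, 1))
    for check, result in report.items():
        print(f"{check}: {result}")
```

With the constructed sample, Secure Score (73.6%), Exposure Score (33.8) and the penetration-test age pass, while patch compliance lands at 80.0% and fails the 90% bar; the remediation queue then lists which devices carry the Critical and High findings that a remediation-tracking record would need to close out.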

See how your organisation scores against A.8.8 and all 93 ISO 27001 controls.


M365 capabilities that implement this control

Patch Management (Endpoint): Windows Update for Business and application patching via Intune