ISO27001 A.8.8
ISO/IEC 27001:2022 Information Security Management
AL, Founder at SQUR · last verified 2026-06-19
Regulation text
Information about technical vulnerabilities of information systems in use shall be obtained, the organisation's exposure to such vulnerabilities shall be evaluated and appropriate measures taken. Theme: Technological controls. (Full guidance: ISO/IEC 27002:2022 §8.8.)
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | ISO27001 A.8.8 mandates identifying and evaluating technical vulnerabilities, directly reducing the attack surface for public-facing application exploits. | 100% |
| T1068 | Effective vulnerability management, as per ISO27001 A.8.8, identifies and remediates flaws that attackers could exploit for privilege escalation. | 100% |
| T1203 | Identifying and addressing technical vulnerabilities in client software, as required by ISO27001 A.8.8, reduces the success rate of client-side exploitation. | 90% |
| T1059 | By reducing initial exploitation vectors through vulnerability management (ISO27001 A.8.8), the opportunities for attackers to execute arbitrary commands are diminished. | 90% |
| T1543.003 | Preventing privilege escalation via vulnerability remediation (ISO27001 A.8.8) directly hinders an adversary's ability to create or modify system services for persistence. | 90% |
| T1055 | ISO27001 A.8.8's focus on vulnerability evaluation and mitigation reduces the underlying flaws that enable process injection techniques. | 90% |
| T1027 | While not directly preventing obfuscation, ISO27001 A.8.8's vulnerability management reduces the effectiveness of obfuscated exploits by removing their targets. | 80% |
| T1003 | Remediating vulnerabilities as per ISO27001 A.8.8 limits privilege escalation, thereby making it harder for attackers to dump OS credentials. | 90% |
| T1046 | While this control does not prevent scanning, ISO27001 A.8.8 ensures that identified vulnerabilities from such scans are addressed, reducing their utility to attackers. | 80% |
| T1021 | ISO27001 A.8.8 requires evaluation and mitigation of vulnerabilities in information systems, including those exposed via remote services, reducing attack surface. | 90% |
| T1005 | By reducing successful exploitation through vulnerability management (ISO27001 A.8.8), the ability of attackers to collect data from local systems is curtailed. | 90% |
| T1071 | ISO27001 A.8.8's focus on vulnerability remediation reduces the initial access vectors that adversaries use to establish C2 channels over application layer protocols. | 90% |
| T1041 | Effective vulnerability management under ISO27001 A.8.8 reduces the likelihood of initial exploitation, thereby limiting the establishment of C2 channels for exfiltration. | 90% |
| T1490 | By mitigating vulnerabilities as per ISO27001 A.8.8, the pathways by which attackers gain the privileges needed to inhibit system recovery are reduced. | 90% |
| T1078 | ISO27001 A.8.8's vulnerability management reduces the likelihood of account compromise through exploitation, thus protecting valid accounts from misuse. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1016 | ISO27001 A.8.8 explicitly requires obtaining information about technical vulnerabilities, which is directly achieved through systematic vulnerability scanning. | 100% |
| M1051 | Updating software is a primary measure for addressing identified technical vulnerabilities, as mandated by ISO27001 A.8.8. | 100% |
| M1048 | Effective patch management is a critical component of taking appropriate measures to address technical vulnerabilities, as specified in ISO27001 A.8.8. | 100% |
| M1035 | Secure operating system configurations, including disabling unnecessary services and hardening settings, reduce the exposure to technical vulnerabilities as required by ISO27001 A.8.8. | 90% |
| M1030 | Network intrusion prevention systems can detect and block attempts to exploit technical vulnerabilities, serving as an appropriate measure under ISO27001 A.8.8. | 90% |
| M1040 | Network segmentation limits the lateral movement and impact of an attacker who successfully exploits a vulnerability, complementing the measures required by ISO27001 A.8.8. | 90% |
| M1038 | Robust user account management, including least privilege and strong authentication, reduces the impact of an attacker gaining access via a vulnerability, aligning with ISO27001 A.8.8. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-119 | ISO27001 A.8.8 addresses the evaluation and mitigation of technical vulnerabilities, including memory safety issues like buffer overflows (CWE-119). | 100% |
| CWE-20 | Many technical vulnerabilities stem from improper input validation (CWE-20), which ISO27001 A.8.8 requires organisations to identify and mitigate. | 100% |
| CWE-78 | ISO27001 A.8.8 mandates addressing technical vulnerabilities, including command injection flaws (CWE-78) that allow arbitrary command execution. | 100% |
| CWE-79 | Web application vulnerabilities like XSS (CWE-79) are technical vulnerabilities that ISO27001 A.8.8 requires organisations to evaluate and mitigate. | 100% |
| CWE-89 | SQL injection (CWE-89) represents a critical technical vulnerability that ISO27001 A.8.8 requires organisations to identify and take appropriate measures against. | 100% |
| CWE-502 | Technical vulnerabilities arising from deserialization of untrusted data (CWE-502) fall under the scope of ISO27001 A.8.8 for evaluation and mitigation. | 100% |
| CWE-732 | Incorrect permission assignments (CWE-732) are technical vulnerabilities that ISO27001 A.8.8 requires organisations to identify, evaluate, and correct. | 100% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0189 compute · voice-rubric self-validated