A.8.8 Management of Technical Vulnerabilities
M365 Admin Path: Microsoft 365 Defender (security.microsoft.com) > Vulnerability management > Dashboard; Microsoft Intune admin center > Devices > Monitor > Windows updates
What is this control?
ISO 27001 control A.8.8 Management of Technical Vulnerabilities implements continuous, real-time vulnerability management using Microsoft Defender Threat and Vulnerability Management (TVM), Microsoft Secure Score, and Microsoft Defender for Cloud. The control provides continuous discovery via Microsoft Defender for Endpoint (MDE) sensors on endpoints and Defender for Servers on cloud and hybrid infrastructure. Vulnerabilities are automatically prioritised by threat intelligence, asset context, and breach likelihood.
Remediation is automated via Intune Update Rings and Azure Update Management.
How to implement in Microsoft 365
Implement A.8.8 by enabling Threat and Vulnerability Management in Microsoft Defender for Endpoint. Ensure that MDE sensor continuous asset discovery and vulnerability scanning is active on all endpoints. Enable Defender for Servers on all Azure VMs and on Arc-enabled on-premises servers.
Monitor the TVM Exposure Score with a target of 40% or less; TVM prioritises vulnerabilities by threat, asset context, and breach likelihood. Configure Intune Update Rings for automatic OS patching on Windows devices with gradual rollout. Set up Azure Update Management for servers to automate security patch deployment.
Deploy CIS benchmark configuration policies via Intune and Azure Policy.
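The prioritisation step above (threat, asset context, breach likelihood) can be reproduced in Defender advanced hunting. The query below is an added example, not part of this page or of Microsoft's documentation; it assumes the Defender for Endpoint tables DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB, and the Critical/High severity filter and the set size of 10 are choices, not requirements.

```kql
// Added example: rank managed devices by the number of Critical/High CVEs that
// already have a public exploit, so remediation follows breach likelihood rather
// than raw CVE count. Assumes the two TVM advanced hunting tables named below.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (
    // Knowledge-base table carries the per-CVE exploit flag and CVSS score
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| summarize
    ExploitableCves  = dcount(CveId),
    MaxCvss          = max(CvssScore),
    OldestPublished  = min(PublishedDate),
    // Recommended security updates that would close these CVEs (up to 10 listed)
    Updates          = make_set(RecommendedSecurityUpdate, 10)
  by DeviceName, OSPlatform
| order by ExploitableCves desc, MaxCvss desc
```

Devices at the top of the result are the ones to push through the fastest Intune Update Ring first; a shrinking result set over successive runs is supporting evidence that the Exposure Score target is being met.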
What an auditor looks for
Auditors will verify that Microsoft Secure Score is 70% or higher, with documented recommendations. They will check that the Exposure Score is 40% or less, indicating controlled vulnerability risk. Auditors will verify that patch compliance is 90% or higher, meaning that proportion of managed devices carries current OS and application patches.
They will check that Update Rings are deployed on endpoints for automatic patching. Auditors will verify that an Intune compliance policy requiring patch compliance is linked to Conditional Access. They will check that vulnerability scanning is active, as evidenced by recent Secure Score updates, and verify that an external penetration test report is dated within the last 12 months.
M365 capabilities that implement this control
Windows Update for Business and application patching via Intune