
Technical vulnerability management for ISO 27001

Annex A 8.8 requires you to obtain information about technical vulnerabilities, evaluate exposure and take action; A.5.21 extends that to your ICT supply chain. IsItPatched delivers both from an SBOM — a component inventory, known and actively-exploited CVEs, prioritisation, the minimum safe version, end-of-life tracking and exportable ISMS evidence.

1046 actively-exploited CVEs across 613 tracked products right now

Built for the ISMS you're running

Organisations certifying

Stand up the A.8.8 technical-vulnerability evidence and the A.5.21 supply-chain view without a heavyweight platform.

ISMS & security managers

A repeatable, documented process: inventory components, evaluate vulnerabilities, prioritise by exploitation, record remediation.

Auditors & consultants

Hand a clean component inventory, risk-ranked vulnerabilities and a remediation record as Annex A evidence.

ISO 27001 Annex A → what IsItPatched gives you

Technical vulnerabilities (A.8.8)

Scan a CycloneDX/SPDX SBOM to obtain, evaluate and act on technical vulnerabilities across your components — the core of A.8.8.

Scan an SBOM →

Prioritise by real risk

CVEs ranked by actively-exploited (CISA KEV) and high-EPSS status, so your treatment decisions are defensible.

See actively-exploited CVEs →

ICT supply chain (A.5.21)

The SBOM inventory of third-party & open-source components is the supply-chain transparency A.5.21 expects.

Open your dashboard →

End-of-life & ISMS evidence

End-of-life tracking flags unsupported components; export a risk register and VEX as ISMS evidence.

End-of-life calendar →

Export your evidence — today, free

  • Per-component vulnerability scan of your CycloneDX / SPDX SBOM (matched against OSV)
  • CycloneDX VEX document (exploitability + remediation per component)
  • Software risk register (CSV / print-to-PDF) citing the exact versions you run
  • A prioritised, known-exploited-first patch queue — your A.8.8 treatment record

Sign in (free, no password) to sync your component stack and generate these from your dashboard.

Straight with you: ISO/IEC 27001 certification covers the whole management system — risk assessment, policies, access control, physical security, incident management and all of Annex A — and is granted by an accredited certification body. IsItPatched is an informational tool (NVD · CISA KEV · OSV · endoflife.date) that helps with A.8.8 technical vulnerability management and the A.5.21 ICT-supply-chain evidence specifically. It is not a certification body, not a certification, and not legal advice. Disclaimer.

ISO/IEC 27001 — frequently asked

What is ISO/IEC 27001?

ISO/IEC 27001 is the international standard for an Information Security Management System (ISMS). The 2022 revision lists 93 Annex A controls. The ones a software-vulnerability tool maps onto are A.8.8 (management of technical vulnerabilities), A.5.21 (managing information security in the ICT supply chain), A.8.25 (secure development lifecycle) and A.8.9 (configuration management). Certification is granted by an accredited body after auditing the whole ISMS.

How does IsItPatched help with ISO 27001?

It operationalises A.8.8 and the supply-chain parts of A.5.21: scan a CycloneDX/SPDX SBOM for an inventory of third-party components, identify and evaluate their technical vulnerabilities (with CISA KEV + EPSS to prioritise), see the minimum safe version, track end-of-life components, and export a risk register / VEX as evidence for your ISMS and your auditor.
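The pipeline described in this answer and in the evidence list above (scan the SBOM, match components to advisories, rank findings known-exploited-first then by EPSS, derive the minimum safe version, emit a VEX) can be illustrated end to end. The following is an added example, not IsItPatched's own code, and every input in it is constructed: the CycloneDX SBOM, the advisory table that stands in for an OSV lookup, the KEV membership set, the EPSS scores and the `CVE-0000-EXAMPLE-*` identifiers are placeholders, not real data. The VEX it builds follows the CycloneDX `vulnerabilities` object shape (`id`, `analysis.state`, `analysis.response`, `affects[].ref`, `properties`); treat that mapping as this example's assumption rather than the project's export format.

```python
"""KEV-first patch queue and minimal CycloneDX VEX from an SBOM (constructed example)."""
import json
from dataclasses import dataclass

# --- Constructed inputs (not real OSV / CISA KEV / FIRST EPSS data) ----------
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/examplelib@1.2.0", "name": "examplelib", "version": "1.2.0",
         "purl": "pkg:pypi/examplelib@1.2.0"},
        {"bom-ref": "pkg:pypi/otherlib@4.0.1", "name": "otherlib", "version": "4.0.1",
         "purl": "pkg:pypi/otherlib@4.0.1"},
        {"bom-ref": "pkg:pypi/cleanlib@2.3.0", "name": "cleanlib", "version": "2.3.0",
         "purl": "pkg:pypi/cleanlib@2.3.0"},
    ],
}

# Stand-in for an OSV query: purl -> [(placeholder CVE id, first fixed version)].
ADVISORIES = {
    "pkg:pypi/examplelib@1.2.0": [("CVE-0000-EXAMPLE-A", "1.2.5"), ("CVE-0000-EXAMPLE-B", "1.3.0")],
    "pkg:pypi/otherlib@4.0.1": [("CVE-0000-EXAMPLE-C", "4.1.0")],
}
KEV = {"CVE-0000-EXAMPLE-C"}                      # constructed KEV membership
EPSS = {"CVE-0000-EXAMPLE-A": 0.02, "CVE-0000-EXAMPLE-B": 0.71, "CVE-0000-EXAMPLE-C": 0.15}


@dataclass
class Finding:
    component_ref: str
    name: str
    version: str
    cve: str
    fixed_version: str
    in_kev: bool
    epss: float


def parse_version(v):
    """Dotted numeric versions only; enough for the constructed inputs."""
    return tuple(int(p) for p in v.split("."))


def scan(sbom, advisories, kev, epss):
    """Inventory every component and attach each matching advisory (A.8.8 'obtain')."""
    findings = []
    for comp in sbom["components"]:
        for cve, fixed in advisories.get(comp["purl"], []):
            findings.append(Finding(comp["bom-ref"], comp["name"], comp["version"],
                                    cve, fixed, cve in kev, epss.get(cve, 0.0)))
    return findings


def patch_queue(findings):
    """Known-exploited first, then descending EPSS, then CVE id for a stable order."""
    return sorted(findings, key=lambda f: (not f.in_kev, -f.epss, f.cve))


def minimum_safe_version(findings):
    """Per component: the lowest version that clears every matched advisory."""
    out = {}
    for f in findings:
        cur = out.get(f.component_ref)
        if cur is None or parse_version(f.fixed_version) > parse_version(cur):
            out[f.component_ref] = f.fixed_version
    return out


def build_vex(sbom, findings):
    """Minimal CycloneDX VEX: one 'exploitable' statement per finding, update advised."""
    msv = minimum_safe_version(findings)
    vulns = []
    for f in patch_queue(findings):
        vulns.append({
            "id": f.cve,
            "source": {"name": "constructed-example"},
            "analysis": {
                "state": "exploitable",
                "response": ["update"],
                "detail": f"{f.name} {f.version} affected; upgrade to {msv[f.component_ref]} or later",
            },
            "affects": [{"ref": f.component_ref}],
            "properties": [
                {"name": "example:kev", "value": str(f.in_kev).lower()},
                {"name": "example:epss", "value": f"{f.epss:.2f}"},
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": sbom["specVersion"],
            "version": 1, "vulnerabilities": vulns}


if __name__ == "__main__":
    found = scan(SBOM, ADVISORIES, KEV, EPSS)
    for f in patch_queue(found):
        print(f"{'KEV ' if f.in_kev else '    '}{f.cve}  {f.name} {f.version} -> {f.fixed_version}  epss={f.epss:.2f}")
    print(json.dumps(build_vex(SBOM, found), indent=2))
```

The ordering key is the point worth keeping: a finding on the KEV list outranks any EPSS score, so the treatment record an auditor sees is justified by observed exploitation before probability. `cleanlib` produces no finding and therefore no VEX statement; a fuller export would also record `not_affected` statements for components you have assessed, which is what turns a scan result into A.8.8 evidence of evaluation rather than just a list of hits.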

Does IsItPatched make us ISO 27001 certified?

No. Certification covers the full management system — risk assessment, policies, access control, physical security, incident management and the rest of Annex A — and is granted by an accredited certification body. IsItPatched helps with A.8.8 technical vulnerability management and the ICT-supply-chain evidence specifically. It is informational, built on public data — not a certification body and not legal advice.

Subject to more than one regime? See all our compliance editions →