SOC 2 CC7.1: System Operations - Detection of Security Events
What This Control Requires
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
In Plain Language
You can't fix what you don't know about. CC7.1 is about whether your organisation can actually detect new vulnerabilities and security-weakening configuration changes before attackers exploit them. This means running continuous vulnerability scanning to catch newly published CVEs in your environment, monitoring configurations so that unauthorised or insecure changes don't slip through, and correlating vulnerability data with your asset inventory so you know which systems are actually affected. Auditors look at how systematic your vulnerability detection is, how quickly you identify new vulnerabilities in your environment, whether configuration changes are monitored for security impact, and whether you have a real process for triaging and prioritising what to fix first.
How to Implement
Deploy automated vulnerability scanning across all in-scope systems - servers, workstations, network devices, and applications. Set up external scanning for internet-facing systems too. Run scans at least monthly, with weekly or continuous scanning for critical and internet-facing assets.
Subscribe to vulnerability intelligence sources that matter for your stack. Monitor vendor security advisories (Microsoft, Linux distributions, your key application vendors), track vulnerability databases (NVD, CVE), and pull in threat intelligence feeds that flag actively exploited vulnerabilities. Assign someone to monitor these sources and triage new findings.
Set up configuration monitoring to catch changes to security-relevant settings: firewall rules, access control lists, system hardening configs, application settings, cloud resource configurations. Use a CMDB or infrastructure-as-code tooling to maintain baselines and detect drift.
Build a risk-based vulnerability prioritisation process. Not everything needs immediate attention. Factor in the CVSS score, whether the vulnerability is being actively exploited, how critical the affected asset is, its exposure level (internet-facing vs. internal), and whether compensating controls exist. Document your prioritisation criteria.
Create dashboards showing your vulnerability posture in real time. Track total open vulnerabilities by severity, average time to remediation, scan coverage, and trends over time. Report to management regularly.
Connect vulnerability detection to your incident response process. Critical vulnerabilities with active exploitation should be escalated as potential security events, not left sitting in a patching queue. Define clear criteria for when a vulnerability discovery triggers an investigation.
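The prioritisation, asset-correlation and escalation steps above, as an added worked example (not AuditFront's code or any scanner's output). The asset inventory, findings, weights and thresholds are all constructed and hypothetical; the CVE ids are placeholders, not real advisories.

```python
from collections import Counter

# Constructed asset inventory (hypothetical hosts, not real systems).
ASSETS = {
    "web-01": {"criticality": "high", "internet_facing": True, "compensating": False},
    "db-01": {"criticality": "high", "internet_facing": False, "compensating": True},
    "lap-07": {"criticality": "low", "internet_facing": False, "compensating": False},
}
# Constructed scan findings; CVE ids are placeholders, not real advisories.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "exploited": True},
    {"asset": "db-01", "cve": "CVE-0000-0002", "cvss": 9.1, "exploited": False},
    {"asset": "lap-07", "cve": "CVE-0000-0003", "cvss": 7.2, "exploited": False},
    {"asset": "ghost-9", "cve": "CVE-0000-0004", "cvss": 8.0, "exploited": True},
]
WEIGHTS = {"high": 1.5, "medium": 1.0, "low": 0.5}  # asset criticality multiplier (assumed)


def score(finding, asset):
    """Priority score: CVSS base scaled by asset criticality, exposure,
    active exploitation and compensating controls; capped at 10."""
    s = finding["cvss"] * WEIGHTS[asset["criticality"]]
    if asset["internet_facing"]:
        s *= 1.5
    if finding["exploited"]:
        s *= 1.5
    if asset["compensating"]:
        s *= 0.5
    return round(min(s, 10.0), 1)


def triage(findings=FINDINGS, assets=ASSETS):
    """Return (ranked, escalations, unmapped). A finding is escalated to IR when it is
    actively exploited on an internet-facing or high-criticality asset; a finding whose
    host is missing from the inventory is reported as an inventory gap, not scored."""
    ranked, escalations, unmapped = [], [], []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            unmapped.append(f["cve"])  # cannot assess impact without asset context
            continue
        ranked.append((score(f, asset), f["cve"], f["asset"]))
        if f["exploited"] and (asset["internet_facing"] or asset["criticality"] == "high"):
            escalations.append(f["cve"])
    ranked.sort(reverse=True)
    return ranked, escalations, unmapped


def posture(ranked):
    """Dashboard metric: open findings counted by priority band."""
    band = lambda s: "critical" if s >= 9 else "high" if s >= 7 else "medium" if s >= 4 else "low"
    return dict(Counter(band(s) for s, _, _ in ranked))
```

Unmapped findings are worth tracking as a metric of their own, since each one is a gap in the asset inventory that scan coverage reports would otherwise hide.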
Evidence Your Auditor Will Request
- Vulnerability scanning tool configurations showing scan schedules and coverage across all in-scope systems
- Vulnerability scan results and remediation tracking records
- Configuration monitoring tool deployment and baseline configuration documentation
- Vulnerability intelligence sources and evidence of regular monitoring and triage
- Vulnerability management dashboards and reports provided to management
Common Mistakes
- Vulnerability scans are performed inconsistently or do not cover all systems in scope
- New vulnerabilities are identified but not triaged or prioritised in a timely manner
- Configuration changes are not monitored, allowing security-weakening modifications to go undetected
- Vulnerability scanning focuses only on infrastructure and misses application-level vulnerabilities
- No process for identifying and responding to zero-day vulnerabilities or actively exploited threats
Related Controls Across Frameworks
Frequently Asked Questions
How often should vulnerability scans be run?
Should we use authenticated or unauthenticated vulnerability scans?
How do we manage vulnerability scanning in cloud environments?