ISO 27001 audit prep, not just scan output.
An auditor needs a documented scan and remediation cycle operating over time, not a point-in-time report. Vornin maps every finding to the Annex A control it touches, keeps a tamper-evident lifecycle, and produces per-finding evidence packs your auditor can validate.
Read-only access · Working scan data deleted after each scan · EU-hosted
Certification is a cycle, not a snapshot.
Stage 2 wants evidence the A.8.8 control is running; every surveillance audit wants evidence it kept running. A folder of exports cannot answer the auditor's sharpest question: were these edited?
Annex A controls, cross-walked to scanner evidence.
Every finding auto-links to the Annex A control it touches the moment it is ingested. This is the cross-walk from the 2022 control set to the evidence Vornin produces for your auditor.
| ISO 27001:2022 Annex A control | What Vornin runs | Evidence it produces |
|---|---|---|
| A.8.8Management of technical vulnerabilities | Scanner coverage across web, infrastructure, code, and cloud on a schedule, with deduplication and SLA-tracked remediation. | Per-finding auditor pack ZIP carrying the full detect-to-resolved lifecycle. |
| A.5.9Inventory of associated assets | Continuous attack surface discovery: subdomains, exposed services, certificates, and detected technologies. | Asset inventory with status history that never silently drops a tracked host. |
| A.5.7Threat intelligence | NVD enrichment on every finding: CVE, CVSS, EPSS exploit likelihood, CWE, and known-exploited status. | Enriched findings prioritised by real-world exploit signal, not raw severity. |
| A.8.24Use of cryptography | SSL/TLS scanning for weak ciphers, deprecated protocols, expiring certificates, and missing HSTS. | Encryption findings with severity and remediation deadlines. |
| A.8.25 · A.8.28Secure development and coding | Dual-engine static analysis and secret scanning on connected repositories. | Code findings mapped to the control, with the lifecycle recorded. |
| A.5.21Managing ICT supply-chain security | Dependency scanning with reachability filtering, plus a CycloneDX software bill of materials. | SBOM.cdx.json export and SCA findings mapped to the control. |
Organisational Annex A controls, policy, training, supplier agreements, continuity, are not scanner-testable. Vornin tracks them through the manual attestation workflow with sign-off history and keeps them out of the auto-tested score, so the coverage number reflects what was verified. What a vulnerability scan actually checks →
One evidence layer for every audit in the cycle.
The chain records every status change as it happens, so the evidence for stage 2, surveillance, and recertification already exists when each audit lands.
Per-tenant SHA-256 chain.
Every status change, from the UI, the API, or a background job, is hashed into a per-tenant chain. Each entry links to the one before it, so altering any event invalidates every event after it.
Serialized, linear writes.
Concurrent writers serialize per tenant, so the chain stays linear even under simultaneous updates. No fork, no race.
Walk and verify on demand.
The chain can be re-hashed on demand, returning the first break if one exists. That result ships inside every auditor-pack manifest so your auditor can re-run it.
Per-finding ZIP, tenant-wide PDF.
Download a ZIP per finding with manifest, state, events, comments, compliance mappings, and evidence. Business also renders a tenant-wide auditor PDF across every chain.
External anchor.
Today the chain is self-anchored to Vornin and tamper-evident inside your tenant. On the roadmap: stamping tip-hashes into RFC 3161 timestamp authorities and a public transparency log.
ISO 27001, answered.
The questions that come up most when a team scopes the technical-vulnerability control.
Does ISO 27001 require vulnerability scanning?
Yes, in practice. Annex A control A.8.8, management of technical vulnerabilities, requires that information about technical vulnerabilities is obtained, exposure evaluated, and appropriate measures taken. An auditor expects evidence of regular scanning, evaluation, and remediation, not a single point-in-time report. Vornin runs the scanning and records the full lifecycle as that evidence.
Which Annex A controls cover vulnerability scanning?
The primary control is A.8.8 (management of technical vulnerabilities). Related controls a scanner supports include A.5.9 (inventory of assets), A.5.7 (threat intelligence), A.8.24 (use of cryptography), A.8.25 and A.8.28 (secure development and coding), and A.5.21 (managing ICT supply-chain security). Vornin maps each finding to the Annex A control it touches at scan time.
What evidence does an ISO 27001 auditor want?
An auditor wants to see the control operating over time: a documented scan cadence, evaluated findings, assigned remediation with deadlines, and confirmed closure. They want a lifecycle trail, not just a scan result. Vornin produces a per-finding auditor pack covering detection through resolution, with a tamper-evident chain so the records cannot be quietly edited before the audit.
Does Vornin help with annual surveillance audits?
Yes. After stage 2 certification, ISO 27001 requires annual surveillance audits and full recertification every three years. Because Vornin keeps scanning continuously and records every status change, the evidence for each surveillance audit already exists. You export the auditor pack or per-framework mapping table instead of reconstructing a year of activity.
Is ISO 27001 the same as NIS2?
No. ISO 27001 is a voluntary certification standard; NIS2 is binding EU law. The control sets overlap heavily, so an ISO 27001 vulnerability management programme covers most of what NIS2 Article 21 expects of the same controls. Vornin maps findings to both from one source of truth, so one programme serves both.
Tier note: the attestation workflow and evidence vault unlock on Team. The tamper-evidence chain, per-finding auditor ZIP, and tenant-wide auditor PDF are Business and above. Compare tiers →
Build your ISO 27001 evidence file continuously.
Start now and the evidence file is already there when the next audit lands.
Read-only access · Working scan data deleted after each scan · EU-hosted