Backlog of older findings tracked
Demonstrate that all security findings exceeding their initial remediation target dates are documented in a maintained backlog with current ownership, risk acceptance or remediation status, and prioritization.
Description
What this control does
This control ensures that security findings and vulnerabilities that were not remediated within the initial target timeframe are actively tracked in a backlog system with documented justification, assigned ownership, and prioritized remediation plans. The backlog should include all aged findings from vulnerability scans, penetration tests, security assessments, and audit reports that have exceeded their initial due dates. This tracking mechanism prevents security debt from accumulating invisibly and ensures management maintains visibility into residual risk exposure over time.
Control objective
What auditing this proves
Demonstrate that all security findings exceeding their initial remediation target dates are documented in a maintained backlog with current ownership, risk acceptance or remediation status, and prioritization.
Associated risks
Risks this control addresses
- Unpatched vulnerabilities persist beyond acceptable risk tolerance periods, creating exploitable attack surface for adversaries
- Critical security findings are forgotten or deprioritized without formal risk acceptance, leaving known weaknesses unaddressed
- Security technical debt accumulates invisibly without management awareness, leading to compound risk exposure
- Audit or compliance findings remain unresolved, resulting in regulatory penalties or certification loss
- Resource allocation for remediation becomes ineffective due to lack of centralized tracking and prioritization
- Accountability gaps emerge when aged findings lack clear ownership or follow-up mechanisms
- Repeat exploitation of known vulnerabilities occurs because remediation work was not tracked to completion
Testing procedure
How an auditor verifies this control
- Obtain the current backlog inventory or tracking system containing security findings that have exceeded their initial remediation target dates
- Review the backlog structure to verify it includes finding identifier, initial detection date, original due date, current status, assigned owner, risk rating, and justification for delay or acceptance
- Select a sample of 15-20 older findings from various sources (vulnerability scans, penetration tests, audit reports, security assessments) spanning at least the past 12 months
- For each sampled finding, verify that it appears in the backlog with complete tracking information and current ownership assignment
- Interview backlog owners to confirm the frequency of backlog review meetings and prioritization processes for aged findings
- Cross-reference a sample of recently closed older findings against remediation evidence (patch records, configuration changes, validation scans) to confirm actual resolution
- Request evidence of management review and approval for any findings in the backlog exceeding 180 days with documented risk acceptance or extended timelines
- Verify that the backlog system integrates with or is reconciled against source systems (vulnerability management, ticketing, GRC platforms) to prevent findings from being lost between systems
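The reconciliation, completeness and 180-day checks above can be scripted against a backlog export; the following Python is an added illustration (not part of this control text) that flags overdue source-system findings missing from the backlog, records missing any of the required tracking fields, and findings more than 180 days past their original due date without documented management approval. All identifiers, dates, field names and team names are constructed assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical ids and dates, not from any real tracker).
TODAY = date(2024, 6, 30)
MGMT_REVIEW_DAYS = 180  # aged findings past this need documented management approval
REQUIRED = ("finding_id", "detected", "original_due", "status", "owner",
            "risk_rating", "justification")

# Findings as exported from scanners, pentest and audit trackers (source systems).
SOURCE_FINDINGS = [
    {"finding_id": "VS-1001", "original_due": date(2024, 3, 1), "status": "open"},
    {"finding_id": "PT-2002", "original_due": date(2023, 11, 15), "status": "open"},
    {"finding_id": "AU-3003", "original_due": date(2024, 5, 20), "status": "open"},
    {"finding_id": "VS-1004", "original_due": date(2024, 9, 1), "status": "open"},  # not yet due
]

# The backlog under audit. AU-3003 is overdue in the source system but absent here.
BACKLOG = [
    {"finding_id": "VS-1001", "detected": date(2024, 1, 15), "original_due": date(2024, 3, 1),
     "status": "remediation_planned", "owner": "platform-team", "risk_rating": "high",
     "justification": "awaiting vendor patch", "mgmt_approval": None},
    {"finding_id": "PT-2002", "detected": date(2023, 10, 1), "original_due": date(2023, 11, 15),
     "status": "risk_accepted", "owner": "", "risk_rating": "medium",
     "justification": "compensating WAF rule", "mgmt_approval": None},
]


def overdue_source_ids(source, today=TODAY):
    """Ids of open source-system findings whose original due date has passed."""
    return {f["finding_id"] for f in source
            if f["status"] == "open" and f["original_due"] < today}


def audit_backlog(source, backlog, today=TODAY):
    """Return (finding_id, exception) pairs an auditor would raise against this backlog."""
    by_id = {b["finding_id"]: b for b in backlog}
    exceptions = []
    # 1. Reconciliation: every overdue source finding must appear in the backlog.
    for fid in sorted(overdue_source_ids(source, today) - by_id.keys()):
        exceptions.append((fid, "overdue finding missing from backlog"))
    for fid, b in by_id.items():
        # 2. Completeness: all required tracking fields must be populated.
        missing = [k for k in REQUIRED if not b.get(k)]
        if missing:
            exceptions.append((fid, "missing fields: " + ", ".join(missing)))
        # 3. Aging: >180 days past original due date needs management approval on file.
        age = (today - b["original_due"]).days
        if age > MGMT_REVIEW_DAYS and not b.get("mgmt_approval"):
            exceptions.append((fid, f"{age} days overdue without management approval"))
    return exceptions
```

With the sample data this reports AU-3003 as unreconciled, PT-2002 as missing its owner, and PT-2002 as 228 days overdue without approval; VS-1001 (121 days overdue, fully populated) raises nothing.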
Where this control is tested