ID.RA-1 / DE.CM-8 / RS.MI-3 (NIST CSF v1.1)

How mature is your vulnerability management programme?

Demonstrate that the organization operates a defined, repeatable, and measurable vulnerability management programme that systematically discovers, assesses, remediates, and verifies security vulnerabilities within risk-based timeframes.

Description

What this control does

A vulnerability management programme encompasses the systematic identification, classification, remediation, and mitigation of security vulnerabilities across all organizational assets. Maturity is measured by the programme's ability to discover vulnerabilities across the full attack surface, prioritize remediation based on risk, enforce remediation SLAs, track remediation effectiveness, and integrate vulnerability intelligence into change management and incident response. Mature programmes leverage automated scanning, threat intelligence feeds, centralized tracking, and executive-level metrics to reduce the window of exposure and prevent exploitation of known weaknesses.

Control objective

What auditing this proves

Demonstrate that the organization operates a defined, repeatable, and measurable vulnerability management programme that systematically discovers, assesses, remediates, and verifies security vulnerabilities within risk-based timeframes.

Associated risks

Risks this control addresses

  • Attackers exploit publicly disclosed vulnerabilities (CVEs) on unpatched systems to gain initial access or escalate privileges
  • Critical vulnerabilities remain undetected due to incomplete asset inventory or inadequate scanning coverage across cloud, on-premises, and hybrid environments
  • High-risk vulnerabilities persist beyond acceptable remediation SLAs due to unclear ownership, undefined prioritization criteria, or lack of enforcement
  • Remediation efforts focus on CVSS scores alone without considering actual exploitability, threat actor activity, or business impact, resulting in inefficient resource allocation
  • Vulnerability management operates as a siloed function disconnected from patch management, configuration management, and incident response, leading to duplicative efforts and missed threats
  • Absence of metrics and executive reporting prevents leadership from understanding exposure trends, resource needs, or programme effectiveness
  • Zero-day or newly disclosed vulnerabilities lack defined emergency response procedures, delaying critical mitigations during active exploitation campaigns

Testing procedure

How an auditor verifies this control

  1. Obtain and review the vulnerability management policy, procedures, and programme charter including defined roles, responsibilities, scanning frequencies, and remediation SLAs by severity level.
  2. Request the current asset inventory and cross-reference against vulnerability scanning scope to identify coverage gaps for endpoints, servers, network devices, cloud workloads, containers, and web applications.
  3. Review vulnerability scanning tool configurations including scan schedules, credential usage, scan profiles, and integration with asset management and ticketing systems.
  4. Select a sample of 10-15 critical and high-severity vulnerabilities discovered in the past 90 days and trace each through detection, assignment, remediation, and verification stages using ticketing system records.
  5. Calculate actual remediation times for the sample against documented SLAs and identify any SLA breaches along with documented justifications or risk acceptance decisions.
  6. Interview vulnerability management and IT operations staff to assess how risk prioritization is performed, including use of exploit availability, threat intelligence, asset criticality, and compensating controls.
  7. Review executive or governance-level reporting from the past six months to evaluate whether vulnerability metrics (mean time to remediate, aging trends, scan coverage, recurring issues) are communicated to leadership.
  8. Examine evidence of vulnerability management integration with change management, incident response, and patch management processes including documented handoffs, escalation paths, and emergency response procedures for zero-day threats.
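
An auditor's check for steps 4 to 7, as an added example that is not part of the control page: over a constructed ticket export it computes SLA breaches (honouring documented risk acceptances), mean time to remediate, and a risk ordering that weights public exploit availability and asset criticality rather than CVSS alone. The SLA values, the weighting and the sample tickets are assumptions, not values the control prescribes.

```python
# Added example (not from the control page): an auditor's check over a
# constructed ticket export, covering testing steps 4-7. SLAs are assumptions.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

SLA_DAYS = {"critical": 15, "high": 30}   # assumed policy SLAs, days by severity
AS_OF = date(2024, 6, 30)                 # audit date (constructed)

@dataclass
class Ticket:
    ticket_id: str
    severity: str
    cvss: float
    exploit_public: bool            # threat-intel flag: public exploit available
    asset_criticality: int          # 1 (low) .. 3 (crown jewel), from asset inventory
    detected: date
    remediated: Optional[date] = None   # None = still open
    risk_accepted: bool = False         # documented exception (step 5)

def days_open(t: Ticket, as_of: date = AS_OF) -> int:
    """Days from detection to closure, or to the audit date if still open."""
    return ((t.remediated or as_of) - t.detected).days

def sla_breaches(tickets, as_of=AS_OF):
    """IDs exceeding their severity SLA with no documented risk acceptance."""
    return [t.ticket_id for t in tickets
            if days_open(t, as_of) > SLA_DAYS[t.severity] and not t.risk_accepted]

def mean_time_to_remediate(tickets):
    """MTTR over closed tickets only (step 7 metric); None if nothing closed."""
    closed = [days_open(t) for t in tickets if t.remediated]
    return round(mean(closed), 1) if closed else None

def risk_rank(tickets):
    """Step 6: order by exploit availability and asset criticality, not CVSS alone.
    The weighting is an illustrative assumption, not the page's prescription."""
    score = lambda t: t.cvss * (2.0 if t.exploit_public else 1.0) * t.asset_criticality
    return [t.ticket_id for t in sorted(tickets, key=score, reverse=True)]

# Constructed sample: four findings from the past 90 days.
SAMPLE = [
    Ticket("VM-101", "critical", 9.8, True, 3, date(2024, 4, 5), date(2024, 4, 15)),
    Ticket("VM-102", "critical", 9.1, False, 1, date(2024, 4, 10), date(2024, 5, 20)),
    Ticket("VM-103", "high", 7.5, True, 3, date(2024, 5, 1)),                # still open
    Ticket("VM-104", "high", 8.2, False, 2, date(2024, 5, 15), None, True),  # accepted
]

if __name__ == "__main__":
    print("SLA breaches:", sla_breaches(SAMPLE))          # ['VM-102', 'VM-103']
    print("MTTR (days):", mean_time_to_remediate(SAMPLE)) # 25.0
    print("Risk order:", risk_rank(SAMPLE))               # VM-101, VM-103, VM-104, VM-102
```

Note that CVSS alone would rank VM-102 second; the open, exploitable finding on a critical asset (VM-103) ranks above it once exploitability and asset criticality are weighed.
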

Evidence required

Collect the vulnerability management policy and procedure documents, asset inventory exports, vulnerability scanner configuration screenshots and scope definitions, ticketing system exports showing vulnerability workflow from detection to closure for the selected sample, SLA tracking reports or dashboards, documented risk prioritization criteria and threat intelligence integration evidence, executive vulnerability reports or dashboards from the past six months, and integration documentation or workflow diagrams showing handoffs between vulnerability management and related security and IT processes.

Pass criteria

The programme demonstrates documented processes with defined roles and SLAs, achieves scanning coverage across all in-scope asset categories, remediates sampled vulnerabilities within established SLAs or has documented risk acceptance for exceptions, uses risk-based prioritization beyond CVSS scoring alone, provides regular metrics to executive leadership, and shows functional integration with patch management and incident response processes.