Do you track and report VM KPIs (open findings by severity, MTTR, scan coverage, exception count)?
Demonstrate that the organization maintains documented vulnerability management KPIs, tracks these metrics systematically, and reports them to stakeholders at defined intervals to enable risk-based decision-making.
Description
What this control does
This control requires organizations to define, collect, and regularly report key performance indicators (KPIs) for their vulnerability management (VM) program. Core metrics include the count of open findings segmented by severity level (Critical, High, Medium, Low), mean time to remediate (MTTR) vulnerabilities, percentage of assets covered by vulnerability scans, and number of active exceptions or accepted risks. These KPIs enable leadership to assess program maturity, resource allocation effectiveness, and risk posture trends over time. Regular reporting ensures accountability and data-driven prioritization of remediation efforts.
Control objective
What auditing this proves
Demonstrate that the organization maintains documented vulnerability management KPIs, tracks these metrics systematically, and reports them to stakeholders at defined intervals to enable risk-based decision-making.
Associated risks
Risks this control addresses
- Critical vulnerabilities remain undetected or unaddressed due to lack of visibility into scan coverage gaps across the asset inventory
- Remediation efforts are misdirected toward low-severity issues while critical and high-severity vulnerabilities accumulate unmitigated
- Prolonged MTTR enables attackers to exploit known vulnerabilities during extended exposure windows before patches are applied
- Untracked exception approvals allow temporary risk acceptances to become permanent, creating undocumented attack surface
- Leadership lacks quantitative data to justify security staffing, tooling investments, or escalate systemic remediation delays to business owners
- Compliance violations occur when organizations cannot produce evidence of vulnerability tracking required by regulatory frameworks or contractual obligations
- Regression occurs when previously remediated vulnerabilities reappear without detection due to inadequate trending and historical comparison
Testing procedure
How an auditor verifies this control
- Request and review the organization's documented vulnerability management KPI definitions, including calculation methodology for MTTR, severity classification scheme, scan coverage formula, and exception criteria.
- Obtain vulnerability management reports from the most recent three reporting periods (e.g., monthly, quarterly) showing open findings by severity, MTTR statistics, scan coverage percentages, and exception counts.
- Verify that the reported KPI data aligns with the documented definitions by tracing at least two metrics back to their source data in the vulnerability scanning platform or ticketing system.
- Select a sample of 10-15 open findings across severity levels from the current report and validate their accurate classification, assignment, and aging calculations in the vulnerability management system.
- Review evidence that scan coverage metrics accurately reflect the complete asset inventory by comparing scanned asset counts against the authoritative configuration management database (CMDB) or asset register.
- Examine the exception management process by selecting 5-7 approved exceptions and confirming they are reflected in the exception count KPI, include documented business justification, have defined expiration dates, and compensating controls where applicable.
- Interview vulnerability management personnel to confirm the reporting cadence, distribution list for KPI reports, and any thresholds or service level agreements (SLAs) defined for each metric.
- Assess whether reported KPIs have been used to drive action by reviewing meeting minutes, remediation plans, or resource allocation decisions that reference the vulnerability metrics.