How do you prioritise findings (CVSS alone, EPSS-augmented, asset criticality, exploitation observed)?
Demonstrate that the organization employs a documented, risk-based vulnerability prioritization methodology that incorporates multiple threat and asset context factors beyond CVSS base scores to guide remediation sequencing.
Description
What this control does
This control governs how an organization ranks and prioritizes vulnerability remediation efforts by combining multiple risk signals beyond base CVSS scores. Effective prioritization integrates exploit prediction scoring systems (EPSS), asset criticality classifications, threat intelligence on active exploitation, and environmental context to focus remediation resources on the vulnerabilities posing the greatest real-world risk. Without a multi-dimensional approach, organizations waste effort patching low-risk issues while critical exposures remain unaddressed.
Control objective
What auditing this proves
Demonstrate that the organization employs a documented, risk-based vulnerability prioritization methodology that incorporates multiple threat and asset context factors beyond CVSS base scores to guide remediation sequencing.
Associated risks
Risks this control addresses
- Critical vulnerabilities on high-value assets remain unpatched while resources are spent on low-risk findings with high CVSS scores but no active exploitation or business impact
- Attackers exploit vulnerabilities with known public exploits or active campaigns that were deprioritized due to moderate CVSS scores
- Security teams lack visibility into which assets are business-critical, leading to equal treatment of development sandbox and production payment processing systems
- Remediation SLAs based solely on CVSS result in missed windows to patch vulnerabilities before weaponization occurs in the wild
- Vulnerability fatigue sets in when teams are overwhelmed by undifferentiated lists of thousands of findings without actionable ranking
- Compliance-driven patching focuses on scanner output rather than actual threat landscape, leaving exploitable gaps in internet-facing attack surface
- Lack of integration between vulnerability management and threat intelligence prevents timely response to zero-day disclosures or ransomware campaigns targeting specific CVEs
Testing procedure
How an auditor verifies this control
- Request and review the organization's documented vulnerability prioritization policy or standard operating procedure, noting all risk factors considered beyond CVSS base scores.
- Obtain exports from the vulnerability management platform showing sample vulnerabilities with their assigned priority rankings and the specific scoring inputs used (CVSS, EPSS, asset tags, threat intelligence flags).
- Select a representative sample of 15-20 vulnerabilities across severity tiers and verify that each includes documented asset criticality classification (e.g., business tier, data classification, internet exposure).
- Verify integration with at least one external threat intelligence source (CISA KEV, vendor feeds, EPSS API) by examining configuration settings and sample enrichment data applied to recent vulnerabilities.
- Interview vulnerability management and security operations staff to confirm understanding of prioritization factors and decision-making process when CVSS and EPSS scores conflict.
- Review remediation metrics from the past quarter to confirm that high-priority vulnerabilities (based on the multi-factor methodology) receive faster remediation than lower-priority items, analyzing median time-to-remediate by priority tier.
- Trace three recent high-profile CVEs (e.g., from CISA KEV or widely reported exploits) through the workflow to confirm they were escalated appropriately based on exploitation evidence rather than CVSS alone.
- Examine asset inventory records to validate that criticality ratings are current, consistently applied, and aligned with business impact assessments or system categorization frameworks.