Risk acceptance for unpatchable assets
Demonstrate that all unpatchable assets are subject to formal risk acceptance with documented justification, compensating controls, management approval, and scheduled review cycles.
Description
What this control does
This control governs the formal acceptance of residual risk for assets that cannot be patched due to technical constraints, vendor end-of-life, operational dependencies, or compatibility limitations. It requires documented justification, compensating controls, and time-bound authorization by senior management or a risk committee. The control ensures that unpatchable vulnerabilities are not ignored but are instead actively managed through risk-informed decisions, with periodic re-evaluation as the threat landscape evolves.
Control objective
What auditing this proves
Demonstrate that all unpatchable assets are subject to formal risk acceptance with documented justification, compensating controls, management approval, and scheduled review cycles.
Associated risks
Risks this control addresses
- Exploitation of known vulnerabilities in systems that remain unpatched indefinitely without management awareness or approval
- Lateral movement by attackers pivoting from compromised unpatchable systems to patched infrastructure
- Regulatory non-compliance due to undocumented exceptions to vulnerability management policies
- Loss of accountability when technical teams independently decide not to patch without formal risk acceptance
- Accumulation of unmitigated vulnerabilities as unpatchable assets age beyond their original acceptance period
- Inadequate compensating controls that fail to reduce risk to an acceptable level for unpatchable systems
- Audit findings or legal liability stemming from breach of unpatchable systems lacking formal risk treatment
Testing procedure
How an auditor verifies this control
- Obtain the current inventory of all unpatchable assets, including systems, firmware, operating systems, and applications identified as unable to receive security patches, and test its completeness by reconciling it against the asset inventory and recent vulnerability scan results (an asset that scanners report as end-of-life or persistently unpatched but that is absent from the unpatchable inventory is itself a finding).
- Review the organization's risk acceptance policy and procedure to confirm it defines criteria, approval authority, documentation requirements, and review intervals for unpatchable assets.
- Select a representative sample of unpatchable assets across different business units and criticality levels from the inventory.
- For each sampled asset, obtain the formal risk acceptance documentation including vulnerability details, business justification for not patching or replacing, and compensating controls implemented.
- Verify that each risk acceptance record includes approval signatures from management at the appropriate level as defined in policy, typically senior management or risk committee members.
- Examine compensating controls for each sampled unpatchable asset and validate that they are actually implemented and effective, through configuration review, network segmentation verification, or access control testing, rather than relying on written attestations alone.
- Confirm that each risk acceptance includes a defined expiration date or re-evaluation trigger and check that assets approaching or past their review date have been re-assessed.
- Cross-reference the risk acceptance register with recent vulnerability scan results to verify that newly discovered vulnerabilities on unpatchable assets trigger updated risk assessments.
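The last three steps (approval checks, review-date checks, and the cross-reference against scan results) are mechanical enough to script. The following is an added example, not tooling from the original page or from any particular audit framework; the record layout, the role names and the sample data are all constructed assumptions for illustration. It takes a risk-acceptance register, the set of assets designated unpatchable, and scanner findings, and reports expired or soon-due acceptances, scanner findings on unpatchable assets that no acceptance covers, records approved outside policy or lacking compensating controls, and unpatchable assets with no acceptance on file at all.

```python
from datetime import date

# Constructed sample data. The record layout (asset, cves, approver,
# expires, controls), the approver roles and the CVE identifiers are
# assumptions for this example, not real findings.
REGISTER = [
    {"asset": "plc-line3", "cves": {"CVE-2021-0001"}, "approver": "CISO",
     "expires": date(2025, 3, 31), "controls": ["ot-vlan-isolation", "jump-host-only"]},
    {"asset": "hmi-legacy", "cves": {"CVE-2020-0002"}, "approver": "sysadmin",
     "expires": date(2025, 9, 30), "controls": []},
    {"asset": "mri-console", "cves": {"CVE-2019-0003"}, "approver": "Risk Committee",
     "expires": date(2025, 12, 31), "controls": ["network-segmentation"]},
]
UNPATCHABLE_ASSETS = {"plc-line3", "hmi-legacy", "mri-console", "badge-reader-02"}
SCAN_FINDINGS = [
    {"asset": "plc-line3", "cve": "CVE-2021-0001", "severity": "high"},
    {"asset": "plc-line3", "cve": "CVE-2024-0004", "severity": "critical"},
    {"asset": "hmi-legacy", "cve": "CVE-2020-0002", "severity": "medium"},
    {"asset": "mri-console", "cve": "CVE-2019-0003", "severity": "high"},
    {"asset": "badge-reader-02", "cve": "CVE-2023-0005", "severity": "high"},
    {"asset": "web-01", "cve": "CVE-2024-0006", "severity": "high"},  # patchable: out of scope
]
APPROVER_ROLES = {"CISO", "Risk Committee"}  # assumed policy-defined approval authority
AS_OF = date(2025, 9, 10)                    # assumed audit date


def review_status(register, as_of, warn_days=30):
    """Classify each acceptance as 'expired', 'due_soon' or 'current' relative to as_of."""
    status = {}
    for rec in register:
        remaining = (rec["expires"] - as_of).days
        if remaining < 0:
            status[rec["asset"]] = "expired"
        elif remaining <= warn_days:
            status[rec["asset"]] = "due_soon"
        else:
            status[rec["asset"]] = "current"
    return status


def uncovered_findings(register, findings, unpatchable):
    """Scanner findings on unpatchable assets that no acceptance record covers.
    Findings on patchable assets belong to the normal patch process and are skipped."""
    covered = {(r["asset"], cve) for r in register for cve in r["cves"]}
    return sorted(
        (f["asset"], f["cve"])
        for f in findings
        if f["asset"] in unpatchable and (f["asset"], f["cve"]) not in covered
    )


def approval_gaps(register, unpatchable, approver_roles):
    """Records approved outside policy or with no compensating control,
    plus unpatchable assets that have no acceptance record at all."""
    gaps = []
    recorded = set()
    for rec in register:
        recorded.add(rec["asset"])
        if rec["approver"] not in approver_roles:
            gaps.append((rec["asset"], "approver not authorised by policy"))
        if not rec["controls"]:
            gaps.append((rec["asset"], "no compensating controls"))
    for asset in sorted(unpatchable - recorded):
        gaps.append((asset, "no risk acceptance on file"))
    return gaps


def audit(register, findings, unpatchable, approver_roles, as_of, warn_days=30):
    """Run all three checks and return the findings grouped by type."""
    status = review_status(register, as_of, warn_days)
    return {
        "expired": sorted(a for a, s in status.items() if s == "expired"),
        "due_soon": sorted(a for a, s in status.items() if s == "due_soon"),
        "uncovered": uncovered_findings(register, findings, unpatchable),
        "gaps": approval_gaps(register, unpatchable, approver_roles),
    }


if __name__ == "__main__":
    report = audit(REGISTER, SCAN_FINDINGS, UNPATCHABLE_ASSETS, APPROVER_ROLES, AS_OF)
    for section, items in report.items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

On the constructed data this flags plc-line3 as expired, hmi-legacy as due within 30 days, a new critical CVE on plc-line3 and the badge reader's CVE as uncovered, hmi-legacy as approved by an unauthorised role with no compensating controls, and badge-reader-02 as having no acceptance at all. In a real engagement the register would be exported from the GRC tool and the findings from the scanner, and the asset identifiers on both sides must be normalised before the join, since mismatched hostnames silently hide uncovered vulnerabilities.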
Where this control is tested