Vulnerability scanning
Description
What this control does
Vulnerability scanning is an automated security practice that systematically probes network-connected systems, applications, and infrastructure components to identify known security weaknesses, misconfigurations, missing patches, and exploitable vulnerabilities. Organizations deploy authenticated and unauthenticated scanners on scheduled intervals (typically weekly or monthly for production systems, more frequently for critical assets) to discover exposures before attackers can exploit them. Effective programs integrate scanning results with patch management workflows, risk registers, and security remediation tracking systems to ensure timely response to identified threats.
Control objective
What auditing this proves
Demonstrate that the organization maintains a regular, comprehensive vulnerability scanning program that identifies security weaknesses across all in-scope systems and that findings are tracked, prioritized, and remediated according to defined timelines.
Associated risks
Risks this control addresses
- Unpatched systems remain exploitable through publicly disclosed vulnerabilities with available exploit code
- Misconfigurations in web applications, databases, or network devices create unauthorized access pathways
- Shadow IT assets operate outside vulnerability management processes and accumulate undetected exposures
- Critical vulnerabilities remain undetected between scan intervals, allowing attackers to establish persistence
- Scanning coverage gaps exclude servers, containers, or cloud workloads from vulnerability detection
- Unauthenticated scans produce false negatives, missing vulnerabilities that can only be detected with privileged access to the host
- Remediation efforts focus on low-severity issues while critical exposures persist due to inadequate prioritization
Testing procedure
How an auditor verifies this control
- Obtain and review the vulnerability management policy documenting scan frequency, scope definition, tool configurations, and remediation SLAs by severity level
- Request a complete asset inventory and compare it against the scanning tool's configured target lists to identify coverage gaps or excluded systems
- Export vulnerability scan configurations from the scanning platform to verify authentication methods (credentialed vs. non-credentialed), scan templates, and plugin/signature update schedules
- Pull scan execution logs covering the most recent 90-day period and verify that scheduled scans completed successfully across all defined asset groups within their assigned windows
- Select a representative sample of 10-15 assets spanning different environments (production, development, cloud, on-premises) and review their most recent scan reports for completeness and recency
- Extract a list of open high and critical severity vulnerabilities older than the defined remediation SLA and review associated tickets to assess remediation tracking and exception handling
- Interview vulnerability management personnel to understand processes for triaging false positives, escalating critical findings, and coordinating remediation with system owners
- Test one authenticated scan against a sample system and verify that credentials provide sufficient access to detect operating system, installed software, and configuration-level vulnerabilities
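The steps above compare an asset inventory against the scanner's target list, check that scans completed within the review window, flag non-credentialed scans, and age open findings against the remediation SLA. The script below is an added example that automates those checks over exported data; it is not part of the original page or any scanning product. The asset, scan-log and finding records, their field names (hostname, ip, status, authenticated, first_seen, ticket) and the SLA values are all constructed assumptions about what a CMDB export and a scanner export would contain.

```python
"""Audit checks for a vulnerability scanning program (added example, not the page's own code).
All inputs below are constructed; field names and SLA values are assumptions."""
from datetime import date, timedelta

# Remediation SLAs in days by severity (constructed policy values)
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed asset inventory, as a CMDB export would look
ASSET_INVENTORY = [
    {"hostname": "web-prod-01", "env": "production", "ip": "10.0.1.10"},
    {"hostname": "db-prod-01", "env": "production", "ip": "10.0.1.20"},
    {"hostname": "app-dev-03", "env": "development", "ip": "10.0.5.30"},
    {"hostname": "k8s-node-07", "env": "cloud", "ip": "10.0.9.70"},
]

# Constructed scanner target list (what the tool is configured to scan)
SCAN_TARGETS = {"10.0.1.10", "10.0.1.20", "10.0.5.30"}

# Constructed scan execution log entries
SCAN_LOG = [
    {"target": "10.0.1.10", "started": date(2024, 5, 28), "status": "completed", "authenticated": True},
    {"target": "10.0.1.20", "started": date(2024, 5, 28), "status": "completed", "authenticated": False},
    {"target": "10.0.5.30", "started": date(2024, 2, 10), "status": "completed", "authenticated": True},
    {"target": "10.0.5.30", "started": date(2024, 5, 28), "status": "failed", "authenticated": True},
]

# Constructed export of open findings with their tracking tickets
OPEN_FINDINGS = [
    {"id": "F-1", "target": "10.0.1.10", "severity": "critical", "first_seen": date(2024, 4, 1), "ticket": "CHG-1001"},
    {"id": "F-2", "target": "10.0.1.10", "severity": "high", "first_seen": date(2024, 5, 20), "ticket": "CHG-1002"},
    {"id": "F-3", "target": "10.0.1.20", "severity": "high", "first_seen": date(2024, 3, 15), "ticket": None},
    {"id": "F-4", "target": "10.0.5.30", "severity": "low", "first_seen": date(2023, 6, 1), "ticket": "CHG-0900"},
]

AS_OF = date(2024, 6, 1)  # review date for the audit


def coverage_gaps(inventory, targets):
    """Inventory assets the scanner is not configured to scan at all."""
    return [a["hostname"] for a in inventory if a["ip"] not in targets]


def stale_or_failed_targets(targets, log, as_of, window_days=90):
    """Configured targets with no successful scan inside the review window."""
    cutoff = as_of - timedelta(days=window_days)
    scanned_ok = {e["target"] for e in log if e["status"] == "completed" and e["started"] >= cutoff}
    return sorted(t for t in targets if t not in scanned_ok)


def unauthenticated_targets(log):
    """Targets whose most recent scan ran without credentials (higher false-negative risk)."""
    latest = {}
    for e in log:
        if e["target"] not in latest or e["started"] > latest[e["target"]]["started"]:
            latest[e["target"]] = e
    return sorted(t for t, e in latest.items() if not e["authenticated"])


def sla_breaches(findings, as_of, sla=SLA_DAYS):
    """Open findings older than their severity's SLA, most overdue first, with ticket status."""
    out = []
    for f in findings:
        age = (as_of - f["first_seen"]).days
        limit = sla[f["severity"]]
        if age > limit:
            out.append({"id": f["id"], "severity": f["severity"], "age_days": age,
                        "overdue_by": age - limit, "tracked": f["ticket"] is not None})
    return sorted(out, key=lambda r: r["overdue_by"], reverse=True)


if __name__ == "__main__":
    print("coverage gaps:", coverage_gaps(ASSET_INVENTORY, SCAN_TARGETS))
    print("no successful scan in window:", stale_or_failed_targets(SCAN_TARGETS, SCAN_LOG, AS_OF))
    print("last scan unauthenticated:", unauthenticated_targets(SCAN_LOG))
    for row in sla_breaches(OPEN_FINDINGS, AS_OF):
        print("SLA breach:", row)
```

On the constructed data this reports the cloud node missing from the scanner's targets, the development host whose only successful scan predates the 90-day window, the database host scanned without credentials, and three overdue findings, one of them with no remediation ticket; each of those maps to one of the testing steps above.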
Where this control is tested