When to use this
Use this procedure to define how the organization identifies, evaluates, treats, retests, and reports technical vulnerabilities.
Related controls
Procedure outline
| Step | Owner | Evidence |
|---|---|---|
| Maintain asset and scan scope | TBD | Asset/scanning scope |
| Monitor vulnerability sources | TBD | Source list / advisories |
| Run scans or tests | TBD | Scan/test reports |
| Risk-rate findings | TBD | Risk rating / tracker |
| Select treatment | TBD | Patch / mitigation / exception |
| Test and deploy patch | TBD | Change record |
| Retest | TBD | Retest report |
| Report metrics | TBD | Dashboard/report |
Minimum checks
- Vulnerability sources are defined.
- Scan scope covers relevant systems.
- Severity and exposure criteria are defined.
- Remediation timelines are defined.
- Patch testing and rollback are defined.
- Exceptions require risk acceptance.
- Retesting is required before closure.
- Template
- Iso27001
- Technological controls
- Vulnerability management
Note Metadata
Aliases: Technical Vulnerability Management Procedure
Source: 90 Templates/Vulnerability Management Procedure.md
Related Notes
- Risk Assessment
- Statement of Applicability
- A.8.8 Audit Evidence Pack
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- A.8 Technological Controls MOC
- A.8 Technological Controls Implementation Guide
- A.8 Technological Controls Audit Guide
- A.8 Technological Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- A.8.8 Audit Checklist
- Vulnerability Register and Remediation Tracker
- Templates MOC