INF-007 Vulnerability Management
Description
A vulnerability management programme is in place that covers authenticated vulnerability scanning of production systems and applications at a defined frequency (at least monthly), risk-based prioritisation of findings using an industry-standard scoring method (e.g., CVSS), and tracked remediation within defined SLAs by severity. Critical and high vulnerabilities have documented remediation deadlines.
Rationale
Unpatched vulnerabilities are the most commonly exploited attack vector. A formalised programme with SLA-bound remediation ensures the organisation's exposure is actively managed, not just measured.
Framework Mappings (6)
| Control ID | Control Name | Coverage |
|---|---|---|
| TVM-03 | Vulnerability Identification | full |
| TVM-08 | Vulnerability Remediation Schedule | full |
| TVM-09 | Vulnerability Prioritization | full |
| 8.8 | Management of technical vulnerabilities | full |
| RA-5 | Vulnerability Monitoring and Scanning | full |
| SI-2 | Flaw Remediation | full |
Evidence (2)
Authenticated vulnerability scan results for production systems and applications covering the most recent scan cycle, with findings risk-rated by CVSS score.
Example: Qualys, Tenable Nessus, or Rapid7 InsightVM scan report for production environment, exported within the last 30 days, showing CVSS scores and open/closed status per finding
Test: Request the most recent vulnerability scan report and the remediation tracking register. Verify: (1) scans are authenticated and cover all in-scope production systems; (2) findings are rated using CVSS or an equivalent severity framework; (3) critical findings (CVSS 9.0+) show a remediation due date within the documented SLA; (4) overdue findings have a documented exception or compensating control.
Vulnerability remediation tracking register showing open findings, assigned owners, due dates, and completion records for the last full scan cycle.
Example: Jira vulnerability backlog, Qualys remediation dashboard export, or equivalent tracking record showing finding age, assignee, severity, and status for the last 90-day window
Test: Request the remediation tracking register. Verify: (1) all open critical and high findings have an assigned owner and SLA-compliant due date; (2) closed findings include a completion date and evidence of fix (patch applied, config changed, or compensating control documented); (3) the percentage of overdue critical/high findings is within the defined acceptable threshold.
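The two evidence tests above can be applied mechanically to a scanner or ticket export rather than by eye. The script below is an added example, not part of the control catalogue or any vendor's tooling: it parses a constructed CSV register, bands findings by CVSS score (critical 9.0+, high 7.0 to 8.9), and flags the conditions the tests name (open critical/high findings without an owner, due dates beyond the SLA, overdue findings with no documented exception, closed findings without a completion date or fix evidence), then reports the percentage of overdue critical/high findings against an acceptable threshold. The column layout, the SLA days other than the page's 7 to 14 day expectation for critical, and the 5% threshold are assumptions to be replaced with the organisation's documented values.

```python
"""Automated pass over a remediation register against the INF-007 evidence tests.

Added example: the register rows below are constructed, and the SLA days and
overdue threshold are assumptions, not figures from the control catalogue.
"""
import csv
import io
from datetime import date, timedelta

# Assumed remediation SLAs in days from first detection. The catalogue gives
# 7-14 days as the industry expectation for critical; the other bands here are
# placeholders to be replaced with the organisation's documented values.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Assumed acceptable percentage of open critical/high findings that may be
# overdue without a documented exception (evidence test 2, check 3).
MAX_OVERDUE_PCT = 5.0

# Constructed sample export in the shape a scanner or ticket export might take
# (finding id, asset, CVSS base score, status, dates, owner, fix evidence,
# exception reference). Not real findings.
SAMPLE_REGISTER = """\
finding_id,asset,cvss,status,first_seen,due_date,closed_date,owner,fix_evidence,exception
F-001,web-01,9.8,open,2024-01-02,2024-01-16,,alice,,
F-002,db-01,7.5,open,2024-01-05,2024-02-04,,bob,,
F-003,app-02,9.1,open,2023-12-01,2023-12-15,,,,
F-004,web-01,5.3,closed,2024-01-03,2024-04-02,2024-01-20,carol,patch applied (change CHG-placeholder),
F-005,api-01,9.0,open,2023-12-20,2024-01-03,,dave,,EXC-placeholder: compensating WAF rule
F-006,web-02,8.2,closed,2024-01-01,2024-01-31,,bob,,
"""


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_register(text: str) -> list[dict]:
    """Parse the CSV export, converting scores and ISO dates to typed values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        row["severity"] = severity(row["cvss"])
        for key in ("first_seen", "due_date", "closed_date"):
            row[key] = date.fromisoformat(row[key]) if row[key] else None
        rows.append(row)
    return rows


def check_register(text: str, today_iso: str) -> dict:
    """Apply the evidence-test checks; returns the issues and the overdue ratio."""
    today = date.fromisoformat(today_iso)
    issues = []
    crit_high_open = 0
    overdue_unexcepted = 0
    for f in parse_register(text):
        fid, sev = f["finding_id"], f["severity"]
        sla_due = f["first_seen"] + timedelta(days=SLA_DAYS[sev])
        if f["status"] == "closed":
            # Closed findings need a completion date and evidence of the fix.
            if f["closed_date"] is None or not f["fix_evidence"]:
                issues.append(f"{fid}: closed without completion date or fix evidence")
            continue
        if sev in ("critical", "high"):
            crit_high_open += 1
            if not f["owner"]:
                issues.append(f"{fid}: open {sev} finding has no assigned owner")
            if f["due_date"] is None or f["due_date"] > sla_due:
                issues.append(f"{fid}: due date missing or later than the {sev} SLA ({sla_due})")
        # Past-due findings must carry a documented exception or compensating control.
        if f["due_date"] is not None and f["due_date"] < today and not f["exception"]:
            if sev in ("critical", "high"):
                overdue_unexcepted += 1
            issues.append(f"{fid}: overdue since {f['due_date']} with no documented exception")
    overdue_pct = 100.0 * overdue_unexcepted / crit_high_open if crit_high_open else 0.0
    return {
        "issues": issues,
        "overdue_pct": overdue_pct,
        "within_threshold": overdue_pct <= MAX_OVERDUE_PCT,
    }


if __name__ == "__main__":
    result = check_register(SAMPLE_REGISTER, "2024-01-20")
    for line in result["issues"]:
        print(line)
    print(f"overdue critical/high: {result['overdue_pct']:.1f}% "
          f"(within threshold: {result['within_threshold']})")
```

Run against the sample as of 2024-01-20, the script flags F-001 and F-003 as overdue without an exception, F-003 as unowned, and F-006 as closed without a completion date, while F-005 passes because its exception is recorded; two of four open critical/high findings are overdue, so the 50% figure fails the assumed threshold. The due-date check compares against the SLA computed from first detection rather than trusting the date in the export, which catches registers where due dates were pushed out without an exception being logged.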
Questions (3)
Is a vulnerability management programme in place covering authenticated scanning of production systems at least monthly, risk-based prioritisation using CVSS or equivalent, and SLA-bound remediation by severity?
The programme should cover both infrastructure and application layers. Scan credentials should be verified — unauthenticated scans miss a significant portion of findings.
What is the defined SLA for remediating critical severity vulnerabilities (CVSS 9.0 and above) in production systems?
Industry expectation for critical vulnerabilities is 7–14 days. 30 days is the acceptable outer limit only when compensating controls are documented for the gap period.
Which tooling is used for authenticated vulnerability scanning of production systems?
Any reputable authenticated scanner is acceptable. The key requirement is that scans are authenticated and cover all in-scope production systems, not just public-facing endpoints.