What Is Vulnerability Management?
Vulnerability management is the continuous, systematic process of identifying, evaluating, treating, and reporting security vulnerabilities across an organisation's technology estate. It transforms raw vulnerability data into actionable risk reduction.
A mature programme goes far beyond running a scanner — it encompasses asset discovery, risk-based prioritisation, remediation workflows, exception handling, metrics tracking, and compliance reporting.
The Vulnerability Management Lifecycle
| Phase | Activities | Key Outputs |
|---|---|---|
| 1. Asset Discovery | Maintain a complete, up-to-date inventory of all hardware, software, and cloud assets | Asset register with criticality ratings |
| 2. Vulnerability Identification | Run authenticated scans, review advisories, monitor threat feeds | Raw vulnerability findings |
| 3. Prioritisation | Score by CVSS + asset criticality + exploitability + business context | Prioritised remediation queue |
| 4. Remediation | Patch, configure, upgrade, or apply compensating controls | Closed vulnerabilities, change records |
| 5. Verification | Re-scan to confirm fixes, validate compensating controls | Verification evidence |
| 6. Reporting | Dashboard metrics, trend analysis, compliance reports | Management and audit reports |
| 7. Governance | Policy review, SLA adjustments, programme maturity assessment | Updated policies, process improvements |
Vulnerability Scoring and Prioritisation
CVSS Severity Levels
| Severity | CVSS Score | Typical Remediation SLA | Examples |
|---|---|---|---|
| Critical | 9.0 – 10.0 | 24-72 hours | Remote code execution, authentication bypass |
| High | 7.0 – 8.9 | 7-14 days | Privilege escalation, SQL injection |
| Medium | 4.0 – 6.9 | 30-60 days | Cross-site scripting, information disclosure |
| Low | 0.1 – 3.9 | 90 days | Minor configuration issues, low-impact bugs |
| None (scanners usually label this "Informational") | 0.0 | Best effort | Best practice recommendations |
The examples show typical placements only: the same bug class lands in different bands depending on its vector and impact, so an unauthenticated SQL injection that exposes a whole database scores Critical, not High.
Risk-Based Prioritisation
CVSS alone is insufficient. Combine these factors for effective prioritisation:
| Factor | Description | Weight |
|---|---|---|
| CVSS base score | Intrinsic severity of the vulnerability | Baseline |
| Exploitability | Does a known exploit exist? Is it actively exploited? (CISA KEV catalogue) | High |
| Asset criticality | How important is the affected system to the business? | High |
| Exposure | Is the asset internet-facing or internal-only? | Medium |
| Data sensitivity | What classification level of data does it handle? | Medium |
| Compensating controls | Are there mitigating controls already in place? | Adjusting |
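One way to turn the factor table above into a working scoring model, as an added example rather than code from this page or from any vendor product: CVSS supplies the baseline, KEV listing and asset criticality add the most weight, exposure and data sensitivity add less, and compensating controls scale the result down. The point values, the priority thresholds, the "KEV on an internet-facing asset is always P1" override and the sample findings are assumptions chosen for illustration and need calibrating against your own estate.

```python
"""Risk-based prioritisation of scanner findings (Python 3.9+).

Added example for this page; it is not code from the original article or
from any vendor product. The point weights, the priority thresholds and the
sample findings below are constructed for illustration and must be
calibrated against your own estate before use.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    finding_id: str
    cvss: float                          # CVSS base score, 0.0 - 10.0
    asset: str
    asset_criticality: int               # 1 (lab box) .. 4 (crown jewel)
    internet_facing: bool
    data_sensitivity: int                # 1 (public) .. 4 (restricted / regulated)
    in_kev: bool = False                 # listed in the CISA KEV catalogue
    exploit_public: bool = False         # a working public exploit or PoC exists
    compensating_controls: float = 0.0   # fraction of risk removed by controls, 0.0 - 0.9


def risk_score(f: Finding) -> float:
    """CVSS x 10 is the baseline; context adds points, controls scale the total down."""
    score = f.cvss * 10.0                          # 0 - 100 baseline
    if f.in_kev:                                   # actively exploited in the wild
        score += 30.0
    elif f.exploit_public:                         # exploitable, not yet seen exploited
        score += 15.0
    score += 10.0 * (f.asset_criticality - 1)      # 0 - 30
    score += 15.0 if f.internet_facing else 0.0    # reachable from the internet
    score += 5.0 * (f.data_sensitivity - 1)        # 0 - 15
    reduction = min(max(f.compensating_controls, 0.0), 0.9)  # controls never remove all risk
    return round(score * (1.0 - reduction), 1)


def priority(f: Finding) -> str:
    """Map a finding to a remediation priority (P1 gets the 24-72 h SLA)."""
    if f.in_kev and f.internet_facing:             # policy override (assumed): KEV on a reachable asset is always P1
        return "P1"
    s = risk_score(f)
    if s >= 120.0:
        return "P1"
    if s >= 90.0:
        return "P2"
    if s >= 40.0:
        return "P3"
    return "P4"


def prioritise(findings: List[Finding]) -> List[Tuple[str, float, Finding]]:
    """Return the remediation queue as (priority, score, finding), highest risk first."""
    queue = [(priority(f), risk_score(f), f) for f in findings]
    return sorted(queue, key=lambda item: item[1], reverse=True)


# Constructed sample findings; asset names and context are invented for the example.
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, "dev-build-07", 1, False, 1, compensating_controls=0.5),  # critical CVSS, isolated lab host
    Finding("F-2", 7.5, "payments-api", 4, True, 4, in_kev=True, exploit_public=True),
    Finding("F-3", 5.3, "hr-portal", 3, False, 4, exploit_public=True),
    Finding("F-4", 9.1, "vpn-gateway", 4, True, 2, compensating_controls=0.2),
]


if __name__ == "__main__":
    for prio, score, f in prioritise(SAMPLE_FINDINGS):
        print(f"{prio} {score:6.1f}  {f.finding_id:4} CVSS {f.cvss:<4} on {f.asset}")
```

Run as a script, the queue puts the CVSS 7.5 KEV-listed finding on the internet-facing payments API first and the CVSS 9.8 finding on the isolated build host last, which is the point of the factor table: the raw score alone would have ordered them the other way round.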
Scanning Types
| Scan Type | Purpose | Frequency | Tools |
|---|---|---|---|
| Network vulnerability scan | Discover known CVEs in OS and services | Weekly minimum | Nessus, Qualys, Rapid7 InsightVM |
| Authenticated scan | Deep scan with system credentials for accurate results | Weekly | Same as above, with credentials |
| Web application scan (DAST) | Test running web apps for OWASP Top 10 | Per release + monthly | OWASP ZAP, Burp Suite, Acunetix |
| Static analysis (SAST) | Analyse source code for vulnerabilities | Every commit (CI/CD) | SonarQube, Checkmarx, Semgrep |
| Software composition analysis (SCA) | Identify vulnerable open-source dependencies | Every build | Snyk, Dependabot, Grype |
| Container image scan | Scan container images for known CVEs | Every build + registry scan | Trivy, Grype, Prisma Cloud |
| Cloud configuration scan | Check cloud infrastructure for misconfigurations | Continuous | CSPM tools, Prowler |
| Infrastructure as Code scan | Scan IaC templates before deployment | Every commit | Checkov, tfsec, KICS |
Building a Vulnerability Management Programme
Essential Components
| Component | Description | Maturity Indicator |
|---|---|---|
| Policy | Documented vulnerability management policy with scope, roles, SLAs | Approved by management, reviewed annually |
| Asset inventory | Complete, classified inventory of all assets | Automated discovery, updated continuously |
| Scanning coverage | All assets scanned on schedule | >95% coverage, authenticated scans |
| Prioritisation framework | Risk-based approach beyond raw CVSS | Context-aware scoring with business input |
| Remediation workflows | Ticketing integration, assignment, tracking | Automated ticket creation, SLA tracking |
| Exception management | Formal process for risk acceptance | Documented, time-bounded, approved |
| Metrics and reporting | KPIs tracked and reported to management | Dashboard with trend analysis |
| Continuous improvement | Regular programme reviews and maturity assessments | Annual maturity scoring |
Key Metrics
| Metric | What It Measures | Target |
|---|---|---|
| Mean time to remediate (MTTR) | Average days from discovery to fix | Critical <3 days, High <14 days |
| Scan coverage | % of assets scanned on schedule | >95% |
| Vulnerability density | Vulnerabilities per asset or per 1,000 lines of code | Decreasing trend |
| SLA compliance rate | % of vulnerabilities fixed within SLA | >90% |
| Overdue vulnerabilities | Count of vulnerabilities past SLA | Decreasing trend |
| Risk exception count | Number of open risk exceptions | Stable or decreasing |
| Recurrence rate | Vulnerabilities that reappear after fix | <5% |
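The KPIs above computed over a constructed ticket export, as an added example that is not code from this page or from a vendor product. The SLA clocks reuse the upper bounds of the severity table; the exact definition of SLA compliance rate (decided tickets only), the sample tickets, the reporting date and the asset names are assumptions made for the example.

```python
"""Vulnerability-management KPIs from a remediation ticket export (Python 3.9+).

Added example for this page; it is not code from the original article or from
any vendor product. The tickets, the asset inventory and the scan results are
constructed for illustration; the SLA clocks are the upper bounds of the
page's severity table.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

SLA_DAYS = {"Critical": 3, "High": 14, "Medium": 60, "Low": 90}


@dataclass
class Ticket:
    ticket_id: str
    severity: str
    discovered: date
    closed: Optional[date] = None    # None while the ticket is still open
    reopened: bool = False           # the finding came back after being marked fixed


def age_days(t: Ticket, as_of: date) -> int:
    """Days the finding has been (or was) open; the clock stops at closure."""
    return ((t.closed or as_of) - t.discovered).days


def within_sla(t: Ticket, as_of: date) -> bool:
    return age_days(t, as_of) <= SLA_DAYS[t.severity]


def mttr_by_severity(tickets: List[Ticket]) -> Dict[str, float]:
    """Mean days from discovery to fix, per severity, over closed tickets only."""
    days = defaultdict(list)
    for t in tickets:
        if t.closed is not None:
            days[t.severity].append((t.closed - t.discovered).days)
    return {sev: round(sum(d) / len(d), 1) for sev, d in days.items()}


def overdue_open(tickets: List[Ticket], as_of: date) -> List[str]:
    """IDs of open tickets already past their SLA."""
    return [t.ticket_id for t in tickets if t.closed is None and not within_sla(t, as_of)]


def sla_compliance_rate(tickets: List[Ticket], as_of: date) -> float:
    """Percentage fixed within SLA, over tickets whose SLA outcome is decided
    (every closed ticket plus every open ticket already past SLA). Open tickets
    still inside SLA are left out so new findings do not distort the rate."""
    decided = [t for t in tickets if t.closed is not None or not within_sla(t, as_of)]
    met = [t for t in decided if t.closed is not None and within_sla(t, as_of)]
    return round(100.0 * len(met) / len(decided), 1) if decided else 100.0


def recurrence_rate(tickets: List[Ticket]) -> float:
    """Percentage of closed tickets whose finding reappeared after the fix."""
    closed = [t for t in tickets if t.closed is not None]
    return round(100.0 * sum(t.reopened for t in closed) / len(closed), 1) if closed else 0.0


def scan_coverage(inventory: List[str], scanned: List[str]) -> Tuple[float, List[str]]:
    """Percentage of inventoried assets seen by a scan in the period, plus the gaps."""
    assets = set(inventory)
    missed = sorted(assets - set(scanned))
    return round(100.0 * (len(assets) - len(missed)) / len(assets), 1), missed


def kpi_report(tickets: List[Ticket], inventory: List[str], scanned: List[str], as_of: date) -> dict:
    coverage, gaps = scan_coverage(inventory, scanned)
    return {
        "mttr_days": mttr_by_severity(tickets),
        "sla_compliance_pct": sla_compliance_rate(tickets, as_of),
        "overdue_open": overdue_open(tickets, as_of),
        "recurrence_pct": recurrence_rate(tickets),
        "scan_coverage_pct": coverage,
        "unscanned_assets": gaps,
    }


# Constructed sample data: a reporting window ending 2024-06-30.
AS_OF = date(2024, 6, 30)
TICKETS = [
    Ticket("T-1", "Critical", date(2024, 6, 1), date(2024, 6, 2)),
    Ticket("T-2", "Critical", date(2024, 6, 10), date(2024, 6, 15)),   # 5 days: SLA breach
    Ticket("T-3", "High", date(2024, 6, 1), date(2024, 6, 10)),
    Ticket("T-4", "High", date(2024, 6, 5)),                            # open 25 days: overdue
    Ticket("T-5", "Medium", date(2024, 6, 20)),                         # open, still inside SLA
    Ticket("T-6", "Low", date(2024, 4, 1), date(2024, 6, 1)),
    Ticket("T-7", "High", date(2024, 5, 1), date(2024, 5, 10), reopened=True),
]
INVENTORY = ["web-01", "web-02", "web-03", "db-01", "db-02", "vpn-01", "build-01", "hr-app-01"]
SCANNED = ["web-01", "web-02", "web-03", "db-01", "db-02", "vpn-01", "hr-app-01"]

if __name__ == "__main__":
    for name, value in kpi_report(TICKETS, INVENTORY, SCANNED, AS_OF).items():
        print(f"{name:20} {value}")
```

Two design choices matter for audit credibility: the SLA clock starts at discovery, not at ticket creation, so a slow hand-off from scanner to ticketing shows up as a breach rather than being hidden; and open tickets still inside SLA are excluded from the compliance rate, otherwise a large scan run would make the rate swing on the day it lands.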
Compliance Requirements
Framework Mapping
| Requirement | ISO 27001 | SOC 2 | NIS2 | DORA | PCI DSS |
|---|---|---|---|---|---|
| Vulnerability scanning | A.8.8 | CC7.1 | Art. 21(2)(e) | Art. 9(2) | Req. 11.3 |
| Patch management | A.8.8 | CC7.1 | Art. 21(2)(e) | Art. 9(2) | Req. 6.3.3 |
| Risk-based prioritisation | A.8.8 | CC3.2 | Art. 21(2)(a) | Art. 9(1) | Req. 6.3.1 |
| Remediation tracking | A.8.8 | CC7.2 | Art. 21(2)(e) | Art. 9(2) | Req. 11.3.3 |
| Exception management | A.5.1 | CC3.2 | Art. 21(1) | Art. 9(1) | Req. 6.3.2 |
| Reporting to management | A.5.1 | CC4.2 | Art. 20 | Art. 13 | Req. 12.4 |
Audit Evidence
| Evidence Type | Description | Framework |
|---|---|---|
| Vulnerability management policy | Documented policy with SLAs and escalation paths | All frameworks |
| Scan reports | Regular scan outputs showing coverage and findings | All frameworks |
| Remediation tickets | Jira/ServiceNow tickets with timestamps and status | ISO 27001, SOC 2 |
| SLA compliance reports | Dashboard showing % fixed within SLA | All frameworks |
| Exception register | Documented risk acceptances with approvals | All frameworks |
| Trend reports | Month-over-month vulnerability counts and MTTR | SOC 2, NIS2 |
| Penetration test results | Annual penetration testing validating controls | ISO 27001, NIS2, DORA, PCI DSS |
Common Mistakes
| Mistake | Impact | Fix |
|---|---|---|
| Scanning without remediation workflows | Accumulating unfixed vulnerabilities | Integrate with ticketing, assign ownership |
| Treating all vulnerabilities equally | Alert fatigue, misallocated resources | Implement risk-based prioritisation |
| Unauthenticated-only scans | Misses everything only visible from inside the host: missing local patches, vulnerable installed software, weak configuration | Deploy authenticated (credentialed or agent-based) scanning |
| No asset inventory | Unknown scan gaps | Build and maintain automated asset discovery |
| Manual tracking in spreadsheets | Audit failures, lost visibility | Use a dedicated vulnerability management platform |
| Ignoring cloud and container workloads | Growing blind spots | Extend scanning to cloud, containers, IaC |
| No defined SLAs | No accountability for remediation | Document and enforce severity-based SLAs |
How Orbiq Supports Vulnerability Management
Orbiq helps you demonstrate vulnerability management controls to customers and auditors:
- Evidence collection — Centralise scan reports, remediation tickets, and SLA metrics
- Continuous monitoring — Track vulnerability management KPIs across your environment
- Trust Center — Share your vulnerability management posture via your Trust Center
- Compliance mapping — Map vulnerability management controls to ISO 27001, SOC 2, NIS2, and DORA requirements
- Audit readiness — Pre-built evidence packages for auditor review
Further Reading