What is Vulnerability Management

Vulnerability Management: Is Your Organization Covered?

An information security program comprises many layers and sub-programs that work together to cover specific threats and areas. One important component of any comprehensive information security program is a vulnerability management program.

What is Vulnerability Management?

ISO/IEC 27002 defines a vulnerability as “a weakness of an asset or group of assets that can be exploited by one or more threats.” Vulnerability management is the continuous cycle of identifying, classifying, remediating, and mitigating those weaknesses. Because the threat landscape is constantly changing, the cycle starts over as soon as it completes, to pick up newly disclosed vulnerabilities, newly deployed assets, and changes in how known threats are being exploited.

Vulnerability Management Program Processes

A vulnerability management program consists of four main processes: discovery of assets and their vulnerabilities, reporting, prioritizing the resulting risks, and deciding how to respond to them. Let’s discuss each process in a bit more detail.

Discovery

In order to protect your organization’s assets, you first have to know what those assets are and where they are located. This is the discovery phase of vulnerability management. An accurate inventory lets you group assets into classes (for example by environment, exposure, and owner) that will later drive how the vulnerabilities found on them are prioritized.

A thorough scan of the environment then reveals the vulnerabilities present on those assets. Be aware that different vulnerability scanning products can produce different results when run with their default settings. Each product must be properly configured, for example by scanning with credentials rather than relying on unauthenticated checks and by scheduling scans outside peak hours, in order to limit false positives and avoid disrupting production systems.

Reporting

This step organizes the data gathered during the discovery phase. It is especially useful for communicating pertinent information to management and to personnel outside the information security team. Reporting ties each finding back to the assets it affects, which in turn lets you prioritize current and potential risks, the next step in the vulnerability management process.

Prioritization

Not every risk demands an emergency response. This is why classifying assets is essential: it puts each risk in perspective so you can decide whether to remediate it, mitigate it, or simply accept it. A vulnerability on a system in a test environment, for example, will not be as high a priority as the same vulnerability on a production system. Deciding in advance how different classes of risks and assets will be handled lets your organization respond more quickly and consistently when a serious risk arises.

Response

Once your team has decided on a course of action, the final step in the vulnerability management process is to take that action. This could mean installing patches to remediate a risk, or mitigating it with a compensating control such as a web application firewall. If the asset owner or management decides that a risk should be accepted, a risk acceptance process should be in place to document who accepted it, why, and for how long, so that the decision is revisited rather than forgotten.
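The following script walks through the four steps above end to end: it joins constructed scanner findings to a constructed asset inventory, scores and prioritizes each finding by the asset's environment and exposure, routes it to remediate, mitigate, accept, or investigate, and honours a dated risk-acceptance register so that lapsed acceptances come back for a fresh decision. It is an added example, not CISOSHARE code; the hostnames, check IDs, weights, thresholds, and SLA days are all assumptions chosen for illustration.

```python
"""Worked triage of scanner findings against an asset inventory.

Added example (not CISOSHARE code). All hosts, check IDs, weights, thresholds
and SLAs are constructed for illustration; substitute your own inventory,
scanner export and risk appetite."""
from dataclasses import dataclass
from datetime import date

TODAY = date(2025, 1, 1)  # fixed so the run is reproducible

# Discovery output: constructed asset inventory with the classes used for prioritizing.
ASSETS = {
    "web-01":   {"environment": "production", "exposure": "internet", "owner": "web-team"},
    "db-01":    {"environment": "production", "exposure": "internal", "owner": "dba"},
    "web-test": {"environment": "test",       "exposure": "internal", "owner": "web-team"},
}

# Constructed findings, shaped like rows of a scanner CSV export.
FINDINGS = [
    {"host": "web-01",   "check_id": "OPENSSL-001",     "cvss": 9.8, "exploit_public": True},
    {"host": "db-01",    "check_id": "DBMS-042",        "cvss": 7.5, "exploit_public": False},
    {"host": "web-test", "check_id": "OPENSSL-001",     "cvss": 9.8, "exploit_public": True},
    {"host": "web-01",   "check_id": "TLS-WEAK-CIPHER", "cvss": 4.3, "exploit_public": False},
    {"host": "ghost-99", "check_id": "MISC-1",          "cvss": 5.0, "exploit_public": False},
]

# Risk-acceptance register: who accepted the risk, and when the acceptance lapses.
ACCEPTED = {
    ("web-01", "TLS-WEAK-CIPHER"): {"by": "web-team", "expires": date(2030, 1, 1)},
    ("db-01",  "DBMS-042"):        {"by": "dba",      "expires": date(2020, 1, 1)},  # lapsed
}

ENV_WEIGHT      = {"production": 1.0, "staging": 0.7, "test": 0.3}   # assumed weights
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6}
EXPLOIT_FACTOR  = 1.5                                                 # public exploit available
ACTION_FOR = {"P1": ("remediate", 7), "P2": ("mitigate", 30), "P3": ("schedule", 90)}  # action, SLA days


@dataclass
class Decision:
    host: str
    check_id: str
    score: float
    priority: str
    action: str
    due_days: int
    note: str = ""


def score_finding(finding, asset):
    """Scale the scanner's CVSS by where the asset sits and how exposed it is (capped at 10)."""
    score = finding["cvss"] * ENV_WEIGHT[asset["environment"]] * EXPOSURE_WEIGHT[asset["exposure"]]
    if finding["exploit_public"]:
        score *= EXPLOIT_FACTOR
    return round(min(score, 10.0), 2)


def priority_for(score):
    return "P1" if score >= 7.0 else "P2" if score >= 4.0 else "P3"


def decide(finding, assets, accepted, today):
    host, check_id = finding["host"], finding["check_id"]
    asset = assets.get(host)
    if asset is None:
        # A finding on a host the inventory never recorded is a discovery gap, not a closed case.
        return Decision(host, check_id, 0.0, "UNKNOWN", "investigate", 0, "host missing from inventory")
    score = score_finding(finding, asset)
    priority = priority_for(score)
    action, due = ACTION_FOR[priority]
    note = ""
    acceptance = accepted.get((host, check_id))
    if acceptance is not None:
        if acceptance["expires"] >= today:
            return Decision(host, check_id, score, priority, "accept", 0,
                            f"accepted by {acceptance['by']} until {acceptance['expires']}")
        note = f"risk acceptance expired {acceptance['expires']}; decision needed again"
    return Decision(host, check_id, score, priority, action, due, note)


def triage(findings=FINDINGS, assets=ASSETS, accepted=ACCEPTED, today=TODAY):
    """Return decisions keyed by (host, check_id), the form the reporting step consumes."""
    return {(f["host"], f["check_id"]): decide(f, assets, accepted, today) for f in findings}


def report(decisions, assets=ASSETS):
    """Management view: highest priority first, with owner and deadline on each line."""
    order = {"P1": 0, "P2": 1, "P3": 2, "UNKNOWN": 3}
    lines = []
    for d in sorted(decisions.values(), key=lambda d: (order[d.priority], -d.score)):
        owner = assets.get(d.host, {}).get("owner", "?")
        lines.append(f"{d.priority:<7} {d.score:>5} {d.host:<9} {d.check_id:<16} {d.action:<11} "
                     f"owner={owner} due={d.due_days}d {d.note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage())))
```

Two details are worth copying into a real program regardless of the scoring model you choose: a finding on a host that is not in the inventory is routed to "investigate" rather than scored, because it means the discovery step missed something; and every accepted risk carries an expiry date, so the same finding on `db-01` that was accepted years ago is raised again as an open decision instead of silently staying accepted.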

The vulnerability management process must be repeated, and repeated often, for the data to stay current. Whether scans should run daily, weekly, or on some other schedule will vary from one organization to the next, but the cadence should be fast enough that newly disclosed vulnerabilities and newly deployed assets are picked up before an attacker finds them.

Vulnerability Management Program

Do you have questions or concerns about your organization's information security or vulnerability management program?

Contact the team at CISOSHARE to learn more!
