Vulnerability Management · Preparation Kit

Vulnerability Management Program Readiness

Vulnerability management program preparation materials, from vulnerability scanning, patching process, to remediation SLA. Required in ISO 27001 (A.8.8), SOC 2 (CC7.1), PCI-DSS (Req 6, 11).

Get pTrackly support →

1. Vulnerability Scanning

  • Choose vulnerability scanner: Nessus, Qualys, Rapid7 InsightVM, OpenVAS
  • Scan frequency: internal weekly, external quarterly (PCI-DSS requires quarterly)
  • Scope: all production systems, staging if PHI/CHD present
  • Authenticated scan vs unauthenticated, authenticated provides more accurate results

2. Vulnerability Prioritization

  • CVSS score: Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9)
  • Consider exploitability: public exploit available? Exploited in the wild?
  • Asset criticality: vulnerability on production critical system → higher priority
  • Business context: internet-facing system → higher than internal-only

3. Remediation SLA

  • Critical: patch within 7 days (PCI-DSS requires 30 days but best practice is 7)
  • High: 30 days
  • Medium: 90 days
  • Low: normal maintenance cycle
  • If patching not possible: compensating control (WAF, network segmentation, disable service)

4. Patch Management Process

  • Patch testing: test patch on staging before production deployment
  • Emergency patching process for critical zero-day vulnerabilities
  • Rollback plan if patch causes breaking changes
  • Document patching activity: which patch, when, who applied, any downtime

5. Exception & Compensating Controls

  • When exception needed: patch breaks critical functionality, vendor hasn't released patch
  • Compensating control examples: WAF rule, IPS signature, restrict network access
  • Exception approval: senior management + security team
  • Review exceptions quarterly, can it be patched now?

6. Metrics & Reporting

  • Mean Time to Remediate (MTTR) per severity level
  • % vulnerabilities remediated within SLA
  • Open vulnerability count trend, increasing or decreasing?
  • Monthly vulnerability report to senior management

pTrackly helps you implement Vulnerability Management faster with ready-made templates and automated evidence collection.

Get Free Demo

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo