Most organisations scan for vulnerabilities. Far fewer have a documented vulnerability management program. The scanner runs, generates a report with hundreds of findings, and the report sits in someone’s inbox until the next scan overwrites it. Critical vulnerabilities go unpatched for months. Nobody can explain the remediation SLAs. When the auditor asks for evidence of your vulnerability management process, you produce scan reports and hope that’s sufficient.
It isn’t. Auditors, insurers, and enterprise customers don’t want to see that you scan. They want to see that you have a defined process for identifying, prioritising, remediating, and tracking vulnerabilities — and that the process operates consistently with documented evidence.
What a Vulnerability Management Program Actually Requires
Policy: The Rules
A vulnerability management policy establishes organisational commitment and defines the program scope. It should cover: which systems are in scope (everything, ideally), scanning frequency requirements, remediation SLAs by severity, exception and risk acceptance criteria, roles and responsibilities, and reporting requirements.
The SLA definition is where most policies fail. “Critical vulnerabilities must be remediated promptly” is not a policy. “Critical vulnerabilities (CVSS 9.0+) must be remediated within 72 hours of identification. High vulnerabilities (CVSS 7.0–8.9) within 30 days. Medium (CVSS 4.0–6.9) within 90 days. Low within 180 days or next scheduled maintenance window” — that’s a policy an auditor can verify against your tracking data.
Exception handling is equally important. Not every vulnerability can be patched within the SLA. Legacy systems, vendor dependencies, change freeze periods, and operational constraints create legitimate exceptions. Your policy should define who can approve exceptions, maximum exception duration, required compensating controls, and documentation requirements.
Procedure: The Steps
The vulnerability management procedure translates policy into operational steps. A complete procedure covers the full lifecycle:
Discovery and scanning. Define scan targets, tool configuration, authentication requirements, scan schedules, and who initiates scans. Include both scheduled and ad hoc scanning triggers — new system deployments, significant changes, zero-day disclosures.
Analysis and prioritisation. Raw scanner output needs triage. CVSS scores provide a baseline, but organisational context matters. A medium-severity vulnerability on an internet-facing system handling customer data may warrant higher priority than a critical vulnerability on an isolated lab machine. Document the prioritisation criteria so decisions are consistent and defensible.
Remediation assignment and tracking. Who receives remediation tasks? How are they assigned? What information must the ticket contain? How is progress tracked? What happens when the SLA is about to expire? These steps prevent vulnerabilities from disappearing into the backlog.
Verification and closure. After remediation, how do you confirm the vulnerability is actually fixed? Rescanning is the obvious answer, but the procedure should specify when rescans occur, who validates the results, and what constitutes acceptable closure evidence.
Reporting. Who receives vulnerability metrics, at what frequency, and in what format? Operational teams need different information than executives and auditors. Define the reporting cadence and content for each audience.
Standards: The Technical Baseline
A patching and hardening standard complements the vulnerability management process by defining technical expectations. Patch deployment timelines by system type, approved patch sources, testing requirements before production deployment, rollback procedures, and system hardening baselines.
This standard bridges the gap between the vulnerability management policy and operational IT teams. The policy says “remediate within 30 days.” The standard says “Windows Server patches are deployed to the test environment within 7 days of release, validated for 5 business days, then deployed to production via WSUS with rollback capability.”
The Evidence Trail
Every step in the process should generate evidence. Scan reports with dates and scope. Prioritisation decisions with rationale. Remediation tickets with assignment dates, completion dates, and verification results. Exception approvals with justification and expiry dates. Monthly or quarterly metrics reports.
This evidence serves three purposes. First, it demonstrates the process operates to auditors, customers completing security questionnaires, and cyber insurers evaluating your risk posture. Second, it provides operational visibility into remediation velocity and chronic problem areas. Third, it creates accountability — when every vulnerability has an owner, an SLA, and tracking, the backlog shrinks.
Metrics That Matter
Effective vulnerability management programs track a small set of meaningful metrics rather than drowning in scanner statistics:
Mean time to remediate by severity. Are you meeting your SLAs? Trending better or worse? This is the primary health indicator.
Open vulnerability count by severity and age. How many vulnerabilities are currently past their SLA? This is the metric auditors care about most.
Scan coverage. What percentage of your asset inventory was scanned in the last 30 days? Gaps in coverage are gaps in visibility.
Exception count and age. How many active exceptions exist? Are they being reviewed and closed, or accumulating indefinitely?
Recurrence rate. Are the same vulnerabilities reappearing after remediation? This indicates systemic issues in patching or configuration management.
These metrics should be tracked in a structured workbook or dashboard, not extracted ad hoc from scanner reports when someone asks.
Common Failure Modes
No defined SLAs. Without remediation timeframes, everything is urgent (meaning nothing is). Define severity-based SLAs and enforce them.
Scanning without tracking. Generating scan reports without a tracking log means you can’t demonstrate remediation progress or identify chronic gaps.
No exception process. Vulnerabilities that can’t be remediated within the SLA accumulate silently. A formal exception process with compensating controls and expiry dates keeps these visible and managed.
Metrics without action. Dashboard numbers that nobody reviews or acts on are compliance theatre. Tie metrics to review meetings with defined escalation triggers.
Asset inventory gaps. You can’t manage vulnerabilities on systems you don’t know about. Vulnerability management depends on a current, comprehensive asset inventory.
From Ad Hoc to Auditable
The transformation from ad hoc scanning to a documented, evidence-generating vulnerability management program isn’t technically complex. The scanner doesn’t change. The patches don’t change. What changes is the governance wrapper: policy defining expectations, procedures defining steps, standards defining technical requirements, and tracking tools capturing evidence at every stage.
Most of this documentation can be established in days, not months. The ongoing discipline of following the process and maintaining the evidence trail is where the real work begins.
Ridgeline Cyber Defence provides the Vulnerability & Patch Management Toolkit — 8 documents including policy, procedures, hardening standard, vulnerability tracking log, exception register, and metrics dashboard. Mapped to NIST CSF 2.0, ISO 27001, and CIS Controls v8.
Related Reading
- Risk Management Program: Assessment, BIA & Vendor Risk
- Starting a GRC Program: The Minimum Documentation You Need
Vulnerability & Patch Management Toolkit
Complete VM lifecycle from discovery to remediation.
Implementation Services
Need this customised to your organisation?
We'll customise any product to your organisation and deliver in 1–2 weeks. Fixed price, fully async. You review it, your team runs it.
Foundation $1,997 · Toolkit $2,997 · Suite $5,997 · Program $8,997
Get compliance insights and product updates
Product launches only · No spam · Unsubscribe anytime