psjenkins/ISMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5eade2d99bef262cef5be6d01dc0bbbc9119b82e
ISMS/03-procedures/vulnerability-management-procedure.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00

2.9 KiB
Raw Blame History

Title: Vulnerability Management Procedure Document ID: [PROC-VULN-001] Version: 0.1 Draft Status: Draft Owner: CISO (Paul Jenkins) Approver: CISO (Paul Jenkins) Classification: Internal Effective date: [DD Month YYYY] Review date: [DD Month YYYY]

Vulnerability Management Procedure

Purpose

This procedure defines how BlackDice should identify, assess, prioritise, track, and close vulnerabilities affecting in-scope assets and services.

Scope

This procedure applies to applications, infrastructure, cloud services, Kubernetes environments, endpoints, dependencies, and other in-scope technology assets.

Trigger / When Used

Use this procedure when:

  • new vulnerabilities are identified
  • periodic scanning or review takes place
  • supplier notifications or intelligence indicate exposure
  • incidents, audits, or testing reveal security weaknesses

Procedure Steps

  1. Collect vulnerability findings from approved sources such as scanning, review, supplier notifications, or manual assessment.
  2. Validate the finding and identify the affected asset, service, version, environment, and owner.
  3. Assess severity using technical characteristics, business context, exposure, exploitability, and service criticality.
  4. Determine the remediation approach, such as patching, configuration change, code fix, compensating control, or risk acceptance.
  5. Record the finding, owner, target date, and status in the approved tracking mechanism.
  6. Prioritise remediation for externally exposed services, production workloads, identity systems, CI/CD components, and high-impact assets.
  7. Verify remediation or compensating control implementation before closure.
  8. Escalate overdue, high-risk, or disputed findings as required.

Inputs

  • vulnerability findings
  • asset and owner information
  • severity and business context
  • remediation guidance where available

Outputs / Records

  • vulnerability tracking record
  • remediation actions
  • exception or risk acceptance record where applicable
  • closure evidence

Roles and Responsibilities

  • [Role] must oversee the vulnerability management process.
  • System and service owners must remediate findings affecting their assets.
  • Security or platform reviewers must support validation and prioritisation where required.

Escalation / Exceptions

Escalate where:

  • a high-risk issue affects production or exposed services
  • remediation is overdue or blocked
  • there is disagreement on severity or ownership
  • a workaround is used instead of full remediation

Exceptions and accepted risks must be documented and approved appropriately.

Related Documents

  • Vulnerability and Patch Management Policy
  • Patch Management Procedure
  • Secure Configuration Standard
  • Risk Assessment Procedure

Version Control

Version Date Description of Change Author
0.1 Draft [DD Month YYYY] Initial draft. [Name or Role]
Reference in New Issue View Git Blame Copy Permalink