GRC 101: Vulnerability Management

Chain link that is breaking

Table of contents

Vulnerability management will be crucial to the future of many organizations. To keep up with the rate of change, a sense of urgency must be present. We want to cover the basics in this post, so you are better prepared to undertake your vulnerability management journey.

Vulnerability management is the process of identifying, assessing, and mitigating risks and vulnerabilities. It is an essential part of risk management, encompassing all aspects of managing risks to protect business assets. Vulnerabilities can come in many forms: a flaw in a software system that could leave your organization exposed to an attacker, or human errors, such as clicking on phishing emails that let in attackers.

Typically, security teams use a vulnerability management tool or solution to detect vulnerabilities and then action various processes to fix, patch, or remediate.

Robust vulnerability management solutions use a combination of threat intelligence and IT and business knowledge to review and prioritize risks so that the right individuals can address vulnerabilities as quickly as possible.

What are Vulnerabilities, Risks, and Threats?

To understand the vulnerability management landscape, you need to have a solid understanding of these three concepts:

The International Organization for Standardization (ISO 27002) defines vulnerability as “a weakness of an asset or group of assets that can be exploited by one or more threats.”

A threat is someone or something that exploits this point of weakness; threats attack vulnerabilities.

A risk occurs when that threat exploits a vulnerability and creates damage.

Vulnerability management is not vulnerability assessment! Vulnerability management is an ongoing process.

The Vulnerability Management Process

For your vulnerability management process to succeed, you need to understand what vulnerabilities are, how those vulnerabilities may be exploited, and who might exploit them. You also need a method for identifying new vulnerabilities that arise and an effective way to mitigate them.

There are two main phases when performing vulnerability management. The first is the pre-work phase, with five steps to review, assess, define, and measure all current infrastructure, resources, processes, and tools to identify gaps.

Vulnerability Management Pre-Work

  1.     Determine program scope
  2.     Define roles and responsibilities
  3.     Select vulnerability assessment solution and tools
  4.     Create standard policies and service level agreements (SLAs)
  5.     Identify all asset and context resources

Some of the typical questions answered during this phase are:

  • Which asset types will be measured for vulnerabilities?
  • Of those assets, which ones receive priority?
  • How often should you assess vulnerabilities?
  • Ranking of the most critical assets or hosts.
  • Who should manage and how should this program be managed?
  • What roles and responsibilities do they have?
  • What are the key policies and SLAs that need to be in place?
  • What vendors, tools, or solutions are needed?

An organization’s vulnerability management strategy can be a risk assessment tabletop exercise or a formal program or software as a service solution with standardized tools and processes for identifying vulnerabilities. This solution-based approach saves organizations time by helping identify vulnerabilities before an attacker exploits them.

Once you have finished the pre-work phase and have a plan and a solution in place, you enter the execution phase of vulnerability management. This phase consists of five steps:

  1.     Review and assess
  2.     Prioritize and rank
  3.     Act or mitigate
  4.     Confirm and reassess
  5.     Improve and document

Whether it is a single person or a tool, businesses must establish controls for ongoing vulnerability management. Shelving the steps above for a later time will only incur the possibility of more vulnerabilities, risks, and threats and decrease the ability of successful mitigation. 

Impact of Vulnerability Management

Vulnerabilities are usually caused by the failure to follow the steps in this phase or simply a lack of assigning the appropriate tasks to the proper tool or person. Ignoring vulnerability management means opening you and your business to risks of hackers and other criminal cyberattacks.

Internal users can also introduce vulnerabilities by adding new and unapproved apps technology that the IT team has not yet confirmed. For this, choosing a service or solution is paramount to detect or prevent any negative side effects before it reaches a stage where the entirety of your organization is using it.

Challenges When Implementing Vulnerability Management

The main challenge when deploying vulnerability management is that it can be time-consuming and complicated for companies to find, assess, and remediate vulnerabilities themselves.

A good indicator is if you need help with the vulnerability management pre-work steps and processes. If this is the case, then implementing vulnerability management software that can automate the discovering, fixing, and remediation of such vulnerabilities is your best option.

Whether using third-party vulnerability management software or an internal manual process, you cannot just place guards on the doors and adequately store the keys. You need a robust and "best-in-class" vulnerability management solution provider like LogicGate. 

LogicGate’s Vulnerability Management Solution

Risk Cloud’s Vulnerability Management Application can help you and your organization go from pre-work steps to execution to monitor and address vulnerabilities and ensure timely treatment and mitigation.

Our best-in-class Application captures vulnerability data on impacted assets and ranks the severity of risks to help you mitigate before it is too late. To see the Vulnerability Management Application in action, request a demo or visit us at

Further Reading

GRC Insights Delivered to your Inbox