
How to Meet Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-2

Practical guide for SMBs to implement Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-2

January 17, 2026
3 min read


Requirement

Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-2 – The cybersecurity requirements for technical vulnerabilities management must be implemented.

Understanding the Requirement

This control requires an organization to implement an approved vulnerability management program that detects, classifies, remediates, and escalates technical vulnerabilities in a consistent way. As part of the Essential Cybersecurity Controls (ECC – 2 : 2024), the program should include periodic assessments, severity classification, remediation procedures and timelines tied to risk, an escalation mechanism for items that miss those timelines, and an explicit link between vulnerability management and patch management. The goal is to ensure vulnerabilities are found, prioritized, remediated, tracked, and verified in line with the organization's risk tolerance and business needs.

Technical Implementation

  • Document a Vulnerability Management Policy and Procedures: Create a short, approved policy that defines scope (assets, networks, cloud services), roles and responsibilities (who scans, who triages, who approves remediation), frequency of activities, and key metrics (time-to-detect, time-to-remediate, percent verified). Keep the procedure practical for SMB scale—use plain language and a single owner for operations (IT lead or managed service).

  • Regular, Scheduled Scanning and Discovery: Run authenticated vulnerability scans on a schedule (e.g., external perimeter weekly or biweekly; internal critical systems monthly; less critical systems quarterly). Combine automated scans with agent-based discovery where possible to cover cloud workloads and remote endpoints. Maintain an up-to-date asset inventory so scans focus on in-scope systems.

  • Severity Classification and Risk-Based Prioritization: Adopt a consistent severity model (e.g., CVSS v3 plus business impact). Map severity levels to concrete remediation SLAs—example: Critical/High = patch or mitigate within 7 days, Medium = 30 days, Low = 90 days. Include compensating controls (isolate system, apply firewall rule, temporary configuration change) when immediate patching isn’t possible.

  • Triage, Ticketing, and Escalation Workflow: Integrate scan results into your ticketing system (Jira, ServiceNow, or a managed provider dashboard). Define triage steps: rule out false positives, assign an owner, set the SLA due date, and identify mitigation steps. Create an escalation path for items that miss SLAs—notifications to the IT manager first, then the CTO/owner, and board-level reporting for sustained high-risk exposures.

  • Link to Patch Management and Change Control: Ensure vulnerabilities that require software updates are routed into your patch management process with approved change windows. For SMBs, define emergency patching rules to bypass normal windows for Critical vulnerabilities, with post-change testing and rollback plans. Keep evidence of patching and post-remediation scans for audit and review.

  • Verification, Measurement, and Continuous Improvement: Perform rescans to confirm remediation, maintain a vulnerability dashboard (counts by severity, aging tickets), and hold a monthly review to validate process metrics and tune scanning scope. Use lessons learned to update asset inventory, adjust scan frequency, and improve classification rules.
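The severity banding, SLA due dates, overdue escalation and rescan-gated closure described in the steps above can be expressed as a small triage pass over scan findings. The following is an added example, not code from the original page or from any scanner or ticketing product; the findings, SLA days, escalation thresholds and the "bump one level for internet-facing assets" rule are all constructed assumptions that an SMB would replace with its own policy values.

```python
"""Added example: triage, SLA and escalation pass over vulnerability-scan findings.
All findings, SLA values and escalation thresholds below are constructed/assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severity -> remediation SLA in days (assumed values; the page's example tiers).
SLA_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}
SEVERITY_ORDER = ["Low", "Medium", "High", "Critical"]

# Days past SLA -> escalation target, checked from most to least severe (assumed thresholds).
ESCALATION_STEPS = [(30, "board"), (7, "cto_owner"), (1, "it_manager")]


@dataclass
class Finding:
    ticket: str
    asset: str
    title: str
    cvss: float
    internet_facing: bool
    first_seen: date
    rescan_result: Optional[str] = None  # None = not rescanned, "fixed" or "still_vulnerable"
    false_positive: bool = False


def classify(cvss: float, internet_facing: bool) -> str:
    """Band the CVSS base score, then raise one level for exposed assets (business impact)."""
    if cvss >= 9.0:
        sev = "Critical"
    elif cvss >= 7.0:
        sev = "High"
    elif cvss >= 4.0:
        sev = "Medium"
    else:
        sev = "Low"
    if internet_facing:
        sev = SEVERITY_ORDER[min(SEVERITY_ORDER.index(sev) + 1, len(SEVERITY_ORDER) - 1)]
    return sev


def escalation_for(days_overdue: int) -> str:
    """Return who must be notified for a given number of days past SLA."""
    for threshold, target in ESCALATION_STEPS:
        if days_overdue >= threshold:
            return target
    return "none"


def closure_status(f: Finding) -> str:
    """A ticket closes only when a rescan confirms the fix; patching alone is not verification."""
    if f.rescan_result == "fixed":
        return "closed_verified"
    if f.rescan_result == "still_vulnerable":
        return "reopened"
    return "open"


def triage(f: Finding, today: date) -> dict:
    """Severity, SLA due date, overdue days and escalation target for one finding."""
    if f.false_positive:
        return {"ticket": f.ticket, "severity": None, "due": None, "days_overdue": 0,
                "escalate_to": "none", "status": "closed_false_positive"}
    sev = classify(f.cvss, f.internet_facing)
    due = f.first_seen + timedelta(days=SLA_DAYS[sev])
    days_overdue = max((today - due).days, 0)
    status = closure_status(f)
    escalate = escalation_for(days_overdue) if status != "closed_verified" else "none"
    return {"ticket": f.ticket, "severity": sev, "due": due, "days_overdue": days_overdue,
            "escalate_to": escalate, "status": status}


def open_counts_by_severity(results: list) -> dict:
    """Dashboard figure: open (not verified-closed) findings per severity."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for r in results:
        if r["severity"] and r["status"] != "closed_verified":
            counts[r["severity"]] += 1
    return counts


# Constructed sample findings (not real scanner output).
TODAY = date(2026, 1, 17)
FINDINGS = [
    Finding("VM-101", "web01", "outdated web framework", 9.8, True, date(2026, 1, 1)),
    Finding("VM-102", "fileserver", "unpatched SMB service", 7.5, False, date(2026, 1, 10)),
    Finding("VM-103", "vpn-gw", "weak TLS configuration", 5.3, True, date(2025, 12, 1),
            rescan_result="fixed"),
    Finding("VM-104", "printer", "default SNMP community", 3.1, False, date(2025, 10, 1)),
    Finding("VM-105", "web02", "scanner misread banner", 8.1, True, date(2026, 1, 14),
            false_positive=True),
]


def run(findings=FINDINGS, today=TODAY) -> list:
    return [triage(f, today) for f in findings]


if __name__ == "__main__":
    for r in run():
        print(r)
    print(open_counts_by_severity(run()))
```

Two design points worth keeping when adapting this: the exposure bump means a Medium CVSS on an internet-facing host inherits the High SLA, which is the "CVSS plus business impact" idea from the classification step; and `closure_status` refuses to mark anything closed until a rescan reports it fixed, so the dashboard counts cannot be driven down by patching tickets without verification.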

Example in a Small or Medium Business

A 45-person managed services SMB runs a mix of cloud-hosted applications and three on-premises servers. The IT lead establishes a short Vulnerability Management Procedure and schedules authenticated internal scans monthly and external scans weekly using a cloud-based scanner. Scan results are automatically imported into the company's ticketing system, where the IT lead triages them, rules out false positives, and assigns remediation tickets. The organization maps CVSS scores to SLAs: Critical within 7 days, High within 14 days, Medium within 30 days, and Low within 90 days. For critical vulnerabilities that affect public-facing systems, the team applies an emergency patching process tied to the change control board and documents rollback steps. If a critical item is not resolved within the SLA, the system sends an escalation email to the CTO and the business owner schedules a remediation meeting. After remediation, the IT lead rescans the affected system to confirm the fix and closes the ticket only when verification succeeds; monthly reports track trends and inform decisions to increase scan frequency or update compensating controls.

Summary

Implementing an approved vulnerability management program combines straightforward policy with repeatable technical actions: regular scanning and discovery, consistent severity classification, risk-based remediation SLAs, a ticketing and escalation workflow, and close integration with patch management. For SMBs this means defining clear ownership, automating where possible, and focusing on verification and measurable SLAs so vulnerabilities are not just found but reliably remediated and tracked. These measures together meet the control by turning detection into timely, accountable remediation that reduces exposure and supports business continuity.
