Vulnerability management
Vulnerability management is the continuous process of systematically identifying technical vulnerabilities in IT systems, assessing their risk and remediating them in a timely manner.
Vulnerability management is the structured, continuous process by which an organisation discovers, assesses and remediates technical vulnerabilities in its IT systems, applications and networks. A vulnerability is any weakness in a system that a threat can exploit, such as flawed program code, an insecure configuration or a missing security update. Vulnerability management is not a one-off project but a recurring cycle of detection, assessment, treatment and verification that is closely linked to asset management, patch management and the organisation's wider information security risk management.
The process starts with identification: automated vulnerability scans, penetration tests and the evaluation of vendor and government advisories (for example the CVE database or warnings issued by the German Federal Office for Information Security, the BSI) reveal vulnerable components; this step depends on a current asset inventory, because a component that is not known cannot be scanned. In the subsequent assessment, each vulnerability is prioritised according to its technical severity, typically measured using the Common Vulnerability Scoring System (CVSS), combined with the protection requirement of the affected asset and its actual exposure and exploitability in the specific environment. A CVSS base score expresses the intrinsic severity of a flaw, not the risk to a particular organisation, so two findings with the same score can justify different remediation deadlines. Remediation is then carried out on a risk-oriented basis by applying patches, changing configurations, hardening systems or, where no fix is available yet, introducing compensating controls; finally, the effectiveness of the remediation is verified (for example by a re-scan) and documented.
Vulnerability management is a core requirement of common security standards and regulatory frameworks. ISO/IEC 27001:2022 requires, in Annex A (Control 8.8 "Management of technical vulnerabilities"), that information about technical vulnerabilities be obtained in a timely manner, that the organisation's exposure be evaluated and that appropriate measures be taken; the BSI IT-Grundschutz addresses it in module OPS.1.1.3 (patch and change management). With the NIS2 Directive and its transposition into German law, adequate vulnerability and patch management is mandatory as part of the risk management measures for essential and important entities, including procedures for vulnerability handling and disclosure (Art. 21(2)(e)). Documented vulnerability management is therefore a prerequisite for compliance and for meeting management's duties.
Legal Basis
ISO/IEC 27001:2022 Annex A 8.8; BSI IT-Grundschutz OPS.1.1.3; Art. 21 NIS2 Directive (EU) 2022/2555
Practical Example
The information security officer of a mid-sized mechanical engineering firm runs a monthly automated vulnerability scan across all servers and clients. The scan reports a critical vulnerability (CVSS 9.8) in a publicly accessible application. She prioritises the finding based on the high protection requirement of the system and its internet exposure, assigns the IT department a 48-hour remediation deadline via the ticketing system, has the available security patch applied, and then verifies with a re-scan that the vulnerability is no longer reported. She documents the entire process (finding, prioritisation decision, ticket, patch and re-scan result) as auditable evidence for the next ISO 27001 audit.
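The triage and verification steps described in the process section and in the practical example, as an added Python example that is not part of the original article: it takes a constructed set of scan findings, derives a priority tier from the CVSS severity plus the asset's protection requirement and internet exposure, attaches a remediation deadline, and compares a re-scan with the original scan to confirm closure. The finding records, the tier adjustment rules and the SLA hours are assumptions chosen for illustration, not values from any standard or scanner.

```python
"""Risk-based triage of vulnerability scan findings, with re-scan verification.

Added example for this article, not code from the page or from any scanner
vendor. The finding records, priority tiers, deadline values and adjustment
rules below are illustrative assumptions, not a published standard.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Finding:
    finding_id: str         # scanner-assigned identifier (constructed for this example)
    host: str
    title: str
    cvss_base: float        # CVSS v3.x base score as reported by the scanner
    internet_exposed: bool  # environmental context: reachable from the internet?
    protection_need: str    # asset's protection requirement: "normal", "high", "very_high"
    patch_available: bool


# Hypothetical remediation deadlines per priority tier, in hours.
SLA_HOURS = {"P1": 48, "P2": 7 * 24, "P3": 30 * 24, "P4": 90 * 24}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score onto the standard qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def prioritise(f: Finding) -> str:
    """Derive a priority tier from technical severity plus environment context.

    The base tier comes from the CVSS severity. Internet exposure and a very
    high protection requirement each move the finding one tier up; a normal
    protection requirement moves it one tier down. This rule set is an
    assumption made for the example, not a CVSS environmental calculation.
    """
    base = {"Critical": 1, "High": 2, "Medium": 3, "Low": 4, "None": 4}
    tier = base[cvss_severity(f.cvss_base)]
    if f.internet_exposed:
        tier -= 1
    if f.protection_need == "very_high":
        tier -= 1
    elif f.protection_need == "normal":
        tier += 1
    return f"P{min(max(tier, 1), 4)}"


def remediation_deadline(f: Finding, found_at: datetime) -> datetime:
    """Deadline is the time the finding was reported plus the tier's SLA."""
    return found_at + timedelta(hours=SLA_HOURS[prioritise(f)])


def treatment(f: Finding) -> str:
    """Patch when a fix exists; otherwise a compensating control (assumed policy)."""
    if f.patch_available:
        return "apply vendor patch"
    return "compensating control (e.g. restrict exposure), track until a patch ships"


def _key(f: Finding) -> tuple:
    return (f.host, f.finding_id)


def verify_closure(before, after) -> dict:
    """Compare a re-scan with the previous scan.

    A finding counts as closed when the same host no longer reports it;
    anything reported only in the re-scan is new and enters the next cycle.
    """
    prev, now = {_key(f) for f in before}, {_key(f) for f in after}
    return {"closed": prev - now, "still_open": prev & now, "new": now - prev}


# Constructed scan output: one scan, then a re-scan after the remediation window.
SCAN = [
    Finding("F-001", "web01", "outdated web framework", 9.8, True, "high", True),
    Finding("F-002", "file01", "SMB service missing update", 7.5, False, "high", True),
    Finding("F-003", "web01", "weak TLS cipher suite", 5.3, True, "normal", False),
    Finding("F-004", "lab01", "unpatched test database", 9.8, False, "normal", True),
]
RESCAN = [SCAN[1], SCAN[2]]  # F-001 and F-004 were patched and are no longer reported
FOUND_AT = datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc)  # constructed scan timestamp

if __name__ == "__main__":
    for f in SCAN:
        print(f"{f.finding_id} {f.host:7} CVSS {f.cvss_base:4} -> {prioritise(f)} "
              f"due {remediation_deadline(f, FOUND_AT):%Y-%m-%d %H:%M} : {treatment(f)}")
    print(verify_closure(SCAN, RESCAN))
```

Note that F-001 and F-004 carry the same CVSS 9.8 base score but land in different tiers (P1 with a 48-hour deadline versus P2), because only the first is internet-exposed and sits on an asset with a high protection requirement; that is the distinction between severity and risk that the assessment step is meant to make. The closure check keys on host and finding identifier, so a finding that merely moved to another host would show up as closed on one and new on the other rather than silently disappearing.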