Vulnerability Management (CIS Control 7)

CIS Control 7 requires a continuous and structured process for discovering, assessing and remediating vulnerabilities in an organisation's systems and software. The vast majority of successful cyberattacks exploit known vulnerabilities for which patches already exist.



    What is a vulnerability?

    A vulnerability is a weakness in a system, application or process that an attacker could potentially exploit. Vulnerabilities are discovered on an ongoing basis and assigned CVE numbers (Common Vulnerabilities and Exposures), which give every party a common reference for the same weakness; each entry is then typically given a CVSS score indicating its severity.

    Vulnerability scanning

    Vulnerability scanning is the automated process of examining systems for known vulnerabilities by comparing installed software against databases of known weaknesses. CIS recommends automated scans run on a regular schedule – at least quarterly for IG1 and monthly for IG2.

    Effective vulnerability scanning depends on a complete and accurate software inventory (CIS Control 2), as you cannot patch what you do not know exists.

    Patch management

    Patch management is the structured process of testing and installing security fixes (patches) from software vendors. A sound patch management process involves:

    • Monitoring vendor bulletins: Tracking security advisories from all software vendors in the organisation's inventory.
    • Testing before deployment: Validating patches in a test environment before rolling them out to production systems.
    • Documentation: Recording which patches have been installed, when, and on which systems.
    • Time-bound remediation: Defining deadlines for patching based on the severity of the vulnerability.

    Time is critical:
    After a critical vulnerability is publicly disclosed, attackers typically begin exploiting it within days. CIS recommends that critical patches (CVSS 9+) are installed within 14 days.

    CVSS and prioritisation

    CVSS (Common Vulnerability Scoring System) provides a numerical score from 0 to 10 indicating a vulnerability's severity. The score is based on factors such as attack vector, attack complexity and potential impact. Scores above 7.0 are considered high or critical and should be prioritised accordingly.
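    As an added illustration of the time-bound remediation and CVSS prioritisation described above (example code written for this page, not part of CIS or the original text), the following Python script triages a constructed set of scan findings: it maps each CVSS score to a tier, derives a deadline from the disclosure date, orders the patch queue and flags hosts that are missing from the software inventory (Control 2). The 14-day window for CVSS 9+ is the one the page cites; the other windows, the hosts, the packages and the CVE identifiers are assumed placeholders.

```python
from datetime import date, timedelta

# Remediation windows in days per severity tier. Only the 14-day window for
# CVSS 9+ comes from the page; the other three are assumed values.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Constructed software inventory (CIS Control 2): host -> installed packages.
INVENTORY = {"web-01": {"nginx", "openssl"}, "db-01": {"postgresql"}}

# Constructed scan findings; the CVE identifiers are placeholders, not real CVEs.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "disclosed": date(2024, 3, 1)},
    {"host": "web-01", "cve": "CVE-0000-0002", "cvss": 7.5, "disclosed": date(2024, 3, 10)},
    {"host": "db-01", "cve": "CVE-0000-0003", "cvss": 5.3, "disclosed": date(2024, 2, 1)},
    {"host": "legacy-09", "cve": "CVE-0000-0004", "cvss": 9.1, "disclosed": date(2024, 3, 12)},
]

def severity(cvss):
    """Map a CVSS base score (0-10) to a tier: 9.0+ critical, 7.0-8.9 high."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    return "medium" if cvss >= 4.0 else "low"

def triage(findings, inventory, today_iso):
    """Assign a deadline to each finding and order the patch queue.

    Returns (queue, unknown_hosts). Overdue items come first, then higher CVSS.
    A finding on a host absent from the inventory is reported separately: it
    points to an inventory gap (Control 2), not just to a missing patch.
    """
    today = date.fromisoformat(today_iso)
    queue, unknown = [], set()
    for f in findings:
        tier = severity(f["cvss"])
        deadline = f["disclosed"] + timedelta(days=SLA_DAYS[tier])
        queue.append({**f, "tier": tier, "deadline": deadline,
                      "days_overdue": max(0, (today - deadline).days)})
        if f["host"] not in inventory:
            unknown.add(f["host"])
    queue.sort(key=lambda q: (-q["days_overdue"], -q["cvss"]))
    return queue, sorted(unknown)

if __name__ == "__main__":
    queue, unknown = triage(FINDINGS, INVENTORY, "2024-03-20")
    for q in queue:
        print(f'{q["host"]:10} {q["cve"]} {q["tier"]:8} due {q["deadline"]} '
              f'overdue {q["days_overdue"]}d')
    print("hosts not in inventory:", unknown)  # ['legacy-09']
```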

    Frequently Asked Questions about Vulnerability Management (CIS Control 7)

    What is CIS Control 7?

    CIS Control 7 covers continuous vulnerability management. It requires organisations to establish a structured process for discovering, assessing and remediating vulnerabilities in their systems and software.

    What is vulnerability scanning?

    Vulnerability scanning is the automated process of examining systems for known vulnerabilities by comparing installed software against databases of known weaknesses. CIS recommends regular automated scans at least quarterly for IG1.

    What is CVSS?

    CVSS (Common Vulnerability Scoring System) provides a numerical score from 0 to 10 indicating a vulnerability's severity. Scores above 7.0 are considered high or critical. It helps organisations prioritise which vulnerabilities to remediate first.

    How quickly should critical vulnerabilities be patched?

    CIS recommends that critical vulnerabilities (CVSS 9+) are patched within 14 days of disclosure. After public disclosure, attackers typically begin exploiting critical vulnerabilities within days.

    How does vulnerability management relate to other CIS Controls?

    Vulnerability management (Control 7) depends on accurate hardware and software inventories (Controls 1 and 2) and complements secure configuration (Control 4). Together these controls ensure that systems are known, properly configured and kept up to date.
