Vulnerability Management
The continuous process of identifying, classifying, prioritising, and remediating security vulnerabilities across an organisation's systems and software.
What Is Vulnerability Management?
Vulnerability management is the ongoing process of discovering and addressing security weaknesses — known as vulnerabilities — in an organisation's IT systems, software, and infrastructure. It's a continuous cycle, not a one-time activity, because new vulnerabilities are discovered daily.
Unpatched vulnerabilities are the primary target for opportunistic attackers. The Cyber Security Breaches Survey (UK) consistently finds that failure to apply software updates is one of the most common factors enabling breaches.
The Vulnerability Management Lifecycle
1. Discovery: Identify all assets in your environment — servers, endpoints, cloud instances, network devices, applications. You can't find vulnerabilities in assets you don't know about.
2. Scanning: Run automated vulnerability scans using tools like Tenable Nessus, Qualys, or OpenVAS. Scans identify known vulnerabilities based on CVE (Common Vulnerabilities and Exposures) databases.
3. Assessment and prioritisation: Not all vulnerabilities are equal. Use CVSS (Common Vulnerability Scoring System) scores and business context to prioritise:
- Critical / High: Patch immediately (within 24–72 hours)
- Medium: Patch within 30 days
- Low: Include in regular maintenance cycles
4. Remediation: Apply patches, update software versions, reconfigure affected systems, or deploy compensating controls where immediate patching isn't possible.
5. Verification: Rescan after remediation to confirm the vulnerability is resolved.
6. Reporting: Track vulnerability trends, mean time to remediate, and patch coverage over time.
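As an added worked example (not code from the original page), steps 3, 5 and 6 above in a small Python script: it maps CVSS scores to severity tiers, assigns the remediation windows given in step 3, flags overdue findings, sorts internet-facing assets first within a tier, and computes mean time to remediate. The sample findings, the 90-day Low window and the placeholder CVE ids are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Windows from the lifecycle above: Critical/High within 72 hours, Medium within
# 30 days. The 90-day Low window is an assumption for "regular maintenance cycles".
SLA_DAYS = {"Critical": 3, "High": 3, "Medium": 30, "Low": 90}
TIERS = ["Critical", "High", "Medium", "Low"]

def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if cvss >= floor:
            return name
    return "Low"

@dataclass
class Finding:
    asset: str
    cve: str                 # sample data uses placeholder ids, not real CVEs
    cvss: float
    internet_facing: bool    # business context: exposed assets are fixed first
    first_seen: datetime
    remediated: Optional[datetime] = None

def prioritise(findings, now):
    """Open findings ordered by severity tier, then exposure, then deadline."""
    rows = []
    for f in (x for x in findings if x.remediated is None):
        sev = severity(f.cvss)
        due = f.first_seen + timedelta(days=SLA_DAYS[sev])
        rows.append({"asset": f.asset, "cve": f.cve, "severity": sev,
                     "internet_facing": f.internet_facing, "due": due,
                     "overdue": now > due})
    rows.sort(key=lambda r: (TIERS.index(r["severity"]), not r["internet_facing"], r["due"]))
    return rows

def mean_time_to_remediate(findings):
    """Mean days from first detection to fix, over remediated findings only."""
    closed = [(f.remediated - f.first_seen).days for f in findings if f.remediated]
    return sum(closed) / len(closed) if closed else None

# Constructed sample scan results (dates and ids are made up)
NOW = datetime(2024, 6, 10)
SAMPLE = [
    Finding("web-01", "CVE-0000-0001", 9.8, True, datetime(2024, 6, 8)),
    Finding("file-srv", "CVE-0000-0002", 9.1, False, datetime(2024, 6, 1)),
    Finding("hr-laptop", "CVE-0000-0003", 5.3, False, datetime(2024, 5, 20)),
    Finding("vpn-gw", "CVE-0000-0004", 7.5, True, datetime(2024, 5, 1), datetime(2024, 5, 3)),
]
```

Running `prioritise(SAMPLE, NOW)` lists the internet-facing Critical finding first and marks the internal Critical finding overdue, since its 72-hour window expired; `mean_time_to_remediate(SAMPLE)` covers only the one closed finding.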
Patch Management vs Vulnerability Management
These terms are often used interchangeably but differ in scope:
- Patch management: The process of deploying software updates and patches
- Vulnerability management: The broader process including discovery, risk scoring, prioritisation, and tracking — patching is one remediation action within it
Getting Started for SMBs
- Maintain an accurate asset inventory
- Enable automatic updates for operating systems and commonly exploited software (browsers, Office, Java)
- Run a vulnerability scan quarterly, or monthly for internet-facing systems
- Focus patching effort on externally accessible systems first
- Track unpatched Critical/High CVEs as security risks in your risk register