
Vulnerability Management

Frameworks: SOC 2, ISO 27001, PCI DSS, HIPAA

Continuous discover-prioritise-remediate cycle for software vulnerabilities (CVEs) and misconfigurations.

Vulnerability Management is the continuous process of identifying (scans), prioritising (CVSS, EPSS, business context), and remediating (patch, mitigate, accept) vulnerabilities across infrastructure, applications, and dependencies.

Why it matters
Most frameworks expect documented remediation SLAs (e.g. critical ≤7 days, high ≤30 days) and evidence that remediation actually happened. Inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalogue is now a de facto override on those stated SLAs: a KEV-listed finding is remediated on the catalogue's timeline rather than the one its CVSS band would imply.
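The prioritise-and-assign-a-due-date step described above, as an added example (not ComplianceIQ's code or any framework's prescribed method). It assumes CVSS v3 bands, the page's critical/high SLA figures plus assumed medium/low figures, an assumed EPSS threshold of 0.5 and an assumed internet-exposure signal that each raise a finding one band, and that a KEV catalogue due date replaces the SLA-derived date outright. The CVE identifiers, assets and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BANDS = ["low", "medium", "high", "critical"]

# Remediation SLAs in days. Critical and high are the page's example figures;
# medium and low are assumptions for illustration.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed EPSS threshold: at or above this, exploitation is likely enough to
# raise the finding one band regardless of its CVSS score.
EPSS_ESCALATE = 0.5


@dataclass
class Finding:
    cve: str                  # constructed identifiers below, not real CVEs
    asset: str
    cvss: float               # CVSS v3 base score
    epss: float               # EPSS probability, 0.0 to 1.0
    internet_facing: bool     # business-context signal (assumed)
    found_on: date            # date the scan first reported it
    kev_due: Optional[date] = None   # CISA KEV catalogue due date, if listed


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritise(f: Finding) -> str:
    """Effective band after EPSS and business-context adjustments.

    KEV-listed findings are always treated as critical; otherwise each
    signal (high EPSS, internet exposure) raises the band by one step.
    """
    if f.kev_due is not None:
        return "critical"
    idx = BANDS.index(cvss_band(f.cvss))
    if f.epss >= EPSS_ESCALATE:
        idx += 1
    if f.internet_facing:
        idx += 1
    return BANDS[min(idx, len(BANDS) - 1)]


def due_date(f: Finding) -> date:
    """SLA-derived due date; the KEV catalogue date overrides it when present."""
    if f.kev_due is not None:
        return f.kev_due
    return f.found_on + timedelta(days=SLA_DAYS[prioritise(f)])


def remediation_plan(findings):
    """Order the queue by due date, then by CVSS score descending."""
    return sorted(findings, key=lambda f: (due_date(f), -f.cvss))


def overdue(findings, today: date):
    """Findings past their due date: the evidence gap an auditor will ask about."""
    return [f for f in findings if due_date(f) < today]


# Constructed sample findings (identifiers, assets and dates are made up).
SAMPLE = [
    Finding("CVE-0000-0001", "db-01", 9.8, 0.05, False, date(2024, 1, 10)),
    Finding("CVE-0000-0002", "app-02", 6.5, 0.80, False, date(2024, 1, 10)),
    Finding("CVE-0000-0003", "vpn-01", 7.5, 0.30, True, date(2024, 1, 1),
            kev_due=date(2024, 1, 15)),
    Finding("CVE-0000-0004", "web-03", 3.0, 0.90, True, date(2024, 1, 5)),
]

if __name__ == "__main__":
    for f in remediation_plan(SAMPLE):
        print(f"{f.cve} {f.asset:7} band={prioritise(f):9} due={due_date(f)}")
    print("overdue on 2024-01-20:",
          [f.cve for f in overdue(SAMPLE, date(2024, 1, 20))])
```

Running it puts the KEV-listed VPN finding first even though its CVSS score is lower than the database one, shows the medium-scored finding with high EPSS and the low-scored internet-facing finding both promoted to high, and lists which items are overdue on a given date; that last list is the evidence a review against the documented SLAs will want to see.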

Related terms

Patch Management
Process of applying vendor security updates to systems within defined SLAs.
Penetration Test (Pen Test)
Authorised offensive simulation of an attacker to identify exploitable vulnerabilities.
SIEM
Platform aggregating, correlating, and alerting on security log data across an environment.

Does your program actually cover Vulnerability Management?

Run a free ComplianceIQ audit against SOC 2 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
