Vulnerability Management Program Checklist

· DocumentChecklist · Checklist · Updated 2026-05-15

By Dragons Community Vulnerability Management Team· vulnerability-management · checklist · program

A vulnerability management program is only as good as the discipline behind it, and this checklist is built to test that discipline. Use it to stand up a new program or to audit an existing one against current best practice. Each section opens with a short statement of intent and then provides concrete, verifiable items an assessor can mark as met, partial or not met. The emphasis throughout is risk-based prioritisation using real-world signals such as EPSS, the CISA Known Exploited Vulnerabilities catalog and asset context, rather than chasing raw CVSS scores. Work through every section and treat any unchecked item as a tracked improvement action with an owner.

Asset Inventory and Discovery

You cannot protect what you cannot see, so a trustworthy asset inventory is the foundation of the whole program. The goal of this section is to confirm that the organisation knows what exists, who owns it, and how critical it is. Gaps here cascade into every downstream metric, because unknown assets are simply unscanned and unpatched.

Pay particular attention to ephemeral and shadow assets such as cloud instances, containers and unmanaged devices, which routinely fall outside traditional inventories.

▸Maintain an authoritative asset inventory covering on-prem, cloud, container and remote endpoints.
▸Reconcile the inventory using at least two independent sources (for example agent data plus network discovery).
▸Run automated discovery on a defined cadence to catch new and ephemeral assets.
▸Record a business criticality rating and a named owner for every asset.
▸Track data sensitivity and internet exposure as attributes on each asset.
▸Measure and report the percentage of assets covered by scanning to surface blind spots.
▸Flag and investigate unmanaged or unauthorised devices appearing on the network.

Scanning Coverage and Cadence

Scanning is how the program actually sees vulnerabilities, so both its breadth and its frequency matter. The goal here is to confirm that scans reach every asset class with appropriate depth and run often enough to keep pace with change. Authenticated scans in particular reveal far more than unauthenticated ones and should be the default for managed systems.

Match cadence to asset risk. Internet-facing and critical systems warrant more frequent assessment than low-risk internal devices.

▸Run authenticated (credentialed) scans on managed systems wherever feasible.
▸Scan internet-facing assets at least weekly and critical internal assets on a defined schedule.
▸Cover the full estate: servers, endpoints, network devices, cloud workloads, containers and web applications.
▸Integrate scanning into CI/CD and container image builds to catch issues before deployment.
▸Keep scanner plugins and vulnerability feeds updated automatically.
▸Validate scan completeness against the asset inventory and investigate unscanned assets.
▸Tune scan configurations to balance coverage against operational impact on sensitive systems.

Risk-Based Prioritization

With more vulnerabilities than any team can fix at once, prioritisation is where a mature program earns its keep. The objective is to focus remediation on the vulnerabilities most likely to be exploited against the assets that matter most. Raw CVSS severity alone is a weak predictor of real risk and should never be the sole driver.

Combine threat signals with asset context. A medium-severity flaw on an internet-facing crown-jewel system can far outrank a critical one on an isolated test box.

▸Enrich every finding with EPSS exploitation probability scores.
▸Cross-reference findings against the CISA Known Exploited Vulnerabilities (KEV) catalog and treat KEV entries as top priority.
▸Factor in asset criticality, internet exposure and data sensitivity when ranking.
▸Incorporate threat intelligence on active exploitation and available proof-of-concept code.
▸Define a documented, repeatable prioritisation formula rather than relying on ad hoc judgement.
▸Automatically escalate any KEV-listed or actively-exploited vulnerability on an exposed asset.
▸Review and recalibrate the prioritisation model periodically against actual exploited incidents.

Remediation Workflow and SLAs

Finding vulnerabilities means nothing without a reliable path to fixing them. This section confirms that there is an owned, tracked workflow moving findings from discovery to verified closure within agreed timeframes. Clear SLAs tied to risk turn prioritisation into accountable action.

Verify fixes rather than trusting them. A vulnerability is only closed once a rescan or test confirms the remediation actually worked.

▸Define remediation SLAs by risk tier (for example critical 7 days, high 30 days, medium 90 days).
▸Apply accelerated SLAs to KEV-listed and actively-exploited vulnerabilities.
▸Route findings automatically into the ticketing system with a clear owner for each.
▸Track remediation progress and surface overdue items to management.
▸Verify every fix with a rescan or targeted test before closing the finding.
▸Establish an emergency patch process for critical, actively-exploited issues.
▸Measure and report mean time to remediate by severity tier.

Exceptions and Compensating Controls

Some vulnerabilities cannot be patched promptly because of operational, compatibility or business constraints. The goal of this section is to ensure those cases are handled through a disciplined, time-bound exception process rather than quietly ignored. Every exception should reduce, not hide, the underlying risk.

Require compensating controls and an expiry date for each exception so that risk acceptance is explicit, owned and revisited.

▸Provide a formal exception request process with documented business justification.
▸Require an appropriate risk owner to approve every exception based on its risk level.
▸Document compensating controls (segmentation, virtual patching, monitoring) for each exception.
▸Set a mandatory expiry date so no exception becomes permanent by default.
▸Maintain a central register of all active exceptions with owners and review dates.
▸Re-review exceptions on expiry and whenever the threat landscape changes (for example new KEV entry).
▸Report aggregate accepted risk from exceptions to leadership.

Metrics and Reporting

Metrics make the program visible, measurable and improvable. The objective here is to confirm that the team tracks meaningful indicators of risk and performance and reports them to the right audiences. Good metrics drive behaviour, so choose ones that reward genuine risk reduction rather than mere activity.

Tailor reporting to its audience. Executives need risk and trend, while operational teams need actionable, asset-level detail.

▸Track mean time to detect and mean time to remediate, broken down by severity.
▸Report scanning coverage and the count of known blind spots.
▸Trend open vulnerabilities and SLA compliance over time, not just point-in-time totals.
▸Highlight KEV-listed and actively-exploited exposures as a distinct headline metric.
▸Produce audience-specific reporting for executives, asset owners and auditors.
▸Maintain dashboards that allow drill-down from program totals to individual assets.
▸Review metric trends in regular program governance meetings and act on regressions.

Program Governance

Governance is what keeps the program funded, mandated and continuously improving rather than drifting. The goal of this section is to confirm there is clear ownership, documented policy and management support behind the operational work. Without governance, even a technically strong program decays over time.

Tie the program to recognised frameworks and review it on a schedule so it evolves with the organisation and the threat landscape.

▸Maintain a documented vulnerability management policy approved by management.
▸Assign clear program ownership with defined roles and responsibilities.
▸Align the program to a recognised framework (for example NIST CSF, CIS Controls or ISO 27001).
▸Secure budget and tooling commensurate with the size of the estate.
▸Review the program formally at least annually and after significant incidents.
▸Integrate vulnerability management with change, asset and incident response processes.
▸Provide periodic awareness and training to system owners on their remediation duties.

References