Terug naar overzicht

SB.18.001 Vulnerability Registration and Resolution

System Owner
v2.0 (Q1 2024)
Vulnerability Management

A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what action resolution was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ’mitigated’ or ‘accepted’. If the vulnerability is ‘mitigated’, a new risk estimation needs to be done for the mitigating measures in place.

After resolution, resolved vulnerabilities need to remain registered for 1 year.

The organisation shall establish maximum resolution time of vulnerabilities based on the associated risk. There is monitoring on the timely resolution of vulnerabilities.


Vulnerabilities are scanned and reported with a vulnerability scanner from a preferred supplier. System owners can ask for access to administer detected vulnerabilities. All production servers must be connected to this central scanning solution.

Vulnerabilities are treated based on the risk-estimate of found vulnerabilities according to the CVSS score of the vulnerability and their the estimate of the risk-context:


Critical        Medium     High          Critical         Critical
High             Low            Medium    High             Critical
Medium      Low            Medium    Medium       High
Low               Low            Low           Medium        Medium

                      Low          Medium  High            Critical
                      [0-3.9]     [4-6.9]    [7-8.9]         [9-10]
CVSS-Score of the vulnerability

For external suppliers, the risk-context is the highest of the AIC-ratings of the classification (where Low = Low, Basic = Medium, Sensitive = High and Critical = Critical).

If CVSS-score is not yet available, a professional estimation is made based on the ease of exploitation, exposure of the vulnerability, observed exploitation internally and externally and the potential impact of the vulnerability.

Vulnerabilities need to be resolved depending on their risk-estimate and the following resolution times:

Risk-estimate Maximum resolution time:

  • Critical: 3 working days
  • High: 2 weeks
  • Medium: 3 months
  • Low: Best effort

ISO 27001 & 27002:2022


SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)

SM.06 Patch management
SM.07 Threat en Vulnerability Management