Requirement
Essential Cybersecurity Controls (ECC – 2 : 2024) - Control - 2-10-1 – Cybersecurity requirements for technical vulnerabilities management must be defined, documented and approved.
Understanding the Requirement
This control from the Essential Cybersecurity Controls (ECC – 2 : 2024) requires your organization to have a formal, documented vulnerability management policy that is approved by executive management. The policy should set clear requirements for vulnerability assessment and testing across all technology assets, define how often scans and tests occur, establish a vulnerability classification (severity) scheme, and mandate the tools and methods the organization will use to identify and remediate issues. Executive sponsorship and documented approval are required to demonstrate organizational commitment and to enable resourcing and enforcement.
Technical Implementation
- Draft a concise Vulnerability Management Policy that covers scope, objectives, roles and responsibilities, and approval. Include: which asset types are in scope (servers, endpoints, network devices, cloud workloads, web apps), who owns remediation tasks, and how exceptions are handled.
- Define scanning and testing requirements: schedule authenticated network and host scans at least monthly for production systems, weekly or continuous scanning for internet-facing assets, and on-demand scans after major changes or incidents. Require annual penetration tests for business-critical apps, and additional tests after major releases.
- Adopt a severity classification and SLAs: map scan results to severity levels (e.g., Critical/High/Medium/Low) and set remediation targets: critical within 72 hours, high within 7 days, medium within 30 days, low as part of regular maintenance, with documented risk acceptance for any delayed remediation.
- Specify approved tools and methods: list approved scanners (e.g., authenticated vulnerability scanners), configuration hardening checks, patch management processes, and procedures for web-application testing. Standardize reporting formats and the minimum evidence required to close findings (patch IDs, configuration change tickets).
- Integrate with asset inventory and ticketing: require all assets to be listed in the CMDB/asset register and ensure scan results create tickets in your ITSM or issue tracker with assigned owners, due dates, and a workflow for verification and closure.
- Obtain executive approval and enforce governance: have the head of the organization or a deputy formally approve the policy, and schedule quarterly reviews with executive owners to report metrics (scan coverage, open vulnerabilities by severity, SLA attainment) and obtain resource commitments.
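The severity/SLA mapping, the ticket-per-finding rule, and the quarterly metrics above are one procedure, and it is easy to get the edge cases wrong (findings on assets missing from the register, low findings with no hard due date, risk-accepted findings that must not show as overdue). The script below is an added example, not part of the ECC text or any vendor tool; it assumes each finding carries a CVSS-v3-style base score, uses the SLA targets quoted above, and runs on constructed sample data.

```python
"""SLA tracking for vulnerability findings: classify, ticket, report.

Added example (not from the ECC text). Assumes CVSS v3 qualitative bands
for severity and the SLA targets quoted in the policy section above.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Remediation targets from the policy: critical 72 h, high 7 d, medium 30 d;
# low is handled in the regular maintenance cycle and gets no hard due date.
SLA_DAYS = {"critical": 3, "high": 7, "medium": 30, "low": None}


def classify(cvss: float) -> str:
    """Map a CVSS base score to the policy's severity scheme (CVSS v3 bands; assumption)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Ticket:
    finding_id: str
    asset: str
    owner: str
    severity: str
    opened: datetime
    due: Optional[datetime]                 # None for 'low'
    closed: Optional[datetime] = None
    risk_accepted_by: Optional[str] = None  # signed risk acceptance, if any
    compensating_controls: str = ""


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def open_tickets(findings: List[dict], register: Dict[str, str]):
    """One ticket per finding, assigned to the asset owner from the register.
    An asset not in the register is an inventory gap and is reported, not ticketed."""
    tickets, unregistered = [], []
    for f in findings:
        owner = register.get(f["asset"])
        if owner is None:
            unregistered.append(f["asset"])
            continue
        sev = classify(f["cvss"])
        opened = parse_ts(f["found"])
        days = SLA_DAYS[sev]
        due = opened + timedelta(days=days) if days is not None else None
        tickets.append(Ticket(f["id"], f["asset"], owner, sev, opened, due))
    return tickets, unregistered


def accept_risk(t: Ticket, approver: str, controls: str) -> None:
    """Record a documented risk acceptance with its compensating controls."""
    t.risk_accepted_by = approver
    t.compensating_controls = controls


def is_overdue(t: Ticket, now: datetime) -> bool:
    # Risk-accepted or closed tickets never count as overdue; 'low' has no deadline.
    return (t.closed is None and t.risk_accepted_by is None
            and t.due is not None and now > t.due)


def coverage(scanned: List[str], register: Dict[str, str]) -> float:
    """Share of registered assets that appeared in the scan run."""
    return len(set(scanned) & set(register)) / len(register)


def metrics(tickets: List[Ticket], now: datetime) -> dict:
    open_by_sev = {s: 0 for s in SLA_DAYS}
    for t in tickets:
        if t.closed is None:
            open_by_sev[t.severity] += 1
    closed_with_due = [t for t in tickets if t.closed is not None and t.due is not None]
    attained = sum(1 for t in closed_with_due if t.closed <= t.due)
    return {
        "open_by_severity": open_by_sev,
        "overdue": [t.finding_id for t in tickets if is_overdue(t, now)],
        "risk_accepted": [t.finding_id for t in tickets if t.risk_accepted_by],
        "sla_attainment": attained / len(closed_with_due) if closed_with_due else None,
    }


# Constructed sample data (hypothetical assets, owners and findings).
ASSET_REGISTER = {"web-01": "appteam", "fw-edge": "netops", "ws-07": "helpdesk"}
SCANNED_ASSETS = ["web-01", "fw-edge", "db-02"]   # db-02 is not in the register
SCAN_FINDINGS = [
    {"id": "F-1", "asset": "web-01", "cvss": 9.8, "found": "2024-05-01T08:00:00Z"},
    {"id": "F-2", "asset": "fw-edge", "cvss": 7.5, "found": "2024-05-01T08:00:00Z"},
    {"id": "F-3", "asset": "db-02", "cvss": 5.3, "found": "2024-05-01T08:00:00Z"},
    {"id": "F-4", "asset": "web-01", "cvss": 3.1, "found": "2024-05-01T08:00:00Z"},
    {"id": "F-5", "asset": "fw-edge", "cvss": 5.3, "found": "2024-05-01T08:00:00Z"},
    {"id": "F-6", "asset": "fw-edge", "cvss": 9.1, "found": "2024-05-01T08:00:00Z"},
]


def quarterly_report(now: datetime = parse_ts("2024-05-10T00:00:00Z")) -> dict:
    tickets, unregistered = open_tickets(SCAN_FINDINGS, ASSET_REGISTER)
    by_id = {t.finding_id: t for t in tickets}
    by_id["F-2"].closed = parse_ts("2024-05-06T12:00:00Z")          # patched within 7 d
    accept_risk(by_id["F-6"], "CTO", "isolated VLAN; enhanced logging")  # vendor fix pending
    report = metrics(tickets, now)
    report["coverage"] = coverage(SCANNED_ASSETS, ASSET_REGISTER)
    report["unregistered_assets"] = unregistered
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(quarterly_report(), indent=2))
```

On the sample data, F-1 (critical, 72 h) is the only overdue item; F-6 is just as severe but carries a signed acceptance with compensating controls, so it is reported under risk acceptances rather than as an SLA breach; db-02 surfaces as an asset-register gap, which is itself a policy violation worth a ticket against the CMDB owner.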
Example in a Small or Medium Business
A 75-person managed services firm creates a Vulnerability Management Policy that names the CTO as the executive sponsor and lists all servers, workstations, network devices, and customer-facing web applications in scope. The policy mandates monthly authenticated scans for internal systems and continuous scanning for all public IPs, with critical findings required to be mitigated within 72 hours and high risks within one week. The IT team configures its vulnerability scanner to integrate with their ticketing system so that each finding generates a remediation ticket assigned to the asset owner. Patch deployment is automated for endpoints using the existing endpoint management tool; network device fixes follow documented change windows and rollback plans. For findings that cannot be immediately remediated (legacy devices or vendor-dependent fixes), the CTO signs a documented risk acceptance that includes compensating controls such as network segmentation and increased logging. Each quarter the IT manager presents a dashboard to executive management showing scan coverage, outstanding high/critical vulnerabilities, and time-to-remediate metrics; the executives sign off on any resource requests required to reduce risk further.
Summary
By documenting a vulnerability management policy that defines scope, scan frequency, severity classification, remediation SLAs, approved tools, and executive approval, SMBs create a clear, enforceable program. Combining this policy with technical measures (regular scans, integration with the asset inventory and ticketing, automated patching, and governance reviews) ensures vulnerabilities are identified, prioritized, and remediated in a timely, auditable way that meets Control 2-10-1.