Vulnerability management is a key component in planning for and determining the appropriate implementation of controls and in the management of risk. It is reasonable to say that vulnerability management is central to cyber resilience: the other CRR domains either provide information about vulnerable conditions (Asset Management, Configuration and Change Management, External Dependencies Management, and Situational Awareness) or provide a response to those conditions (Controls Management, Incident Management, Service Continuity Management, Risk Management, and Training and Awareness). Vulnerability management assures that the organization understands its weaknesses so that it can plan accordingly.
Exploitation of a vulnerability by a threat results in a risk to the organization. Expanding the discussion from what the vulnerabilities are to how vulnerable the organization is to disruption, or what the impact of exploiting a given vulnerability would be, moves beyond the domain of vulnerability management into risk management. It is in risk management that the organization seeks to quantify the impact of a realized hazard; this context is discussed more completely in the Risk Management Resource Guide, Volume 7 of this series. An organization’s resolution of vulnerabilities and its disposition of risk overlap to a large degree, so this resource guide discusses aspects of risk management as needed to clarify the analysis, categorization, and resolution of vulnerabilities.
During the vulnerability management process, the organization often discovers vulnerabilities that lead it to develop requirements and criteria for controls. During the controls management process, the organization develops, implements, and improves the controls that mitigate the effect of a hazard; these controls are discussed in the Controls Management Resource Guide, Volume 2 of this series.