You find, prioritize, and fix vulnerabilities on a timeline.
What it actually means
Unpatched systems are how most breaches happen, so this is weighted heavily. You need a real process: identify vulnerabilities (patch management + scanning), prioritize them, and fix them on a defined timeline — not 'whenever someone gets to it.'
Pass or fail — an assessor needs a "yes" to each
- A patch/vulnerability-management process exists with timelines.
- Patches are applied across in-scope systems, tracked to completion.
- Flaws are identified (updates + vulnerability scanning) and remediated.
What to have ready
- Patch-management policy with SLAs
- Patch/vuln-scan reports showing remediation
- Tooling configuration (WSUS/Intune/3rd-party)
Where teams trip up
- Ad-hoc patching with no timeline or tracking
- Servers or appliances left out of the patch process
- Scanning but never closing findings
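As an added illustration (not code from this page or from any tool it names), a small Python check that applies assumed per-severity remediation SLAs to constructed scan findings and reports what the three pass/fail questions ask about: open findings past their deadline, whether closed findings met the SLA, and in-scope assets the scan never reached. The SLA values, hostnames and dates are all made up.

```python
from datetime import date, timedelta

# Assumed remediation SLAs in days from discovery; illustrative values,
# not figures from the page. Substitute the ones in your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample data: the in-scope asset inventory, the hosts the last
# scan actually reached, and the scanner's findings with open/closed status.
INVENTORY = {"web01", "db01", "fw-edge", "hr-laptop-12"}
SCANNED = {"web01", "db01", "hr-laptop-12"}
FINDINGS = [
    {"asset": "web01", "severity": "critical", "found": date(2024, 5, 1), "closed": date(2024, 5, 5)},
    {"asset": "web01", "severity": "high", "found": date(2024, 5, 1), "closed": None},
    {"asset": "db01", "severity": "medium", "found": date(2024, 3, 1), "closed": None},
    {"asset": "hr-laptop-12", "severity": "low", "found": date(2024, 6, 1), "closed": None},
]
TODAY = date(2024, 6, 15)  # constructed "as of" date for the report

def due_date(finding):
    """Deadline the policy sets for this finding, from its severity and discovery date."""
    return finding["found"] + timedelta(days=SLA_DAYS[finding["severity"]])

def overdue(findings, today):
    """Open findings past their deadline: the 'scanning but never closing' failure."""
    return [f for f in findings if f["closed"] is None and due_date(f) < today]

def on_time_rate(findings):
    """Fraction of closed findings remediated by their deadline (None if nothing closed)."""
    done = [f for f in findings if f["closed"] is not None]
    if not done:
        return None
    return sum(1 for f in done if f["closed"] <= due_date(f)) / len(done)

def unscanned_assets(inventory, scanned):
    """In-scope assets the scan never reached: the 'left out of the process' failure."""
    return inventory - scanned

def status_report(inventory, scanned, findings, today):
    """One summary an assessor can check against the three pass/fail questions."""
    return {
        "open": sum(1 for f in findings if f["closed"] is None),
        "overdue": [(f["asset"], f["severity"], due_date(f).isoformat()) for f in overdue(findings, today)],
        "on_time_rate": on_time_rate(findings),
        "unscanned": sorted(unscanned_assets(inventory, scanned)),
    }

if __name__ == "__main__":
    print(status_report(INVENTORY, SCANNED, FINDINGS, TODAY))
```

Feed it a real scanner export and asset inventory and the "overdue" and "unscanned" lists become the evidence an assessor asks for, and the items to close before the assessment.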
See where this control puts your score
Run all 110 requirements free in about 10 minutes.
Calculate your SPRS score →