Which of the following approaches provides the BEST basis for prioritizing remediation of vulnerabilities discovered during a security assessment?
Address vulnerabilities in the order they were reported by the scanning tool.
Remediate only the vulnerabilities that external auditors flag as non-compliant.
Prioritize vulnerabilities strictly by their numerical severity rating (e.g., CVSS score) produced by automated scanners.
Combine technical severity with asset criticality, exposure, business impact, exploit likelihood, and existing controls to create a risk-based ranking.
The most effective way to decide what to fix first is to use a risk-based approach that combines the technical severity of each vulnerability with contextual information such as asset criticality, exposure, exploit likelihood, business impact, data sensitivity, and any compensating controls. Relying on scanner scores alone (or on ticket order, audit findings, or other single-factor methods) can divert resources to issues that matter less to the organization while leaving higher-risk weaknesses unaddressed.
ISC2 CISSP
Security Assessment and Testing