The vulnerability management register is retained as a standalone Module 9 artefact. It provides the complete history of every vulnerability discovered across all scanning layers and testing activities, together with the remediation status, SLA compliance, and exception records.
The register enables three compliance functions. Current posture assessment shows the number of open vulnerabilities by severity and the remediation timeline for each. Trend analysis shows whether the vulnerability discovery rate, remediation speed, and SLA compliance are improving or degrading over time. Exception audit shows every vulnerability that was accepted through the exception process, with the justification, compensating controls, and expiry date.
The register is the primary input for the Module 9 compliance metrics reported to the governance team. The register is retained for the ten-year period.
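The three functions described above can each be computed from the same register rows. The sketch below is an added example, not part of the original Module 9 material; the field names, the SLA day counts per severity, and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Assumed remediation SLA in days per severity (the page states no values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def row(vid, severity, found, fixed=None, exception=None):
    return {"id": vid, "severity": severity, "found": found,
            "fixed": fixed, "exception": exception}

# Constructed register: one row per finding, updated in place, never deleted.
REGISTER = [
    row("V-001", "critical", date(2025, 1, 6), fixed=date(2025, 1, 10)),
    row("V-002", "high", date(2025, 1, 20), fixed=date(2025, 3, 15)),
    row("V-003", "high", date(2025, 2, 3)),
    row("V-004", "medium", date(2025, 1, 2), exception={
        "justification": "vendor patch pending (constructed)",
        "controls": "network isolation (constructed)",
        "expires": date(2025, 3, 31)}),
    row("V-005", "low", date(2025, 2, 17), fixed=date(2025, 2, 20)),
]

def due_date(r):
    return r["found"] + timedelta(days=SLA_DAYS[r["severity"]])

def current_posture(register, today):
    """Open findings by severity, plus ids past SLA with no unexpired exception."""
    open_rows = [r for r in register if r["fixed"] is None]
    overdue = [r["id"] for r in open_rows if today > due_date(r)
               and not (r["exception"] and r["exception"]["expires"] >= today)]
    return Counter(r["severity"] for r in open_rows), overdue

def trend(register):
    """Per discovery month: findings discovered, closed, and closed within SLA."""
    months = defaultdict(lambda: {"discovered": 0, "closed": 0, "within_sla": 0})
    for r in register:
        m = months[r["found"].strftime("%Y-%m")]
        m["discovered"] += 1
        if r["fixed"] is not None:
            m["closed"] += 1
            m["within_sla"] += int(r["fixed"] <= due_date(r))
    return dict(months)

def exception_audit(register, today):
    """Every accepted finding with its expiry and whether the exception still holds."""
    return [(r["id"], r["exception"]["expires"],
             "active" if r["exception"]["expires"] >= today else "expired")
            for r in register if r["exception"]]
```

An expired exception stops shielding its finding, so V-004 reappears in the overdue list once its expiry date has passed.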
Key outputs
- Complete vulnerability history with remediation tracking
- Current posture, trend analysis, and exception audit capability
- Module 9 compliance metrics input
- Module 9 AISDP evidence