Cybersecurity vulnerability assessments are performed periodically and according to defined triggers, such as system changes and external events
Context and Guidance: The organisation uses established, documented, and structured vulnerability assessment methods to identify known vulnerabilities (that is, vulnerabilities that have already been identified by external entities and published in information sources such as vendor advisories and vulnerability databases) as well as other potential weaknesses that an adversary could exploit. These assessments can be conducted by internal staff or by a third-party entity. Consideration should be given to the perspective of a potential internal or external threat actor, as this may reveal threat vectors that would otherwise go unnoticed. The organisation must decide the time intervals at which it will repeat assessments, and define the triggers (such as system changes and external events) that cause an assessment to be performed outside the regular schedule, so that it always has the most current and accurate vulnerability information.
Related Practices: Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression are THREAT-1c, THREAT-1f, and THREAT-1k.