GRCWatch
Sign inStart free trial

CIS Controls 7.2: Establish and Maintain a Remediation Process

A documented remediation process is essential for converting security findings into action. CIS Controls 7.2 requires you to establish a risk-based strategy with regular reviews—typically monthly or more frequently—to ensure vulnerabilities don't slip through the cracks.

What this means

This control mandates creating a formal process that prioritizes security issues by risk level and tracks them to resolution. Your remediation strategy must be documented, reviewed at least monthly, and adapted based on emerging threats and remediation velocity. The goal is preventing security gaps from becoming compliance failures.

How to comply

  1. 1.Document your remediation process, including risk classification criteria (critical, high, medium, low) and response timeframes for each severity level
  2. 2.Define ownership and accountability—assign teams or individuals responsible for remediation of different asset types or vulnerability categories
  3. 3.Establish SLAs for remediation based on risk level (e.g., critical issues within 24-48 hours, high within 7 days)
  4. 4.Create a centralized tracking system to log all identified vulnerabilities, their status, and remediation progress
  5. 5.Conduct monthly reviews of open remediation items, closure rates, and trends to identify systemic issues
  6. 6.Adjust priorities and timelines based on business impact, threat intelligence, and resource availability
  7. 7.Communicate remediation status to stakeholders and document approvals for any items that cannot be immediately remediated

Evidence auditors look for

  • Documented remediation policy and procedures covering severity levels, SLAs, and escalation paths
  • Risk scoring matrix or framework used to prioritize vulnerabilities
  • Remediation tracking log with vulnerability ID, discovery date, severity, assigned owner, target remediation date, and actual closure date
  • Monthly remediation review meeting notes with attendance, metrics (e.g., closure rate, average time-to-remediate), and decisions
  • Signed-off risk acceptance forms for vulnerabilities that cannot be remediated within SLA
  • Trend reports showing remediation velocity and systemic patterns over time
  • Evidence of communication to management and audit trails of remediation actions taken

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates vulnerability tracking, severity scoring, and SLA monitoring so your team stays on top of remediation without manual spreadsheet management—and generates monthly review reports automatically.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 6.1 — Establish and Maintain an Inventory of DevicesCIS Controls 7.1 — Establish and Maintain a Vulnerability Management ProcessCIS Controls 2.1 — Establish and Maintain Software Asset Management