The organization has defined a process for addressing identified technical vulnerabilities.
Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:
The organization monitors information about technical vulnerabilities of the information systems in use. When relevant technical vulnerabilities are detected, the organization takes action according to the planned operating model.