Annex A.12.6.1, Management of Technical Vulnerabilities, covers technical vulnerability management. Its objective is to prevent the exploitation of technical vulnerabilities.
It concentrates efforts on three key areas:
- Timely identification of security vulnerabilities.
The sooner you discover a vulnerability, the more time you have to correct it, or at least to warn the manufacturer about the situation, which shrinks the window of opportunity a potential attacker has.
- Assessment of the organization's exposure to a vulnerability.
Not all organizations are affected the same way by a given vulnerability, or set of vulnerabilities. You have to perform a risk assessment to identify and prioritize the vulnerabilities that are most critical to your assets and business.
- Proper measures considering the associated risks.
Once you have identified the most critical vulnerabilities, you need to decide on the actions to take and the resources to allocate to deal with them; that is your risk treatment plan. The most prudent approach is to order this work by the risk level associated with each vulnerability.
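The three areas above, worked through as an added example (not code from the annex or from any standard): each finding's vendor severity is adjusted by the organization's own exposure, then ordered into a risk-ranked treatment plan. The findings, asset criticalities, weights, risk bands and SLAs are constructed sample data and assumptions, not values the annex prescribes.

```python
# Added example: risk-based prioritization of technical vulnerabilities.
# All findings, assets, weights and SLAs below are constructed / assumed.
from dataclasses import dataclass

@dataclass
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    asset: str              # affected asset (constructed)
    cvss: float             # vendor base severity, 0.0-10.0
    internet_facing: bool   # reachable from the internet?
    asset_criticality: int  # 1 (low) .. 5 (business-critical), from the asset inventory
    patch_available: bool   # has the manufacturer shipped a fix?

def exposure_factor(f: Finding) -> float:
    """Scale severity to THIS organization's exposure (assumed weighting)."""
    factor = f.asset_criticality / 5.0
    if f.internet_facing:
        factor *= 1.5           # assumed weight for externally reachable assets
    return round(factor, 2)

def risk_score(f: Finding) -> float:
    """Organization-specific risk, capped at the CVSS ceiling of 10.0."""
    return round(min(10.0, f.cvss * exposure_factor(f)), 2)

def risk_level(score: float) -> str:
    """Map the score onto the CVSS v3 qualitative bands."""
    if score >= 9.0: return "critical"
    if score >= 7.0: return "high"
    if score >= 4.0: return "medium"
    return "low"

def treatment_plan(findings):
    """Return findings ordered by risk, each with an action and an assumed SLA (days)."""
    sla_days = {"critical": 7, "high": 30, "medium": 90, "low": 180}
    plan = []
    for f in sorted(findings, key=risk_score, reverse=True):
        score = risk_score(f)
        level = risk_level(score)
        action = "patch" if f.patch_available else "mitigate and track vendor fix"
        plan.append((f.vuln_id, f.asset, score, level, action, sla_days[level]))
    return plan

# Constructed sample findings: same CVSS can land at very different risk levels.
SAMPLE = [
    Finding("VULN-A", "public web server", 9.8, True, 5, True),
    Finding("VULN-B", "isolated test VM", 9.8, False, 1, True),
    Finding("VULN-C", "customer portal", 6.5, True, 4, False),
    Finding("VULN-D", "internal file server", 7.5, False, 3, True),
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE):
        print(row)
```

Note how VULN-A and VULN-B share a CVSS of 9.8 yet end up at opposite ends of the plan: the exposure assessment, not the vendor score alone, decides the order of work.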