CIS Control 18.3: Remediate Penetration Test Findings
Penetration testing reveals vulnerabilities, but remediation is what actually reduces risk. CIS Control 18.3 requires you to systematically address penetration test findings based on your organization's prioritization and scope policies. Without a structured remediation process, your security posture remains exposed.
What this means
This control mandates that your organization establish and follow a defined policy for remediating penetration test findings. Rather than ad-hoc responses, you need documented criteria for determining which findings to address, in what order, and by when. The policy should account for severity, business impact, remediation cost, and resource availability to create a realistic remediation roadmap that gets executed.
How to comply
- 1.Develop a documented penetration test remediation policy that defines scope, prioritization criteria, and timelines
- 2.Establish severity ratings and map them to remediation deadlines (e.g., critical findings within 30 days)
- 3.Conduct regular penetration tests and document all findings with supporting evidence
- 4.Assign ownership for each finding and track remediation status in a centralized system
- 5.Implement compensating controls for findings that cannot be immediately remediated
- 6.Validate that remediation efforts actually eliminated the vulnerability through re-testing
- 7.Report on remediation metrics to leadership and audit teams quarterly
Evidence auditors look for
- Penetration test policy document with defined remediation scope and prioritization framework
- Penetration test reports with findings categorized by severity level
- Remediation tracking spreadsheet or system showing status, owner, and due dates
- Evidence of re-testing to confirm vulnerabilities were eliminated
- Documented exceptions or compensating controls for unresolved findings
- Executive remediation status reports showing trend analysis over time
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates penetration test finding tracking with severity-based workflows, remediation status dashboards, and built-in re-test validation—eliminating spreadsheets and ensuring findings don't slip through the cracks.
See how GRCWatch handles this control automatically
Start free trial