PCI DSS 11.1.3: Managing Non-Critical Vulnerabilities
Non-critical vulnerabilities can accumulate into significant security risks if left unmanaged. PCI DSS 11.1.3 requires organizations to establish a systematic approach to identifying, tracking, and remediating all vulnerabilities below the critical and high-risk threshold. This control ensures your vulnerability management program covers the full spectrum of security issues.
What this means
This control requires you to manage all vulnerabilities that don't meet critical or high-risk criteria using a documented vulnerability management policy. While critical and high-risk vulnerabilities demand immediate attention, non-critical vulnerabilities still pose security risks and must be tracked, prioritized, and remediated according to your organization's defined timelines and processes. This prevents vulnerability accumulation and ensures comprehensive coverage of your security posture.
How to comply
- 1.Document your vulnerability management policy with clear definitions of vulnerability severity levels and remediation timelines for each category
- 2.Establish vulnerability scanning procedures that identify and classify all vulnerabilities, including non-critical ones
- 3.Create a tracking system or inventory that logs all non-critical vulnerabilities with discovery dates, affected systems, and remediation status
- 4.Define remediation timelines for non-critical vulnerabilities based on risk factors and business impact
- 5.Assign ownership and accountability for remediation of non-critical vulnerabilities to system owners or security teams
- 6.Conduct regular reviews of non-critical vulnerabilities to ensure timely remediation and prevent status drift
- 7.Maintain audit trails documenting when vulnerabilities were identified, remediated, and verified as resolved
Evidence auditors look for
- Vulnerability management policy document defining severity classifications and remediation timelines
- Vulnerability scanner reports showing identified non-critical vulnerabilities with timestamps
- Vulnerability tracking spreadsheet or system with status updates and remediation dates
- Patch management records proving non-critical vulnerability remediation
- System access logs showing vulnerability scanning activities across the network
- Management review meeting minutes discussing vulnerability remediation progress
- Email communications or tickets documenting vulnerability assignments and resolution
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates vulnerability categorization and tracks non-critical remediation timelines in a single dashboard, eliminating manual spreadsheet management and providing auditors with instant evidence of your vulnerability management policy in action.
See how GRCWatch handles this control automatically
Start free trial