ISM-1909 (ASD Information Security Manual (ISM) policy control)

Perform Root Cause Analysis for Vulnerabilities

Analyse the cause of issues and fix related vulnerabilities completely.


Plain language

When you find a security problem, it's important to dig deep to understand the root cause and not just patch it up. If you only fix part of the issue, there's a risk similar problems will keep happening, potentially compromising sensitive information or your systems' functionality.

Framework

ASD Information Security Manual (ISM)

Control effect

Responsive

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

In resolving vulnerabilities, root cause analysis is performed and, to the greatest extent possible, entire vulnerability classes are remediated.

Why it matters

Without root cause analysis, fixes are patchy and the same vulnerability class reappears across systems, enabling repeat exploitation and possible breaches.


Operational notes

For each vulnerability, document the underlying cause (e.g. coding pattern, misconfiguration) and remediate the whole class via standards, templates and regression tests.


Implementation tips

  • IT managers should lead a thorough analysis whenever a security vulnerability is identified. They can do this by gathering a team that includes the IT staff, system users, and any relevant vendors to discuss what specific sequence of events led to the vulnerability.
  • System owners should document each identified vulnerability and what caused it. They should present this in a clear report that describes the issue, how it was discovered, the root cause, and potential solutions.
  • The IT team should develop and implement a plan to address the root cause of vulnerabilities. This involves creating a timeline for implementing solutions and monitoring the changes over time to ensure they are effective.
  • Managers should ensure regular training and awareness programs for their teams, focused on specific vulnerabilities that could affect their systems. This can involve inviting cyber security experts to provide workshops or webinars.
  • HR and IT departments should collaborate to ensure that new policies or changes resulting from root cause analyses are communicated effectively across the organisation. Use internal newsletters or meetings to explain these updates and their importance.

Audit / evidence tips

  • Ask: The root cause analysis report. Request reports of recent security vulnerabilities and their analyses. Good evidence: the report includes details like timelines, responsible parties, and follow-up steps.
  • Ask: Meeting notes or records. Request records from vulnerability response meetings. Good evidence: meeting notes highlight concrete actions and deadlines.
  • Ask: Updated policy documents. Request to see revised policies or procedures that were changed following a root cause analysis.
  • Ask: Training records. Request proof of staff training sessions that directly address vulnerability management.
  • Ask: System monitoring logs. Request logs that show system behaviour before and after vulnerability fixes.

Cross-framework mappings

How ISM-1909 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 5.23
Relationship: Partially overlaps (1)
Notes: ISM-1909 requires root cause analysis (RCA) when resolving vulnerabilities so underlying causes are identified and whole vulnerability cl...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
