Vulnerability and Control Deficiency Analysis (VCDA) is the systematic process of identifying, characterizing, and prioritizing security gaps in an organization's systems, processes, and controls — and diagnosing why those gaps exist. A vulnerability is a weakness in a system, application, or process that a threat actor could exploit. A control deficiency is a gap in the design or operation of a security control that prevents it from effectively mitigating risk. VCDA goes beyond cataloguing weaknesses: it traces each gap to its root cause, classifies it by deficiency type (missing, design, or operational), maps it to a control framework, and translates findings into business risk language for prioritized remediation. This is a core CISM competency within Domain 2: Information Security Risk Management.
Where it stops · what it isn't
- IS: Identifying and characterizing vulnerabilities in systems, applications, and processes using structured methodologies: vulnerability scanning, penetration test result analysis, CVSS scoring, and control effectiveness testing
- IS: Classifying control deficiencies by root cause: design deficiency (the control was never designed to address the risk), operational deficiency (the control exists but is not executed as intended), or missing control (no control exists for the identified risk)
- IS: Mapping vulnerabilities and control deficiencies to control frameworks (COSO, COBIT, ISO 27001, PCI DSS, NIST CSF) to identify coverage gaps
- IS: Evaluating compensating controls when primary controls are deficient, and quantifying the residual risk that remains
- IS NOT: Threat modeling or threat landscape analysis; that is a sibling competency ('Risk and Threat Landscape')
- IS NOT: Risk response planning or remediation execution; those belong to 'Information Risk Response'
- IS NOT: Risk monitoring dashboards or reporting cadence; those belong to 'Risk Monitoring, Reporting, and Communication'
- IS NOT: Penetration testing or red team operations; VCDA consumes pen test findings as inputs, it does not conduct the tests
- IS NOT: Patch management execution; VCDA informs patch prioritization decisions but does not manage the patching workflow
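As an added worked example (not part of this cubelet or of any CISM material), the Python below implements the CVSS v3.1 base-score formula from the FIRST specification and layers the VCDA steps on top of it: each finding is classified as a missing, design, or operational deficiency, an evaluated compensating control is applied, and findings are ordered by residual score with their framework mapping. The `Finding` fields, the four constructed sample findings, the ISO 27001:2022 Annex A references, and the residual-risk heuristic (base score scaled by the compensating control's assumed effectiveness) are illustrative assumptions; only the CVSS arithmetic follows a published standard.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVSS v3.1 base metric weights, as published in the FIRST specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}  # Scope: Unchanged
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}    # Scope: Changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x (spec Appendix A)."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for a vector like 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15) if changed else 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if changed else total, 10))


@dataclass
class Finding:
    # Illustrative record shape (assumption): what a VCDA analyst captures per finding.
    finding_id: str
    vector: str                    # CVSS v3.1 base vector from the scan or pen test
    control_exists: bool           # is any control in place for this risk?
    control_addresses_risk: bool   # was that control designed to mitigate this risk?
    control_operating: bool        # does testing evidence show it runs as intended?
    framework_ref: str             # mapped control, e.g. an ISO 27001:2022 Annex A clause
    compensating_effectiveness: float = 0.0  # 0..1, assumed share of risk a compensating control removes


def classify_deficiency(f: Finding) -> Optional[str]:
    """Root-cause class per the VCDA taxonomy; None means the control is effective."""
    if not f.control_exists:
        return "missing"
    if not f.control_addresses_risk:
        return "design"
    if not f.control_operating:
        return "operational"
    return None


def residual_score(f: Finding) -> float:
    """Illustrative heuristic (assumption, not a CVSS or CISM formula): a covered
    finding carries no residual score; a deficient one keeps the base score less
    whatever the evaluated compensating control is assumed to remove."""
    if classify_deficiency(f) is None:
        return 0.0
    eff = min(max(f.compensating_effectiveness, 0.0), 1.0)
    return round(cvss31_base_score(f.vector) * (1 - eff), 1)


def prioritize(findings: List[Finding]) -> List[Tuple[str, Optional[str], float, float, str]]:
    """Rows of (id, deficiency type, base score, residual score, framework ref),
    highest residual first, base score as the tie-breaker."""
    rows = [(f.finding_id, classify_deficiency(f), cvss31_base_score(f.vector),
             residual_score(f), f.framework_ref) for f in findings]
    return sorted(rows, key=lambda r: (-r[3], -r[2]))


def framework_gaps(findings: List[Finding]) -> List[str]:
    """Framework references with at least one open (deficient) finding."""
    return sorted({f.framework_ref for f in findings if classify_deficiency(f)})


# Constructed sample findings (assumption): vectors are typical shapes, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("VULN-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            control_exists=False, control_addresses_risk=False, control_operating=False,
            framework_ref="ISO27001:2022 A.8.8"),
    Finding("VULN-2", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            control_exists=True, control_addresses_risk=True, control_operating=False,
            framework_ref="ISO27001:2022 A.8.8", compensating_effectiveness=0.6),
    Finding("VULN-3", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            control_exists=True, control_addresses_risk=False, control_operating=True,
            framework_ref="ISO27001:2022 A.8.16"),
    Finding("VULN-4", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            control_exists=True, control_addresses_risk=True, control_operating=True,
            framework_ref="ISO27001:2022 A.5.15"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(row)
    print("framework refs with open gaps:", framework_gaps(SAMPLE_FINDINGS))
```

Note the ordering the heuristic produces: VULN-2 has the highest base score (10.0) but drops below VULN-3 once its compensating control is credited, while VULN-4 disappears from the queue entirely because its control passed effectiveness testing. That is the point of VCDA over raw scanner output: the deficiency class and the compensating-control evaluation, not the CVSS number alone, drive what gets handed to risk response first.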
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF: Information Security Risk Management (CISM Domain 2)
REQUIRES: Risk Assessment Evaluation and Analysis; Risk and Threat Landscape
ENABLES: Information Risk Response; Risk Monitoring, Reporting, and Communication
RELATED TO: Risk and Threat Landscape; Information Risk Response
CONSTRAINS: Residual Risk Acceptance