ISO/IEC 30111
vulnerability handling standard for PSIRT and product security teams

ISO/IEC 30111 explained for product security and PSIRT teams

ISO/IEC 30111:2019 (Information technology, Security techniques, Vulnerability handling processes) is the international standard for the internal-handling half of vulnerability disclosure. It describes how an organisation that produces software, hardware, or services operates the internal triage, the root-cause analysis, the fix development, the regression testing, and the release-readiness sign-off that produce the remediation the disclosure side commits to. The standard names the policy, the case register, the verification clocks, the remediation discipline, the regression evidence, and the post-release tracking, and it pairs explicitly with ISO/IEC 29147 (Vulnerability disclosure) which covers the external-facing counterpart.

For PSIRT teams, product security teams at vendors, AppSec teams accountable for fixing externally reported and internally discovered issues, GRC owners producing the audit pack, and CISOs at organisations that ship products read against by federal, EU, financial, or critical-infrastructure regulators, ISO/IEC 30111 is the operating reference the engineering-side discipline reads against. The standard is the international anchor that the EU Cyber Resilience Act, the CISA Coordinated Vulnerability Disclosure model, the FIRST PSIRT Services Framework, and the ISO/IEC 27001 Annex A 8.8 control on management of technical vulnerabilities all inherit from on the handling side.

This page walks through the scope of the standard, the four phases of the handling cycle, the operating-record artefacts the standard expects, the failure modes the standard was published to surface, the relationship with adjacent regimes, the audit-grade evidence pack the programme produces, and where ISO/IEC 30111 sits alongside the PSIRT operating workflow, the vulnerability disclosure programme management workflow, and the vulnerability disclosure programme setup guide. Programmes that adopt ISO/IEC 30111 as the internal-handling reference and ISO/IEC 29147 as the disclosure-side counterpart produce a coherent vulnerability operating posture that holds up under EU CRA, CISA CVD, FIRST PSIRT, federal mandate, ISO/IEC 27001, SOC 2, and audit-committee scrutiny on one record.

What ISO/IEC 30111 covers

The standard is narrower than the full vulnerability lifecycle and broader than a single process template. It covers the internally facing half of vulnerability disclosure; ISO/IEC 29147 covers the external-facing half. The two read together as a pair, with the same case identifier walking across both records.

The four phases of the handling cycle

ISO/IEC 30111 describes the handling cycle in four phases. The phases are not separate processes; they are stages on the same case record, each with named outputs the next phase reads against. Read sequentially: receipt produces the intake record, verification produces the calibrated finding, remediation produces the fix and the affected-version matrix, and release readiness plus post-release tracking produce the deployment evidence, the post-release advisory updates, and the lessons-learned record.

1. 1

   Phase 1: Receipt and intake handling

   The internal record opens the case, captures the source (external finder via the ISO/IEC 29147 intake channel, coordinator referral, internal discovery from red team or pentest, code scanning, dependency analysis, fuzzing, telemetry, or customer support escalation, or a supplier advisory), assigns the named handling owner, references the ISO/IEC 29147 disclosure record where applicable, and starts the documented internal handling clock. The intake record is the canonical artefact every later phase reads against rather than a forwarded email or a chat thread.

2. 2

   Phase 2: Verification and assessment

   The handler verifies the report. Verification confirms the affected product and version, reproduces the issue in a controlled environment, captures the technical evidence, calibrates a working severity (typically CVSS 3.1 or 4.0 with environmental modifiers and an internal exploitability rating where appropriate), maps to the affected components and shipping branches, and records the verification status against the documented clock. Verification is the gate that turns an inbound report into a tracked finding the engineering organisation reads against.

3. 3

   Phase 3: Remediation development

   The handler coordinates the technical fix. The remediation may be a code patch, a configuration change, a cryptographic rotation, an ecosystem-coordinated dependency update, a workaround for unsupported branches, an upstream-supplier fix, or, where the issue is not exploitable in shipped products, a documented advisory with no code change. The phase carries the regression evidence, the affected-version matrix, the backport decisions, the customer-facing impact assessment, and the release-readiness sign-off the disclosure side will publish against.

4. 4

   Phase 4: Release readiness and post-release tracking

   The handler delivers the remediation to the disclosure side for advisory publication and customer notification, records the release timestamp against the agreed embargo, and keeps the case open for the post-release window. Post-release tracking captures the deployment evidence, the regression observation, the exploit-in-the-wild observation where applicable, the advisory updates, and the lessons-learned summary that feeds the quarterly programme review.

The operating-record artefact set

The standard expects a defined artefact set rather than a single document. The pack below is the minimum durable set most programmes maintain when they adopt ISO/IEC 30111 as the operating baseline. Each artefact has a named owner, a refresh cadence, and a version history so reconstruction at audit time is replaced with a continuous operating trail.

Failure modes the standard is designed to surface

The standard is forgiving on the choice of tooling, the wording of the policy, and the prioritisation order within the case register. It is unforgiving about a small number of patterns that turn the handling programme cosmetic rather than operational. The patterns below recur across vulnerability handling adoptions and are the ones that erode engineering confidence and audit defensibility most reliably.

How ISO/IEC 30111 relates to adjacent regimes

ISO/IEC 30111 sits in a busy disclosure neighbourhood. The relationships below are the ones programmes encounter most often when they read 30111 against the rest of the operating regime. Programmes operating across regions and sectors use 30111 as the internal-handling spine and read ISO/IEC 29147, the FIRST PSIRT Services Framework, the EU CRA, CISA CVD, and ISO/IEC 27001 Annex A 8.8 as the contextual layers around it.

The audit-grade evidence pack

Internal auditors, ISO/IEC 27001 certification bodies reading Annex A controls A.5.7 (threat intelligence), A.5.27 (learning from information security incidents), A.5.28 (collection of evidence), A.5.36 (compliance with policies, rules, and standards), and A.8.8 (management of technical vulnerabilities), federal customers under FedRAMP and NIST SP 800-171, financial regulators under DORA Article 28, EU market surveillance under CRA, and PSIRT programmes operating to FIRST guidance all read handling evidence in similar shapes. The minimum durable pack below is the residue of the operating work rather than a separate compilation produced at reading time.

Where SecPortal fits in an ISO/IEC 30111 programme

SecPortal is the operating layer for the vulnerability handling case lifecycle, not a replacement for the policy hierarchy, the engineering ownership model, or the release engineering discipline that the standard expects. The platform handles the case-side workstreams (intake, verification, triage, remediation, regression evidence, release readiness, post-release tracking) so the artefacts the policy commits to are produced as structured records rather than reconstructed across email threads, ticketing systems, and document drives at audit time. The same workspace that hosts the handling case hosts the SAST, dependency analysis, authenticated DAST, external scanning, and continuous monitoring evidence the verification and regression phases depend on.

The handling-side evidence (intake, verification, remediation, release readiness, post-release tracking) reads against operational workflows that already exist as named use cases. The PSIRT operating workflow carries the case-management discipline the handling record reads against. The vulnerability disclosure programme management workflow carries the published policy, the intake channel, and the finder-relationship operating trail that pairs with the handling side. The zero-day and emergency vulnerability response workflow carries the accelerated handling path for cases where the standard handling clock has to be compressed and an emergency release is required.

For internal security teams operating ISO/IEC 30111 as part of the wider product security baseline, the product security teams workspace bundles the platform with the engagement structure the handling cadence reads against. For GRC and compliance teams reading the handling evidence against ISO/IEC 27001, SOC 2, EU CRA, and the federal mandates, the GRC and compliance teams workspace covers the policy hierarchy, the evidence pack, and the audit cadence the standard expects. For CISOs and security leaders carrying the programme-level reporting on the handling posture, the CISOs and security leaders workspace covers the executive-layer reporting model that sits on top of the handling operating record.

For deeper reading on the disciplines this standard reads against, the ISO/IEC 29147 framework page covers the disclosure-side counterpart that 30111 pairs with. The EU Cyber Resilience Act framework page covers the regulation that operationalises the ISO/IEC 30111 expectations for manufacturers placing products with digital elements on the EU market. The EU Cyber Resilience Act vulnerability handling guide covers the practical handling-side walkthrough the regulation expects. The CVE Numbering Authority guide covers the CVE issuance discipline that pairs with the handling and disclosure cycles. The VEX guide covers the exploitability-statement artefact paired with SBOM that downstream consumers read alongside the advisory. The ISO 27001 framework page covers the wider ISMS context the handling programme sits inside, with Annex A 8.8 as the direct control read. The ISO/IEC 27035 framework page covers the information security incident management counterpart that completes the ISO incident-and-disclosure trio for vendors that both ship products and operate ISMS-grade incident response.