# SMB Vulnerability Program Checklist (Download)

A minimum viable program you can run without building a compliance department.

## Scope and ownership
- [ ] Asset inventory exists (servers, endpoints, cloud, SaaS)
- [ ] Each asset group has an owner
- [ ] You know which assets store or process customer data, and treat those as in scope by default

## Scanning
- [ ] Authenticated internal scans weekly
- [ ] External perimeter scans weekly
- [ ] Web app / API scans monthly (or after major releases)

## Triage + prioritization
- [ ] Prioritization weighs exploitability (known-exploited status, public exploit availability, internet exposure) alongside the severity score, not CVSS alone
- [ ] A “Top 10” remediation list is produced weekly
- [ ] You track repeat offenders (findings that share one root cause, e.g. the same unpatched base image or the same default credential)

## Remediation workflow
- [ ] Every finding becomes a ticket with an owner and a due date
- [ ] SLAs defined and measured from first detection (Critical 7d, High 30d, Medium 90d)
- [ ] Exceptions require explicit, documented approval and an expiry date, after which the finding is re-reviewed
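A worked example of the triage, SLA and closure rules above, added here as illustration; it is not code from the checklist or from any scanner vendor. It assumes each finding carries a first-seen date, a root-cause tag, an `epss` exploit-probability score and a `kev` known-exploited flag (the last two are assumed to come from your scanner export), and it assigns no SLA to Low findings because the checklist sets none. The sample findings are constructed for the example, not real scan output.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows from the checklist (Critical 7d, High 30d, Medium 90d), counted
# from the day the finding was first seen. The checklist sets no SLA for Low,
# so this example tracks Low findings without a due date (an assumption here).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    fid: str
    asset: str
    title: str
    severity: str                     # critical / high / medium / low
    first_seen: date
    root_cause: str                   # shared cause, e.g. "unpatched OS", "default creds"
    epss: float = 0.0                 # exploit-probability score (assumed scanner field)
    kev: bool = False                 # listed in a known-exploited catalogue (assumed field)
    status: str = "open"              # open / closed
    closed_on: Optional[date] = None
    rescan_verified: bool = False     # a clean rescan is attached to the ticket
    exception_approved: bool = False  # risk accepted with explicit approval


def due_date(f: Finding) -> Optional[date]:
    days = SLA_DAYS[f.severity]
    return None if days is None else f.first_seen + timedelta(days=days)


def is_overdue(f: Finding, today: date) -> bool:
    """Open, past its SLA due date, and not covered by an approved exception."""
    d = due_date(f)
    return f.status == "open" and d is not None and today > d and not f.exception_approved


def priority_key(f: Finding, today: date):
    """Exploitability first: a known-exploited Medium outranks a theoretical High."""
    return (
        0 if f.kev else 1,               # exploited in the wild comes first
        SEVERITY_RANK[f.severity],       # then severity
        -f.epss,                         # then higher exploit probability
        -(today - f.first_seen).days,    # then older findings
    )


def top_n(findings, today: date, n: int = 10):
    """The weekly 'Top 10': open findings without an approved exception, ranked."""
    candidates = [f for f in findings if f.status == "open" and not f.exception_approved]
    return sorted(candidates, key=lambda f: priority_key(f, today))[:n]


def repeat_offenders(findings, min_count: int = 2):
    """Root causes that produced more than one finding, open or closed."""
    counts = Counter(f.root_cause for f in findings)
    return {cause: c for cause, c in counts.items() if c >= min_count}


def close_ticket(f: Finding, today: date) -> bool:
    """Closure needs rescan evidence; returns False and leaves the ticket open otherwise."""
    if not f.rescan_verified:
        return False
    f.status, f.closed_on = "closed", today
    return True


def sla_performance(findings) -> Optional[float]:
    """Share of closed, SLA-bound findings that were closed on or before their due date."""
    closed = [f for f in findings if f.status == "closed" and due_date(f) is not None]
    if not closed:
        return None
    met = sum(1 for f in closed if f.closed_on <= due_date(f))
    return met / len(closed)


def weekly_report(findings, today: date) -> dict:
    return {
        "top": [f.fid for f in top_n(findings, today)],
        "overdue": [f.fid for f in findings if is_overdue(f, today)],
        "repeat_offenders": repeat_offenders(findings),
        "sla_performance": sla_performance(findings),
    }


# Constructed sample data for this example; not real scan output.
TODAY = date(2024, 6, 10)
SAMPLE = [
    Finding("F-1", "web-01", "Outdated TLS library", "high", date(2024, 5, 1), "unpatched OS", epss=0.05),
    Finding("F-2", "vpn-01", "VPN appliance RCE", "medium", date(2024, 6, 5), "unpatched appliance", epss=0.9, kev=True),
    Finding("F-3", "db-02", "Default admin password", "critical", date(2024, 6, 1), "default creds"),
    Finding("F-4", "app-03", "Default admin password", "critical", date(2024, 6, 8), "default creds", exception_approved=True),
    Finding("F-5", "jump-01", "Missing kernel patch", "high", date(2024, 4, 1), "unpatched OS",
            status="closed", closed_on=date(2024, 4, 20), rescan_verified=True),
]

if __name__ == "__main__":
    for key, value in weekly_report(SAMPLE, TODAY).items():
        print(f"{key}: {value}")
```

Running it on the sample puts the known-exploited Medium (F-2) ahead of the Criticals, lists F-1 and F-3 as overdue, keeps the exception-approved F-4 off the remediation list, and refuses to close F-3 until a clean rescan is recorded. Swap `SAMPLE` for a parsed scanner export and the same functions produce the weekly and monthly numbers the reporting section asks for.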

## Verification
- [ ] Tickets require verification before closure
- [ ] Rescan evidence is stored in one place

## Reporting cadence
- [ ] Weekly: top risks + what changed
- [ ] Monthly: trends + SLA performance
- [ ] Quarterly: program review + tooling gaps

## When you’re ready to graduate to compliance
- You can consistently meet SLAs
- Evidence is easy to retrieve (not in emails)
- Leadership reviews risk monthly
