Navigating Vulnerability Standards: CVE, CVSS, NVD, and ISO Security Frameworks Explained
November 5th, 2025
Cybersecurity Architects use many different industry standards, vulnerability frameworks, and databases to effectively identify, quantify, and remediate vulnerabilities.
The International Organization for Standardization (ISO) is an independent international organization that creates globally recognized standards. ISO has published numerous security standards, including ISO 27034, 31000, 30111, 29147, and 27001. Let's go over what they cover:
ISO 27034 - A formalized standard for software security and how to build, manage, and maintain it during the software development lifecycle.
ISO 31000 - A generic standard for enterprise risk management.
ISO 30111 - A guide to handling vulnerability reports and how to process and remediate the vulnerabilities that were discovered.
ISO 29147 - A guideline for disclosing vulnerabilities and security information to internal parties, stakeholders, customers, etc.
ISO 27001 - A broad standard for implementing information security processes within an organization (policy, talent, and security controls).
Following ISO standards helps organizations proactively manage risk and enables the organization to sustain high levels of security.
The National Vulnerability Database (NVD) is a database of vulnerabilities with corresponding descriptions, severity scores, and impact ratings. The NVD is fed by the Common Vulnerabilities and Exposures (CVE) list, a catalogue of publicly known security vulnerabilities that exists to act as a standard reference for security professionals to track, manage, and discuss security flaws across different tools and platforms. The Common Vulnerability Scoring System (CVSS) also feeds the NVD: it provides overall composite scores representing the severity and risk of a vulnerability. There are three types of CVSS scores: Base scores, Temporal scores, and Environmental scores. Base scores are the general, broad score assigned to a vulnerability; temporal scores are re-evaluated at intervals for factors that change over time, such as the availability of a fix or mitigation; and environmental scores are optional scores that account for the specific environment being evaluated. Together, the NVD, CVE, and CVSS frameworks provide security professionals with a comprehensive, standardized approach for identifying, tracking, and evaluating software vulnerabilities, empowering informed risk management and security decisions across their organization.
By leveraging globally recognized ISO standards alongside comprehensive vulnerability databases and scoring frameworks like NVD, CVE, and CVSS, cybersecurity architects can proactively identify and manage risks, ensuring their organization maintains a resilient and robust security posture for protecting their clients and sensitive information.
— Ben Skinner