diff --git a/docs/policies/threat_modelling_policy.md b/docs/policies/threat_modelling_policy.md
index fead1f0..4b066e8 100644
--- a/docs/policies/threat_modelling_policy.md
+++ b/docs/policies/threat_modelling_policy.md
@@ -111,20 +111,21 @@ The following must be considered when using collecting, analysing and sharing th
## Related policies
The following polices are associated with this policy and should also be read as they directly interact or support the policy:
-- [Vulnerability Management Policy](vulnerability_management_policy.md)
-- Incident Management Policy
-- Security Monitoring Policy
-- Asset Management Policy (TBC)
-- Risk Management Policy (TBC)
-- Supplier Management Policy (TBC)
+- [Vulnerability management policy](vulnerability_management_policy.md)
+- [Threat intelligence policy](threat_intelligence_policy.md)
+- Incident management policy
+- Security monitoring policy
+- Asset management policy (TBC)
+- Risk management policy (TBC)
+- Supplier management policy (TBC)
## Revision history
### Revision table
-| Date of change | Author | Review Date | Version |
-| -------------- | ------------------ | -------------------- | ------- |
-| YYYY-MM-DD | FULL_NAME | YYYY-MM-DD (+1 year) | v0.1 |
+| Date of change | Author | Review Date | Version |
+| -------------- | ------------------ | ----------- | ------- |
+| 2024-12-20 | Simon Bishop | 2025-12-20 | v0.1 |
### Approved by
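Review bot: the new list item `[Threat intelligence policy](threat_intelligence_policy.md)` links to a file that is not added or touched anywhere in this diff; confirm `docs/policies/threat_intelligence_policy.md` already exists, otherwise the link will 404 when the docs are built. While this section is being edited, the unchanged context line "The following polices are associated with this policy" still carries the typo "polices" (should be "policies"), and only two of the seven related policies are links; it would be worth either linking the ones that exist or marking all the unlinked ones consistently (the `(TBC)` suffix currently only covers three of them).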
diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md
index 88a857b..2f58856 100644
--- a/docs/policies/vulnerability_management_policy.md
+++ b/docs/policies/vulnerability_management_policy.md
@@ -36,16 +36,20 @@ This policy is applicable to all DfE employees that produce, maintain or are res
## Responsibility
The digital service teams and portfolios are responsible for ensuring they mitigate vulnerabilities within their software and infrastructure.
-### Responsibile Accountable Consulted Informed (RACI) matrix
-
-| Tasks | Developers/DevOps | Service Owners | Vulnerability Management team |
-| ----------------------------------- | ----------------- | -------------- | ------- |
-| Patching Azure servers | R | A | C |
-| Patching software dependencies | R | A | C |
-| Patching container images | R | A | C |
-| Fixing SAST vulnerabilities | R | A | C |
-| Fixing DAST vulnerabilities | R | A | C |
-| Fixing VDP reported vulnerabilities | R | A | I |
+### Responsible Accountable Consulted Informed (RACI) matrix
+
+| Role
Activity | CISO | SROs | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects |
+| ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- |
+| Patching Azure servers | A | A | R | C | I | C |
+| Patching software dependencies | A | A | R | C | I | C |
+| Patching container images | A | A | R | C | I | C |
+| Fixing SAST vulnerabilities | A | A | R | C | I | C |
+| Fixing DAST vulnerabilities | A | A | R | C | I | C |
+| Fixing VDP reported vulnerabilities | A | A | R | I | I | C |
+| Risk management and appetite | A | R | C | C | I | C |
+| Prioritisation of remediation | A | R | C | C | I | C |
+| Monitoring for vulnerabilities | A | A | R | R | I | C |
+| Organisation penetration tests | A | A | C | I | I | C |
## Other responsible owners
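Review bot: the new header cell is split across two lines (`| Role` on one line and `Activity | CISO | ...` on the next), which breaks the Markdown table, since a table row cannot contain a line break; collapse it into a single header cell such as `| Activity \ Role | CISO | SROs | ...`. On the content of the matrix: a RACI row conventionally has exactly one `A`, but every row here gives `A` to both CISO and SROs, and "Monitoring for vulnerabilities" gives `R` to both Developers/DevOps and the Vulnerability management team, so it is unclear who actually owns an escalation; if the intent is that the CISO is accountable for the policy and SROs for their own services, say so in a sentence under the table rather than doubling up the column. Also "Organisation penetration tests" has no `R` at all (CISO `A`, SROs `A`, Developers/DevOps `C`, Vulnerability management team `I`, Delivery managers `I`, Architects `C`), so nobody is responsible for running them; presumably the Vulnerability management team should be `R` there.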
@@ -231,13 +235,13 @@ The vulnerability management team:
* must triage vulnerabilities from the vulnerability disclosure programme to development teams that ensures the teams can fix vulnerabilities within SLAs
-## Revision history
+## Revision history and decision records
### Revision table
-| Date of change | Author | Review Date | Version |
-| -------------- | ------------------ | -------------------- | ------- |
-| YYYY-MM-DD | FULL_NAME | YYYY-MM-DD (+1 year) | v0.1 |
+| Date of change | Author | Review Date | Version |
+| -------------- | ----------------- | ----------- | ------- |
+| 2024-12-19 | Samuel Pritchard | 2025-12-19 | v0.1 |
### Approved by
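Review bot: the heading is renamed to `## Revision history and decision records` here, but the same section in `threat_modelling_policy.md` (edited in this diff) keeps `## Revision history`; the two policy documents should use the same heading so the revision and decision-record sections are consistent across the policy set. Also, the revision table now has a real author and dates while the "Review Date" column has lost the `(+1 year)` hint that told later editors how to set it; if that guidance is still wanted, keep it in the column header or in a note above the table.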
@@ -246,6 +250,7 @@ The vulnerability management team:
| --------------- | --------- | ---------- | ------- |
| FULL_NAME | TITLE | YYYY-MM-DD | v0.1 |
+
### Policy updates and decision record
| Decision | Reason for decision | Author (Job title) | Date |
| -------- | ------------------- | ------ | ---- |
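Review bot: the added blank line fixes the missing separation before `### Policy updates and decision record`, but the "Approved by" table above it still holds the template placeholders (`FULL_NAME | TITLE | YYYY-MM-DD | v0.1`) while the revision table in the previous hunk now records a real v0.1 entry dated 2024-12-19; either populate the approver row or state that approval of v0.1 is pending, so the document does not claim a version that has no recorded approval.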
@@ -259,7 +264,6 @@ The vulnerability management team:
| Mitigation | A fix that can be put in place (often quickly) to prevent a vulnerable component from being compromised. To make less severe and reduce the risk to DfE. |
| Remediation | The complete fix that will ensure an issue has been completely resolved. Provide a remedy for the vulnerability. |
-# Appendix B: Centre for Internet Security (CIS) safeguards mapping
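Review bot: this hunk removes only the `# Appendix B: Centre for Internet Security (CIS) safeguards mapping` heading (the hunk header shows a net loss of one line), so either the appendix body is left in place without its heading, or the mapping was removed in an earlier change and this is the leftover; please confirm which, and check that no earlier section of the policy still refers readers to "Appendix B" or to the CIS safeguards mapping, since the diff does not show those references being updated.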