Match closure state to the proof in hand, not to optimism, ticket status, or one stale scan.
Training Drill
Close the work only when the evidence closes it.
Practice choosing the right closure language for patched, mitigated, monitored, not-affected, accepted-risk, and pending-evidence outcomes.
Patched, mitigated, monitored, not affected, and accepted risk are different outcomes with different proof.
Leave enough evidence for another owner to understand why the item was closed or left open.
Closure Cases
Choose the closure state the evidence supports
The safest closure says exactly what was proven and what remains caveated.
Owner shows the fixed version deployed on all in-scope assets.
Supported closure: Patched, if rollout scope and restart or service state are also confirmed.
Still caveat: The closure proves remediation of listed assets, not historical absence of exploitation.
No patch exists, but access is restricted and the risky feature is disabled.
Supported closure: Mitigated or temporarily controlled, with owner, control evidence, and review date.
Still caveat: This is not the same as patched unless vendor guidance says the control fully removes exposure.
Patch is scheduled next week, and SOC has active telemetry coverage until then.
Supported closure: Keep open as monitored or deferred, not remediated.
Still caveat: Monitoring reduces uncertainty but does not remove the vulnerable condition.
Inventory shows the vulnerable component is not installed on matched systems.
Supported closure: Not affected, if inventory, scan scope, and owner evidence are attached.
Still caveat: Reopen if vendor scope changes or new evidence shows the component exists elsewhere.
Business owner accepts delayed patching with documented compensating controls.
Supported closure: Accepted risk or exception, only with approver, expiry, controls, and review cadence.
Still caveat: Acceptance is not remediation; it is a governed decision to carry risk temporarily.
Ticket says complete, but no fixed version, control evidence, or scan refresh is attached.
Supported closure: Pending evidence.
Still caveat: A ticket status alone is not closure proof.
Closure Pattern
Write closure as a claim plus evidence
State
Patched, mitigated, monitored, not affected, accepted risk, or pending evidence.
Proof
Version, control, telemetry, scan, owner attestation, vendor guidance, approval, or expiry evidence.
Caveat
What the closure does not prove, and what would trigger reopen or follow-up.
Next Steps
Use closure language in real workflows
Remediation Evidence
Use the full page for patched, mitigated, monitored, accepted-risk, and not-affected proof patterns.
Exception Register
Use it when closure depends on accepted risk, delayed patching, or temporary controls.
Patch Owner Examples
Copy closure-ready language for patch owners and service teams.