
CVSS (Common Vulnerability Scoring System)

Updated on 1 min Reviewed by: Cenedril Editorial

CVSS (Common Vulnerability Scoring System) is an open standard for rating the severity of vulnerabilities on a scale from 0.0 to 10.0. The current version is CVSS v4.0. The rating considers attack vector, complexity, required privileges, and impact on confidentiality, integrity, and availability.

In an ISMS, CVSS supports prioritization in vulnerability management under ISO 27001 Annex A control A.8.8. Typical thresholds: Critical (9.0-10.0) requires an immediate response, High (7.0-8.9) must be remediated within defined timeframes, and Medium and Low are handled according to the risk assessment. The CVSS score alone is insufficient: the context of your environment (reachability, criticality of the affected system, existing compensating controls) determines the actual risk. CVSS provides the starting point; final prioritization remains an organization-specific decision.