A preparatory phase that defines policies and standards, clarifies the scope, and prioritizes critical assets to create a baseline for vulnerability management is known as what?

Starting vulnerability management with a preparatory phase is all about establishing governance and scope for how vulnerabilities will be handled. This phase defines the policies and standards that guide the program, clarifies what assets and boundaries are in scope, and identifies and prioritizes the most critical assets to create a baseline for ongoing vulnerability work. With this foundation, later steps like discovery, assessment, and remediation can be carried out consistently and in alignment with risk priorities. This isn't about the technical flaws themselves, which would come up during assessments or remediation, nor about how to rate severity (that would be CVSS). It also isn’t about a specific vulnerability type like buffer overflows.