In some of our predefined standards, for example "CIS Security Benchmark for HP-UX v1.3.1" and "CIS SUSE Linux Enterprise Server 10 Benchmark v2.0.0", none of the checks in section 1.x.x of the standard have a CIA or CVSS rating set. They are marked as 'no impact' or 'not defined'.
These checks were purposely not assigned a CIA rating because CIS has only one check for ‘Apply Latest OS Patches’, whereas we implemented multiple checks covering all the packages available in that particular OS. Having this many checks helps to identify exactly which package(s) need to be updated.
Per CIS, only one check needs to fail if not all packages are updated to the latest available patch, whereas in our assessment multiple checks may need to fail. Assigning CIA ratings to these individual checks (more than 300 checks in an individual standard) would drastically impact the final scoring of the benchmark assessment.