This article provides additional information on how you can meet the requirement for the ISO 27001: 2022 control A.8.8 Management of technical vulnerabilities.
ISO 27001: 2022 Control Description
Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
Purpose
To prevent the exploitation of technical vulnerabilities in information systems.
Guidance on implementation
Effective management of technical vulnerabilities is crucial to protecting information systems. Here’s a step-by-step guide to help your organisation handle technical vulnerabilities:
Identifying Technical Vulnerabilities
- Maintain an Accurate Asset Inventory:
- Keep a detailed inventory of all assets, including software vendor details, software names, version numbers, deployment status (e.g., what software is installed on which systems), and responsible personnel.
- Assign Roles and Responsibilities:
- Clearly define roles and responsibilities related to technical vulnerability management, including monitoring vulnerabilities, assessing risks, updating software, tracking assets, and coordinating responses.
- Monitor Vulnerability Sources:
- Identify and regularly update information sources for tracking relevant technical vulnerabilities. Adjust these sources as your inventory changes or as new, useful resources become available.
- Ensure Supplier Accountability:
- Require suppliers to include vulnerability reporting, handling, and disclosure in their contracts.
- Use Vulnerability Scanning Tools:
- Deploy tools that are appropriate for the technologies you use to identify vulnerabilities and verify successful patching.
- Conduct Penetration Tests:
- Perform planned, documented, and repeatable penetration tests or vulnerability assessments by authorised personnel to identify vulnerabilities. Be cautious, as these tests can compromise system security.
- Track Third-Party Libraries:
- Monitor third-party libraries and source code for vulnerabilities, including this in your secure coding practices.
Develop Procedures for Vulnerability Management
- Detect Vulnerabilities:
- Establish procedures to detect vulnerabilities in your products and services, including external components.
- Receive Vulnerability Reports:
- Set up a public point of contact for vulnerability reporting, so that researchers and others can report issues.
- Implement Reporting Procedures:
- Create online reporting forms and participate in relevant threat intelligence or information-sharing forums. Consider offering bug bounty programs to encourage vulnerability reporting.
- Share Information:
- Share vulnerability information with relevant industry bodies and interested parties.
Evaluating Technical Vulnerabilities
- Analyse Reports:
- Thoroughly analyse and verify vulnerability reports to determine the necessary response and remediation actions.
- Assess Risks:
- Once a vulnerability is identified, assess the associated risks and decide on the appropriate actions, such as system updates or additional controls.
Addressing Technical Vulnerabilities
- Implement a Software Update Process:
- Ensure all authorised software is up-to-date with the latest approved patches. Retain the original software version and test any changes on a copy before applying them. Document all changes thoroughly.
- Respond Quickly:
- Act promptly when a potential vulnerability is identified, setting a clear timeline for addressing it.
- Use Legitimate Sources:
- Only use updates from verified, legitimate sources.
- Test Updates:
- Test updates before installation to ensure they are effective and do not introduce unacceptable side effects.
- Prioritise High-Risk Systems:
- Focus on addressing vulnerabilities in high-risk systems first.
- Develop Remediation:
- Create and test remediation measures, such as software updates or patches, to confirm their effectiveness.
- Verify Authenticity:
- Implement mechanisms to verify the authenticity of remediation actions.
- Consider Alternative Controls:
- If updates are unavailable or cannot be installed, consider other controls, such as:
- Applying vendor-recommended workarounds.
- Disabling vulnerable services.
- Adding access controls (e.g., firewalls) at network borders.
- Using traffic filters to protect vulnerable systems.
- Increasing monitoring to detect potential attacks.
- Raising awareness of the vulnerability.
- Automatic Updates:
- Decide whether to use automatic updates for acquired software, particularly if the vendor provides this option. Consider allowing users to control the timing of updates to avoid disruption during critical operations.
Other Considerations
- Maintain an Audit Log:
- Keep detailed logs of all steps taken in managing technical vulnerabilities.
- Regular Monitoring:
- Continuously monitor and evaluate the vulnerability management process to ensure it remains effective and efficient.
- Align with Incident Management:
- Coordinate vulnerability management with incident management activities, sharing relevant data and procedures.
- Cloud Service Providers:
- Ensure your cloud service providers manage technical vulnerabilities as part of the service agreement, with clear processes for reporting their actions.
- Consider Defence in Depth:
- Be aware that vulnerability scanners might not fully account for defence-in-depth strategies. Carefully review vulnerability reports before taking action.
- User Communication:
- If your organisation supplies software or services externally, consider releasing public advisories about vulnerabilities and providing information to software vulnerability databases.
This guide should help you manage technical vulnerabilities effectively, reducing the risk of exploitation and maintaining the security of your organisation’s information systems.