What is Vulnerability Management under ISO 27001?

Vulnerability management is the practice of identifying and addressing the weaknesses in an organisation’s systems.

The process is an essential part of information security and is discussed in ISO 27001, the international standard that describes best practice for implementing an ISMS (information security management system).

In this blog, we explain what vulnerability management is, how it fits into ISO 27001 and the steps you can take to address organisational weaknesses.

5 steps to effective vulnerability management

Vulnerability management consists of five key stages:

1. Identify assets where vulnerabilities may be present.

An asset is any data, device or other component of an organisation’s systems that has value. This is typically because it contains sensitive information or it is used to conduct essential business operations.

2. Risk assessment

This is the process of identifying vulnerabilities in those assets. You will typically begin with a vulnerability scan, although you might also require a more in-depth assessment via a penetration test.

3. Document your findings

Your report should prioritise the most significant risks and recommend remediation strategies.

Examples of those strategies include software updates, reconfiguring devices or implementing new policies to reduce risks.

You should be as comprehensive as possible when describing remediation strategies. Ideally, you will provide step-by-step instructions.

4. Implement remediation strategies

With the document complete, you can move implement the remediation strategies that you identified in the previous section.

5. Verify the success of your strategies

Doing so enables you to confirm whether vulnerabilities have been addressed adequately. It also ensures transparency and accountability across the organisation.

It’s worth adding that the vulnerability management process is cyclical; new vulnerabilities are always emerging, so you will need to continually monitor risks and repeat the five steps outlined above.

ISO 27001’s approach to vulnerability management

The vulnerability management approach listed above has much in common with ISO 27001’s overall risk management framework.

Anyone familiar with the Standard will know that it is centred around a risk assessment designed to protect the confidentiality, integrity and availability of sensitive information.

Vulnerabilities are one of the components of risk, so it’s natural that vulnerability management sits within the Standard’s overall approach to risk management.

Indeed, ISO 27001 describes ‘risk’ as the combination of an asset, threat and vulnerability. Specifically, an information security risk exists when you have something that’s in jeopardy (an asset), an actor that can exploit it (a threat) and a way that can happen (a vulnerability).

The Standard’s risk assessment process overlaps with vulnerability management in security control A.12.6.1 within Annex A.

The section describes the management of technical vulnerabilities, and requires organisations to promptly identify relevant information.

A crucial part of this process is to balance resilient security practices without disrupting business operations.

Any patch that’s applied can potentially cause operational problems, so it must be tested to ensure that it works effectively. Likewise, you must check that technical changes do not compromise the confidentiality, integrity and availability of sensitive information.

ISO 27002 contains the practical guidelines for implementing ISO 27001’s requirements, and includes the following best practices for security control A.12.6.1:

  • Develop an asset inventory

An asset inventory is a list of information assets that an organisation owns. Creating such a list is essential for managing assets and, by extension, mitigating information security risks.

Assets are typically defined as anything valuable to an organisation, including storage devices and sensitive information, as well as property and equipment. For the purposes of vulnerability management, you only need a list of assets that can be affected by technical flaws.

  • Define roles and responsibilities

Vulnerability management is a complex process, so organisations will typically delegate tasks to appropriate people.

You must identify the tasks you’ll be carrying out, document the responsibilities associated with each task and assign people to perform the necessary work.

  • Define a timeline for reaction

An effective vulnerability management system will identify and address weaknesses promptly.

As such, organisations must define a timeline to react when vulnerabilities are detected. This should be a reasonable deadline based on the organisation’s resources.

  • Maintain an audit log

Documentation is an essential aspect of ISO 27001, and vulnerability management is no different. You must maintain an audit log for the actions you’ve taken as part of your vulnerability management framework.

  • Align vulnerability management with incident response

Organisations should ensure that their vulnerability management process aligns with this incident response activities.

For many organisations, their incident response process will be dictated by the GDPR (General Data Protection Regulation), which contains strict data breach notification requirements, with certain incidents having to be reported within 72 hours.

As part of the notification process, organisations must explain the steps they have taken – or will take – to manage the incident.

By ensuring that vulnerability management processes align with those activities, you support your GDPR compliance practices.

  • Ensure continual improvement

Vulnerability management is an ongoing process that requires organisations to continually monitor weaknesses and check that existing processes work as intended.

You must therefore regularly review your practices and identify anything that can be improved.

Get started with vulnerability management

Vulnerability management is one of the core components of effective information security. Regular vulnerability assessments, risk assessments, vulnerability scans and penetration tests ensure that you identify and address technical weaknesses promptly.

IT Governance’s Vulnerability Scanning Service helps you get started with this. Our fast, fully automated scanning service takes the hard work out of threat detection.

Available as a monthly subscription, this service will test your systems and detect vulnerabilities, including misconfigured firewalls and unpatched software.

You’ll also receive a detailed vulnerability assessment that gives you a breakdown of the weak spots you must address.