
ISO 27001 Annex : A.12.6 Technical Vulnerability Management


Objective: To prevent exploitation of technical vulnerabilities.

A.12.6.1  Management of Technical Vulnerabilities

Control - Information about technical vulnerabilities of the information systems in use should be obtained in a timely fashion, the organization's exposure to such vulnerabilities should be evaluated, and appropriate measures should be taken to address the associated risk.

Implementation Guidance - A current and complete inventory of assets (see Clause 8) is a prerequisite for effective technical vulnerability management. The specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on which systems) and the person(s) within the organization responsible for the software.


Appropriate and timely action should be taken in response to the identification of potential technical vulnerabilities. To establish an effective management process for technical vulnerabilities, the following guidelines should be followed:

  1. The organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required.
  2. Information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness of them should be identified for the software and other technology in the asset inventory (refer to 8.1.1); these resources should be updated as the inventory changes or when other new or useful resources are found;
  3. A timeline for reacting to notifications of potentially relevant technical vulnerabilities should be defined;
  4. Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action may include patching vulnerable systems or applying other controls;
  5. Depending on how urgently a technical vulnerability needs to be addressed, the action should be carried out according to the controls related to change management or by following information security incident response procedures;
  6. If a patch is available from a legitimate source, the risks of installing it should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
  7. Patches should be tested and evaluated before they are installed, to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
  • turning off services or capabilities related to the vulnerability;
  • adapting or adding access controls, e.g. firewalls, at network borders;
  • increased monitoring to detect actual attacks;
  • raising awareness of the vulnerability;
  8. An audit log should be kept for all procedures undertaken;
  9. The technical vulnerability management process should be monitored and evaluated regularly to ensure its effectiveness and efficiency;
  10. Systems at high risk should be addressed first;
  11. An effective technical vulnerability management process should be aligned with incident management activities, so that vulnerability data is communicated to the incident response function and technical procedures are available to be carried out should an incident occur;
  12. A procedure should be defined to address the situation where a vulnerability has been identified but no suitable countermeasure exists. In this situation the organization should evaluate the risks relating to the known vulnerability and define appropriate detective and corrective actions.
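The guidelines above describe a process: join the asset inventory against incoming vulnerability information, assess the organization's own exposure rather than just the vendor's severity, apply a defined response timeline, handle the "no patch available" case, work high-risk systems first and keep an audit trail. The following Python script is an added worked example of that triage loop; it is not code from Infosavvy or from the ISO standard, and every asset, advisory, version number, score and hostname in it is constructed for illustration (the "ExampleCo" products do not exist). The risk-banding rules and the response-day table are assumptions an organization would replace with its own policy values.

```python
"""Technical vulnerability triage in the shape of ISO 27001 A.12.6.1 (added example).

Constructed data only: the vendor, products, versions, scores and hosts below
are invented for illustration and are not real advisories or systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: tuple          # numeric version tuple, e.g. (2, 4, 1)
    owner: str              # responsible person/team (guideline 1 and A.8)
    criticality: str        # business criticality: "high" | "medium" | "low"
    internet_facing: bool   # exposure to untrusted networks


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed identifier, not a real CVE
    vendor: str
    product: str
    fixed_in: tuple         # versions strictly below this are affected
    severity: float         # vendor/CVSS-style base score, 0.0 to 10.0 (constructed)
    patch_available: bool


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); tuple comparison gives ordering."""
    return tuple(int(part) for part in text.split("."))


# Guideline 3: defined timeline (days) per assessed risk band. Assumed values.
RESPONSE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}
BANDS = ["low", "medium", "high", "critical"]


def is_affected(asset, adv):
    """Inventory join (guideline 2): same vendor/product and version below the fix."""
    return (asset.vendor == adv.vendor and asset.product == adv.product
            and asset.version < adv.fixed_in)


def assess_risk(asset, adv):
    """Guideline 4: the organization's exposure, not just the vendor's score.

    Start from the severity band, then escalate one band for internet-facing
    or high-criticality hosts, and de-escalate one band for low-criticality
    internal hosts. These adjustment rules are assumed policy, not ISO text.
    """
    if adv.severity >= 9.0:
        idx = 3
    elif adv.severity >= 7.0:
        idx = 2
    elif adv.severity >= 4.0:
        idx = 1
    else:
        idx = 0
    if asset.internet_facing or asset.criticality == "high":
        idx = min(idx + 1, 3)
    elif asset.criticality == "low":
        idx = max(idx - 1, 0)
    return BANDS[idx]


def triage(inventory, advisories, today):
    """Return findings ordered high-risk first (guideline 10), each with a due date."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if not is_affected(asset, adv):
                continue
            risk = assess_risk(asset, adv)
            # Guidelines 6/7 vs 12: patch path or the no-countermeasure path.
            if adv.patch_available:
                action = "patch: test and evaluate, then deploy via change management"
            else:
                action = "no patch: apply compensating controls and increase monitoring"
            findings.append({
                "host": asset.host, "owner": asset.owner,
                "advisory": adv.advisory_id, "risk": risk,
                "due": today + timedelta(days=RESPONSE_DAYS[risk]),
                "action": action,
            })
    findings.sort(key=lambda f: (BANDS.index(f["risk"]) * -1, f["due"]))
    return findings


def audit_log(findings, today):
    """Guideline 8: one record per decision taken, suitable for an append-only log."""
    return [f"{today.isoformat()} {f['advisory']} host={f['host']} owner={f['owner']} "
            f"risk={f['risk']} due={f['due'].isoformat()} action={f['action']}"
            for f in findings]


# Constructed sample inventory and advisories (not real products or CVEs).
INVENTORY = [
    Asset("web-01", "ExampleCo", "WebServer", parse_version("2.4.1"), "web-team", "high", True),
    Asset("app-07", "ExampleCo", "WebServer", parse_version("2.4.1"), "app-team", "low", False),
    Asset("db-02", "ExampleCo", "DataStore", parse_version("5.1.0"), "dba-team", "high", False),
    Asset("dev-03", "ExampleCo", "WebServer", parse_version("2.5.0"), "dev-team", "low", False),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleCo", "WebServer", parse_version("2.4.2"), 7.5, True),
    Advisory("ADV-0002", "ExampleCo", "DataStore", parse_version("5.2.0"), 5.0, False),
]

if __name__ == "__main__":
    for line in audit_log(triage(INVENTORY, ADVISORIES, date.today()), date.today()):
        print(line)
```

Run stand-alone, the script lists three findings: the internet-facing web-01 is escalated to critical with a two-day deadline, db-02 (no patch available) goes to the compensating-controls path as high, and the internal low-criticality app-07 is de-escalated to medium; dev-03 is already at a fixed version and produces nothing. The point the list above makes in words is visible in the data: two hosts running the same vulnerable build get different deadlines because the organization's exposure, not the vendor's score, drives the timeline.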
-------------------------------------------------------------------------------------------------------------------------------------

This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com