How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1

You have certainly already heard, or lived, this scenario: it is a normal day and the systems are working fine, when suddenly they slow down for no apparent reason or simply stop. User support starts to receive dozens of calls, and the IT staff works hard for hours to put all systems back online again. Fortunately, no data was lost, only work hours.

While treating the event, the IT staff discovers that the root cause was a weakness in one of the information systems that, by either a provoked or unintentional action, led to the systems malfunction. To make things worse, they discover that the root cause had already been identified and corrected by the manufacturer, through a procedure that takes no longer than five minutes. What a day…

This scenario is more common than you can imagine, and sometimes darker: data lost or stolen, and operational losses that make business continuity impossible. In this article I will present to you a way that ISO 27001 can help organizations deal with this kind of situation, through control A.12.6.1 – Technical vulnerability management.

What are vulnerabilities, and how do they arise?

According to ISO 27000, which provides the overview and vocabulary for ISO Information Security Management Systems, a vulnerability is “a weakness of an asset or control that could potentially be exploited by one or more threats.” It also defines a threat as any “potential cause of an unwanted incident, which may result in harm to a system or organization.”

So, a vulnerability arises when a threat finds a weakness it can exploit, but where did the weakness come from? In general, a weakness is a flaw that occurs during the design, implementation, configuration, or operation of an asset or control. Weaknesses can be created by carelessness, or intentionally. Some are easy to identify, correct, or exploit, while others require some time, effort, and resources.

The ISO 27001 approach for managing vulnerabilities

Basically, ISO 27001 control A.12.6.1 locks onto three targets:

Timely identification of vulnerabilities. The sooner you discover a vulnerability, the more time you will have to correct it, or at least to warn the manufacturer about the situation, narrowing the window of opportunity a potential attacker may have.

Assessment of the organization’s exposure to a vulnerability. Not all organizations are affected the same way by a certain vulnerability, or set of vulnerabilities. You have to do a risk assessment to identify and prioritize those vulnerabilities that are more critical to your assets and business.

Proper measures considering the associated risks. Once you have identified the most critical vulnerabilities, you need to think about the actions to take and the allocation of the resources you have to deal with them – that’s your risk treatment plan. The most prudent approach is to base these decisions on the risk level associated with each vulnerability.

ISO 27001 control A.12.6.1 – Tips for vulnerability management

ISO 27002 supporting orientations for vulnerability management

As supporting actions to achieve these targets, ISO 27002, which provides best practices to consider while implementing security controls like A.12.6.1, suggests the following:

Make an asset inventory. Effective vulnerability management depends on your knowledge of relevant information about your information assets, like software manufacturer, software version, where the software is installed, and who is responsible for each piece of software.

Define responsibilities. Vulnerability management requires many different activities to be done (e.g., monitoring, risk assessment, correction, etc.), so it is convenient to clearly define who is doing what, to ensure suitable tracking of assets and actions.

Define reference sources. Manufacturer sites, specialized forums, and special interest groups should be on your list of sources of information to be consulted for news related to vulnerabilities and corrective measures. For more information about the role of special interest groups in an ISMS, please see the article Special interest groups: A useful resource to support your ISMS.

Deal with vulnerabilities through defined procedures. Regardless of the urgency to deal with a vulnerability, it is important to treat it in a structured manner. Change management or incident response procedures should be considered to treat vulnerabilities, because they can guide you on what to do considering prioritization, response time, response escalation, etc.

Make records for post-event analysis (and do the analysis). Maintaining incident records of what happened and what procedures were done is vital to learn from the incident and prevent further events, or at least to minimize their impacts, as well as to improve the vulnerability management process itself. In addition, be sure to conduct periodic evaluations, so you can implement improvements, or make corrections, as soon as possible.

As an example of a vulnerability management scenario, consider the Heartbleed vulnerability discovered in 2014, which allows the compromise of information sent through cryptographic communication. By monitoring the defined reference sources and cross-checking them against the asset inventory, an organization can detect that this vulnerability affects some assets classified as critical. Through change management procedures, proper actions can be planned to correct the flaw, by patch deployment, as well as to minimize the risk of information leakage until the patch is applied, by encrypting sent information before transmission.
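As an added illustration of the inventory-matching and risk-ranking steps described above (example code written for this article, not taken from the article, from ISO 27001/27002, or from any vendor; the asset records, advisory identifiers, version ranges and severity scale are constructed sample data):

```python
import re

# Constructed sample asset inventory with the fields ISO 27002 recommends:
# product, version, where it is installed, who is responsible, plus a criticality rating (1-3).
INVENTORY = [
    {"host": "web-01",  "product": "openssl", "version": "1.0.1e", "owner": "web-team",   "criticality": 3},
    {"host": "db-01",   "product": "openssl", "version": "1.0.1g", "owner": "dba",        "criticality": 3},
    {"host": "kiosk-7", "product": "openssl", "version": "1.0.1c", "owner": "facilities", "criticality": 1},
    {"host": "web-01",  "product": "nginx",   "version": "1.4.7",  "owner": "web-team",   "criticality": 3},
]

# Constructed advisories gathered from the organization's reference sources.
# Ids are placeholders (not real CVE numbers); affected range is first <= version < fixed; severity 1-3.
ADVISORIES = [
    {"id": "ADV-0001", "product": "openssl", "first": "1.0.1", "fixed": "1.0.1g", "severity": 3},
    {"id": "ADV-0002", "product": "nginx",   "first": "1.3.9", "fixed": "1.5.0",  "severity": 2},
]

def parse_version(v):
    """Turn '1.0.1f' into a comparable tuple: numeric parts compare as numbers,
    a letter suffix sorts after the bare release ('1.0.1' < '1.0.1a' < '1.0.2')."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", v))

def is_affected(version, advisory):
    """An installed version is affected if it lies in [first, fixed)."""
    v = parse_version(version)
    return parse_version(advisory["first"]) <= v < parse_version(advisory["fixed"])

def exposure(inventory=INVENTORY, advisories=ADVISORIES):
    """Match every advisory against the inventory and rank findings by risk = severity x criticality,
    so the treatment plan starts with the most critical assets (as the article's risk assessment step requires)."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] == asset["product"] and is_affected(asset["version"], adv):
                findings.append({
                    "host": asset["host"], "owner": asset["owner"], "advisory": adv["id"],
                    "fix": f"upgrade {asset['product']} {asset['version']} to {adv['fixed']}",
                    "risk": adv["severity"] * asset["criticality"],
                })
    return sorted(findings, key=lambda f: (-f["risk"], f["host"]))

if __name__ == "__main__":
    # Print a risk-ordered treatment plan; db-01 is skipped because it already runs the fixed version.
    for f in exposure():
        print(f"risk={f['risk']} {f['host']:8} {f['advisory']} owner={f['owner']:10} action: {f['fix']}")
```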

Do not be defeated by cracks in your armor

Due to market demand for ever-faster software delivery and more features, you can expect the number of vulnerabilities to become even greater, so in order to preserve the security of your information assets, as well as your business image and competitiveness, it is vitally important to plan how to identify and deal with vulnerabilities. You will find that by adjusting the recommendations proposed by ISO 27001 and ISO 27002 to your reality, you may save a lot of worries and work, as well as minimize losses and impacts on business reputation.

To learn how to become compliant with every clause and control from Annex A and get all the required policies and procedures for controls and clauses, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.

Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.