The basics
ISO 27001 control A.8.8 Management of technical vulnerabilities (Annex A of the 2022 revision of the standard) requires companies to obtain information about technical vulnerabilities in the information systems they use, to evaluate their exposure to those vulnerabilities, and to define and take appropriate measures against them. This is important because the time between a vulnerability becoming known and its elimination is exactly the time an attacker can use it: the sooner a vulnerability is eliminated, the lower the risk of an incident.
Documentation
ISO 27001 control A.8.8 Management of technical vulnerabilities can be documented:
- for smaller and mid-sized companies, in a Security Procedures for IT Department document
- for larger companies, in a dedicated Technical Vulnerabilities Management Procedure.
These documents are not mandatory, but are recommended.
Implementation
In order to comply with control A.8.8 Management of technical vulnerabilities you might implement the following:
- Technology — the technology to manage technical vulnerabilities typically includes vulnerability assessment software (scanners) that checks applications, operating systems and network devices against databases of known vulnerabilities. Smaller companies may run such scans periodically, while bigger companies may need continuous scanning or a managed service, because new vulnerabilities are published every day.
- Organization/processes — you should set up a process for obtaining information about vulnerabilities in your systems: keep an inventory of the software and devices in use (you cannot evaluate your exposure to a vulnerability if you do not know which systems run the affected product), subscribe to manufacturers' security advisories and notifications from security groups, evaluate each reported vulnerability against that inventory, and define what to do about it, including who is responsible and how quickly fixes must be applied for each level of severity. You can document those processes through Security Procedures for IT Department or a Technical Vulnerabilities Management Procedure.
- People — make employees aware that the sooner a vulnerability is identified and eliminated, the lower the risk of an incident, and train the IT staff on how to use vulnerability assessment software, how to gather and interpret information about vulnerabilities, and how to apply the defined remediation process.
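The three steps the control asks for (obtain information, evaluate exposure, take action) can be shown as one small triage loop. The following is an added example written for this page, not code from any ISO document or vendor tool: it matches a constructed asset inventory against constructed advisories, raises the exposure rating when an asset is internet-facing or the flaw is known to be exploited, and assigns a remediation deadline from assumed SLA values. All product names, advisory identifiers, versions and deadlines are placeholders, not real vulnerabilities.

```python
"""Added example: a minimal technical-vulnerability triage loop.

Matches an asset inventory against vulnerability advisories (the "obtain
information" step), rates the organisation's exposure for each match, and
assigns an action with a remediation deadline.  All products, advisory IDs,
versions and SLA values below are constructed placeholders, not real
vulnerabilities or any vendor's data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Remediation deadline in days per exposure rating.  These are assumed policy
# values for the example; a real procedure sets its own.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    affected_below: str      # every version strictly below this is affected
    fixed_in: str
    severity: str            # base severity as published with the advisory
    exploited_in_wild: bool = False


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    internet_facing: bool


def parse_version(v: str) -> tuple:
    """Parse a dotted numeric version ("1.25.4") into a comparable tuple.
    Assumes purely numeric components; other schemes need their own parser."""
    return tuple(int(part) for part in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Obtain step: does this advisory apply to the installed version?"""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def rate_exposure(asset: Asset, adv: Advisory) -> str:
    """Evaluate step: raise the base severity one step if the asset is reachable
    from the internet or the flaw is already being exploited (assumed rule)."""
    level = SEVERITY_ORDER.index(adv.severity)
    if asset.internet_facing or adv.exploited_in_wild:
        level = min(level + 1, len(SEVERITY_ORDER) - 1)
    return SEVERITY_ORDER[level]


def triage(assets, advisories, today: date) -> list:
    """Act step: return findings sorted worst-first, each with an action and due date."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            exposure = rate_exposure(asset, adv)
            findings.append({
                "host": asset.hostname,
                "product": asset.product,
                "installed": asset.version,
                "advisory": adv.advisory_id,
                "exposure": exposure,
                "action": f"upgrade to {adv.fixed_in}",
                "due": (today + timedelta(days=SLA_DAYS[exposure])).isoformat(),
            })
    findings.sort(key=lambda f: (-SEVERITY_ORDER.index(f["exposure"]), f["host"]))
    return findings


# Constructed sample data: fictional products and advisory IDs.
ADVISORIES = [
    Advisory("ADV-0001", "acme-agent", "2.4", "2.4", "high", exploited_in_wild=True),
    Advisory("ADV-0002", "acme-web", "1.25.4", "1.25.4", "medium"),
    Advisory("ADV-0003", "acme-db", "16.3", "16.3", "low"),
]
ASSETS = [
    Asset("web-01", "acme-web", "1.24.0", internet_facing=True),
    Asset("web-01", "acme-agent", "2.3", internet_facing=True),
    Asset("db-01", "acme-db", "16.1", internet_facing=False),
    Asset("db-01", "acme-agent", "2.5", internet_facing=False),  # already on a fixed version
]


def run_example() -> list:
    """Triage the constructed inventory as of a fixed date (for reproducibility)."""
    return triage(ASSETS, ADVISORIES, date(2024, 1, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['exposure']:8} {f['host']:7} {f['product']} {f['installed']} "
              f"-> {f['action']} by {f['due']} ({f['advisory']})")
```

The output of such a loop (host, advisory, exposure rating, action, due date) is also the kind of record an auditor can follow from a published advisory to a closed remediation ticket; the inventory is the prerequisite, since without it the is_affected check has nothing to run against.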
Audit evidence
During the certification audit, the auditor might look for the following evidence regarding control A.8.8 Management of technical vulnerabilities: that information about technical vulnerabilities related to relevant information systems is obtained (for example, advisory subscriptions and vulnerability scan reports), that the company's exposure to those vulnerabilities is evaluated, and that appropriate actions are taken within the timeframes the company has defined (for example, patching or remediation records).