An ISO 27001-compliant vulnerability management process: what should it look like?

In order to meet the requirements of ISO 27001, you must continuously identify technical vulnerabilities in your IT infrastructure, subject them to a risk assessment and minimize the risk by implementing improvement measures. To do this, you need an appropriate vulnerability management process. We explain here what this must include.

A guest contribution from our partner: Trovent Security GmbH

ISO 27001 requires clear processes for dealing with vulnerabilities

ISO 27001 defines the requirements that an ISMS (information security management system) must fulfill. An ISMS consists of procedures and rules that serve to define, control, monitor, maintain and continuously improve information security in a company on a permanent basis.

The overarching objective of the ISMS is to ensure information security, which includes in particular the

    • confidentiality,
    • integrity and
    • availability of information.

DIN ISO/IEC 27001 has existed since 2005 and has been revised several times since then. ISO/IEC 27001:2022 currently applies.

In normative Annex A of the current ISO 27001, measure A8.8 – “Management of technical vulnerabilities” – requires that a structured and comprehensible process for dealing with technical vulnerabilities is implemented as part of the implementation of an effective ISMS.

The wording in Annex A is as follows:

“Information on technical vulnerabilities of the information systems used must be obtained, the risk to the organization from such vulnerabilities assessed and appropriate measures taken.”

The process to be implemented should be as continuous as possible in order to raise the organization’s information security level significantly and sustainably. The decisive factor is that an assessment of the company’s potential attack surface can only reflect the actual risk if it is up to date. In other words, a vulnerability analysis that is already several months old cannot give a complete picture of how vulnerable the IT infrastructure is today!

Vulnerability management: What an ISO 27001-compliant process looks like

From our practical experience, we know that regularity and clearly structured, repeatable processes are often lacking. Penetration tests or simple vulnerability scans are only carried out occasionally or even just once. As both the analyzed IT infrastructure and the world of vulnerabilities (exploits) are subject to constant change, the results of a pentest or vulnerability scan quickly lose their information value.

Regular, preferably continuous checks are therefore a “must have” in order to comply with ISO 27001!

If you want to act in accordance with the requirements of ISO 27001, your vulnerability management process should consist of at least the following basic steps:

Step 1: Preparation for vulnerability analysis

First of all, you need to find out which IT assets are available and which system-specific properties need to be taken into account when checking for vulnerabilities. Ideally, you will have the necessary data from your ISMS and/or asset management system.

However, like many companies, you may not have up-to-date and complete asset information. If so, you need to conduct an initial survey, for example a machine-aided discovery scan, to record all the IT assets in your infrastructure and gain a complete overview.

Step 2: Carry out a vulnerability analysis

Once the foundations have been laid, the correct parameters for the configuration of a vulnerability scan are defined and the scan is carried out. The result of the scan is typically a long list of technical vulnerabilities that are assigned to the respective IT assets scanned. It is precisely these often very extensive scan results, all of which have to be evaluated, that often drive companies to outsource this task to specialized service providers!

In most cases, some IT systems will be discovered during a scan that were not previously recorded in asset management. You then transfer the information collected (IP addresses, operating system versions, etc.) to the asset management system – ideally, this can be done (partially) automatically via existing interfaces of the vulnerability scanner and the asset management system.

Step 3: Evaluation of the results

Vulnerabilities are first assessed using the Common Vulnerability Scoring System (CVSS). This metric rates the severity of a vulnerability from several of its characteristics, including:

    • the attack vector – what access is needed to exploit the vulnerability?
    • the attack complexity – how complex is exploitation for the attacker?
    • authentication – are user privileges required to exploit the vulnerability?

However, the CVSS score alone is not enough to assess the significance of vulnerabilities! Even a technical vulnerability that is classified as serious may be harmless in the specific context of your company. Conversely, a seemingly harmless vulnerability can allow an attacker to compromise large parts of your IT infrastructure.

It is therefore important that you carry out a well-founded assessment! Assess what impact the successful exploitation of a vulnerability could have on the confidentiality, integrity and availability of your IT infrastructure and information assets. Evaluate these potential effects in the context of your company’s circumstances, particularly with regard to existing (especially vital) business processes.

Step 4: Prioritize the measures

Once you have assessed the vulnerabilities, possible improvement measures must be identified and their implementation prioritized according to the risk of each vulnerability. To do this, ask yourself questions such as:

    • Which vulnerabilities have the greatest potential for damage if successfully exploited by an attacker?
    • What is the probability that the respective vulnerability can be successfully exploited by an available exploit?

When prioritizing the measures, you should also take into account the effort required to successfully close a vulnerability.

The result of this process is a plan that takes into account the improvement measures to be implemented and the associated costs – both in terms of personnel and investment in IT infrastructure. Ultimately, the costs associated with the improvement must always be proportionate to the potential damage or possible risk reduction!

Step 5: Assignment of tasks

The ISO 27001 standard requires clear risk owners. You must therefore assign an already identified, assessed and prioritized vulnerability to a responsible person. This person is then responsible for implementing the defined improvement measure(s).

Ideally, you should use a change management system for efficiency, task assignment and management, documentation and traceability. In any case, the 27001 standard requires the implementation of appropriate change management processes (see measure A8.32 of Annex A – Change management). The two measures – vulnerability management and change management – therefore complement each other well in practice.

Step 6: Improve and remedy

The risk owner must ensure that the recommended improvement measures are implemented to eliminate or mitigate the vulnerabilities assigned to them. They document the implemented measures in the change management system and supplement or update the asset information in the ISMS.

Step 7: Follow up and repeat

At the end of the process chain, you must track and verify whether the improvement measures have actually been implemented. Has the software update actually been installed? Has the necessary configuration change also been demonstrably implemented?

The task is only marked as completed in the change management system once it has been verified during a new vulnerability scan that a previously identified vulnerability has been eliminated (e.g. by installing a software update or correcting the system configuration).

And what happens after the successful elimination of vulnerabilities identified in the course of a vulnerability analysis? The vulnerability management process immediately starts all over again!
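
The follow-up rule of Step 7, together with the asset reconciliation from Step 2, as an added example that is not part of the original post and not Trovent’s code: a small Python tracker that marks a ticket as verified only when its owner reported the fix and a fresh scan of that asset no longer lists the vulnerability, leaves tickets untouched when the asset was not scanned at all (no evidence either way), reopens findings that reappear after closure, and returns assets the inventory does not know so asset management can be updated. The scan result format, ticket states and VULN-n identifiers are constructed assumptions.

```python
"""Step 7 follow-up and Step 2 inventory reconciliation.

Added example, not the post's or Trovent's code.  The scan result format, ticket
states and VULN-n identifiers are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Ticket:
    asset: str
    vuln_id: str
    owner: str = ""
    # open -> assigned -> remediated -> verified_closed; a recurrence becomes reopened
    status: str = "open"


def reconcile(tickets: list[Ticket], scan: dict[str, list[str]], inventory: set[str]) -> dict:
    """Apply a fresh scan (asset -> vulnerability ids found) to the ticket list.

    A ticket is closed only when its owner reported it remediated, the asset was
    actually scanned again, and the scanner no longer reports the vulnerability.
    Unscanned assets yield no evidence, so their tickets keep their status."""
    scanned = set(scan)
    reported = {(asset, v) for asset, vulns in scan.items() for v in vulns}
    known = {(t.asset, t.vuln_id): t for t in tickets}
    verified, reopened, unverifiable = [], [], []
    for key, t in known.items():
        if key in reported:
            if t.status == "verified_closed":   # the fix was undone or incomplete
                t.status = "reopened"
                reopened.append(t)
        elif t.asset not in scanned:
            unverifiable.append(t)                # e.g. host offline during the scan
        elif t.status == "remediated":
            t.status = "verified_closed"          # the rescan confirms the fix
            verified.append(t)
        # an open or assigned finding that vanished without a reported fix keeps
        # its status and should be reviewed rather than silently closed
    new_tickets = [Ticket(a, v) for a, v in sorted(reported - set(known))]
    tickets.extend(new_tickets)
    return {
        "verified": verified,
        "reopened": reopened,
        "unverifiable": unverifiable,
        "new": new_tickets,
        "unknown_assets": sorted(scanned - inventory),  # feed back into asset management
    }


def run_sample() -> tuple[list[Ticket], dict]:
    """Constructed tracker state and scan output."""
    inventory = {"web-01", "db-01", "vpn-gw"}
    tickets = [
        Ticket("web-01", "VULN-1", "alice", "remediated"),
        Ticket("db-01", "VULN-2", "bob", "assigned"),
        Ticket("vpn-gw", "VULN-3", "carol", "remediated"),
        Ticket("web-01", "VULN-4", "alice", "verified_closed"),
    ]
    # vpn-gw was unreachable during this scan; printer-09 is not in the inventory
    scan = {"web-01": ["VULN-4"], "db-01": ["VULN-2"], "printer-09": ["VULN-5"]}
    return tickets, reconcile(tickets, scan, inventory)


if __name__ == "__main__":
    tickets, result = run_sample()
    for t in tickets:
        print(f"{t.asset:10} {t.vuln_id}  {t.status}")
    print("unknown assets:", result["unknown_assets"])
```

The “unverifiable” bucket is the caveat worth keeping: a vulnerability that disappears from a report because the host was switched off during the scan has not been fixed, and a tracker that closes on absence alone would record it as remediated.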

Does the whole process look familiar? No wonder: it is essentially the Deming cycle, also known as the PDCA cycle (Plan-Do-Check-Act).

According to ISO 27001, this cycle of continuous improvement should not be run through just once or at long intervals, but on an ongoing basis. Apart from the requirements of the 27001 standard, there are also very practical reasons why such an ongoing process is indispensable in IT and information security:

    • The number of attackable vulnerabilities and malware variants is increasing daily
    • Professional attackers quickly develop exploits to take advantage of newly discovered vulnerabilities – including with the help of AI tools
    • Your company’s IT infrastructure, and with it your potential attack surface, changes every day!

Therefore, the requirements of the normative Annex A of ISO 27001 can only be met with a cyclically repeating vulnerability management process.

Conclusion

You can only meet the requirements of ISO 27001 if you continuously record and analyze your potential attack surface, evaluate identified vulnerabilities and proactively rectify them.

In summary, this means for your company and your IT infrastructure:

    • You must proactively obtain information about technical vulnerabilities.
    • You are required to assess each vulnerability, taking into account the actual threat to your organization.
    • Based on the severity of each vulnerability and the specific risk to your IT infrastructure, appropriate, prioritized improvement measures must be taken.

____

We recommend Trovent Security GmbH for:

Attack detection, managed detection, vulnerability management, penetration testing and more – Trovent Security reliably secures its customers’ IT infrastructure. The Bochum-based company offers cyber security solutions for prevention, detection and response from a single source.
