What is the purpose of ISO 27002 under ISO 27001?
Jessica Doering

November 8, 2022




What is Vulnerability Management (ISO 27002) under ISO 27001?

Vulnerability! Yes, who or what is not these days. Physically, mentally, financially, or worse for some people: the phone drops into a mountain ravine. Thank god (or whoever) the pictures and other data are stored in the cloud. Oh, but they're also at risk there... and here we are, crying anyway.

It's one thing if your landscape or dog pictures could be hacked, or maybe even briefly your PayPal account or the mean chat messages with your best buddies about the lame buddies. But can you compare that to the vulnerability of corporate data? Personally, maybe; but the vulnerability of the data a business runs on is ultimately in a different league, so let's see what vulnerability management can do here.

Definition of Vulnerability Management (ISO 27002)

As the word implies, vulnerability management is about the vulnerabilities in an organization's systems. Logically, the purpose of this process is to identify them and fix them if necessary.

It is an essential part of information security and is not "only" considered in ISO 27001. It even has its own name: ISO 27002. Aw, poor middle child ;). 

Actually, this is a good moment to clarify the terms ISO 27001, ISO 27002 and ISO 27005 (Information Security Risk Management) and how they relate to each other. There is no "difference" between these three terms. ISO 27001 is the main character in this movie! ISO 27005 and ISO 27002 are only supporting actors, but they bring the movie to the screen. So, each of the standards in the ISO 27000 series has a specific focus.

So back to the Vulnerability Management, now also known as ISO 27002. This is a detailed supplemental guide to the security controls in ISO 27001. ISO 27002 thus provides a guide to best practices in selecting and implementing the controls listed in ISO 27001.

The official ISO 27002 wording: This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations: a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; b) for implementing information security controls based on internationally recognized best practices; c) for developing organization-specific information security management guidelines.

Vulnerability management is therefore a process consisting of five key steps, or, better put: the vulnerability management cycle consists of five main phases, because it is continuous. This makes sense. After all, once is never enough in this case, at least when it comes to monitoring data and systems!

How does Vulnerability Management work: the 5 phases

1. Identification of assets that may have vulnerabilities

In the world of business, an asset is any type of data, equipment or other component of a company's systems that has value. Precisely because these assets sometimes contain very sensitive information or are used to perform important business operations, they are of particular importance. 

2. Risk assessment

This is the process of identifying vulnerabilities in these assets. As a rule, one starts with a vulnerability scan. If required, a more detailed assessment through a penetration test follows.

3. Document your findings

The report should prioritize the most important risks and identify mitigation strategies. Examples of such strategies include software updates, reconfiguring equipment, or implementing new risk mitigation policies.

These descriptions of risk mitigation strategies should be as detailed and comprehensive as possible. In the best case scenario, they should even include step-by-step instructions.

4. Implement remediation strategies

When the document is complete, you can implement the remediation strategies it describes.

5. Verify the success of your strategies

This allows you to determine whether the identified weaknesses have been adequately addressed. Along the way, it provides transparency and accountability throughout the organization.

As mentioned above: The vulnerability management process is circular. New vulnerabilities emerge all the time, so you need to constantly monitor risks and repeat the five steps described above.

The ISO 27001 approach to vulnerability management

The vulnerability management approach described above has many similarities with the general ISO 27001 risk management framework.

The standard focuses on a risk assessment that aims to protect the confidentiality, integrity and availability of sensitive information. Nothing new! Vulnerabilities are one of the elements of risk. Don't weak points always represent a risk? If my engine makes funny noises, it's not completely out of the question that it will soon start smoking, too.  So it's clear that vulnerability management is part of the standard's overall approach to risk management.

"Risk" is defined in the ISO 27001 standard as a combination of an asset, a threat, and a vulnerability. Thus, an information security risk exists when something can be compromised (an asset), an actor can leverage it (a threat), and there is a way to do so (a vulnerability).

ISO 27002 is used to implement the controls of ISO 27001

Overall, then, ISO 27002 provides practical guidance for implementing an ISMS and thus for meeting the requirements of ISO 27001.

Let's dive deeper into what needs to be done: 

Creation of an inventory of assets

Again, to clarify, an inventory is a list of the information assets that an organization owns. Creating such a list is critical to managing the inventory and thus reducing information security risks. 

Assets usually mean everything that is valuable to a company: all storage media and confidential information, as well as property and equipment.

For vulnerability management purposes, you only need the list of assets that may be affected by technical vulnerabilities. The office dog doesn’t count here.

Define roles and responsibilities

Vulnerability management is a complex process, so companies are well advised to delegate these tasks to suitable people.

The tasks to be completed must in turn be defined together with the selected employees. In concrete terms, this means that the responsibilities associated with each task must be documented and employees must be clearly assigned to perform their tasks! 

Define a schedule for the reaction

An effective vulnerability management system detects and remediates vulnerabilities immediately. But the urgency can sometimes be misjudged. Therefore, organizations need to establish a timeframe for responding to a vulnerability discovery. This should be a reasonable time period based on the organization's capabilities. In short, not in three months because it happens to be the summer break. Accountability should not be stretched too far when it comes to sensitive information.

Keep an audit log

Basically, documentation is an essential aspect of ISO 27001, and vulnerability management follows suit. So you need to keep an audit log of the measures you have implemented as part of your vulnerability management. This is not an obligation that comes unexpectedly. It's ISO 27001 in the house!

Align vulnerability management and incident response

Organizations should make sure their vulnerability management process is aligned with incident response activities. For numerous organizations, incident response is mandated by the GDPR (General Data Protection Regulation), which includes strict data breach notification requirements, with significant incidents to be reported within 72 hours.

As part of this notification process, organizations must describe the steps they have taken or will take, as appropriate, to address the incident.

Ensuring continuous improvement

Vulnerability management is, like everything within an information security management system, a continuous process that demands organizations to continually monitor vulnerabilities and check that existing procedures are working as intended.

Therefore, again no surprise, you need to check your procedures regularly and identify anything that can be enhanced. 
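As an added illustration (not code from the original post or from Secfix), here is a small Python ledger that ties the five phases to the ISO 27001 items above: an asset inventory that gates what can be recorded, a response schedule per severity (the day counts are assumed, since the post gives no figures), an audit log of every measure, and a rescan-based verification that reopens anything still present. All asset names and finding ids are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed response windows in days per severity: the page asks for a
# schedule but gives no figures, so these values are illustrative.
RESPONSE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    asset: str             # name taken from the asset inventory
    weakness: str          # scanner finding id (constructed placeholder)
    severity: str
    found: date
    fixed: date | None = None
    verified: bool = False

    def due(self) -> date:  # deadline derived from the response schedule
        return self.found + timedelta(days=RESPONSE_DAYS[self.severity])

@dataclass
class VulnLedger:
    inventory: set[str]                      # phase 1: assets in scope
    findings: list[Finding] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def record(self, f: Finding) -> None:    # phases 2-3: assess and document
        if f.asset not in self.inventory:
            raise ValueError(f"{f.asset} is not in the asset inventory")
        self.findings.append(f)
        self.audit_log.append(f"{f.found} found {f.weakness} on {f.asset} ({f.severity})")

    def remediate(self, asset: str, weakness: str, when: date, measure: str) -> None:
        for f in self.findings:              # phase 4: apply the documented measure
            if (f.asset, f.weakness) == (asset, weakness):
                f.fixed = when
                self.audit_log.append(f"{when} {measure} on {asset} for {weakness}")

    def verify(self, still_detected: set[tuple[str, str]], when: date) -> None:
        for f in self.findings:              # phase 5: rescan confirms (or reopens)
            if f.fixed and not f.verified:
                f.verified = (f.asset, f.weakness) not in still_detected
                if not f.verified:
                    f.fixed = None           # back into the cycle
                status = "verified" if f.verified else "still present, reopened"
                self.audit_log.append(f"{when} {f.weakness} on {f.asset}: {status}")

    def overdue(self, today: date) -> list[Finding]:
        # open items past their deadline: the schedule is being stretched
        return [f for f in self.findings if not f.verified and today > f.due()]
```

Feeding `overdue()` into a regular review is the "continuous improvement" check: anything that keeps landing there points at a schedule or a responsibility that needs adjusting.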

Important in the end: ISO 27002 is not a mandatory requirement for ISO 27001 certification, nor can a company be certified only to ISO 27002. That's like saying the oldest child gets to drive the car, but the younger child can at least help find the right way to a spot with a breathtaking view. Because yes, there are still areas in the world where the internet doesn't work, so you need a good companion. 

So, all these procedures, processes, audits, all this is part of a high-quality ISO 27001 certification, with which you make clear, recognized worldwide, how well you handle your and other organizations' information and data! It's worth it!

Vulnerability management is one of the most important components of effective information security. Regular vulnerability assessments, risk assessments, vulnerability scans, and penetration tests ensure that you identify and address technical vulnerabilities in a timely manner.

We support you on the way to your ISO 27001 certification! Contact us!


Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet and is especially open-minded for any future-oriented inspiring humans and things that cross her path.
