In this instalment of our ISO 27001:2022 blog series, we delve into two critical controls from Annex A: A.8.08 Management of Technical Vulnerabilities and A.8.09 Configuration Management. These controls are vital for maintaining a secure and resilient information security environment, helping organisations proactively address vulnerabilities and establish robust configuration practices. In this post, we’ll explore key considerations, practical steps, and best practices to ensure effective implementation of these controls, enabling your organisation to meet ISO 27001 requirements while safeguarding its assets against evolving threats.
A.8.8 Management of technical vulnerabilities
The aim of this control is pretty much what it says in the title… to prevent the exploitation of technical vulnerabilities.
To manage technical vulnerabilities, use the asset register established under A.5.9 (covered in this blog post), as it should hold the relevant information for each system: its current version, who is responsible for it, and the vendor details.
Roles and responsibilities for handling the different aspects of vulnerability management should be established, including monitoring, vulnerability risk assessment, updating and asset tracking.
The management of technical vulnerabilities requires a procedure to handle:
- Identification of technical vulnerabilities
- Evaluation of technical vulnerabilities
- Addressing technical vulnerabilities
Vulnerability Identification
Vulnerabilities can be identified and discovered in a number of ways depending on the nature of the vulnerability and the system.
Vulnerability scanning or assessment tools can be used to identify any vulnerabilities and verify whether patching has been successful. Additionally, penetration tests can be planned and performed by authorised persons to support identification of vulnerabilities.
Ensure that any third-party software and libraries are tracked, and that their supporting resources are monitored, so that you keep abreast of vulnerabilities and issues and receive vulnerability reports found by other parties or users of the software.
Evaluation of vulnerabilities
Vulnerabilities should be evaluated by analysing and verifying any reports received, and then determining the next course of action to respond to and remediate the issue.
Once a potential vulnerability has been identified, any associated risks and actions to be taken should be identified. Often the actions required will involve updating a vulnerable system or library or applying other controls.
Addressing Vulnerabilities
Addressing vulnerabilities often involves applying the most up-to-date patches and application updates for the software or system.
Suppliers will often automatically release patches and updates to their systems, especially cloud providers or other SaaS products you may use. Ensure that these are covered within any SLA you have with them.
When determining how to address a vulnerability, consider the risks associated with the vulnerability and the effort required for remediation. Based on the urgency and the risk involved, the actions should be implemented by following the Change Management procedure outlined in A.8.32 or the information security incident response procedures in A.5.26.
As with any other change, any remediation should be tested to confirm that the remediation or mitigation is effective and that there is no regression of functionality. If the update to a third-party library or system includes breaking changes, the effort to update any other affected functionality will also need to be estimated and planned.
For those vulnerabilities where no immediate remediation is available, or where you have to wait for a software update to be implemented and released, other controls can be considered, such as workarounds suggested by the supplier or another relevant source. These can also include controls such as shielding vulnerable systems, devices or applications behind suitable traffic filters.
It should probably go without saying that an audit log should be kept for all steps in the technical vulnerability management process, and that this process should be aligned with the incident management and change management processes.
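The identification, evaluation and addressing steps above, worked through as an added example (not code from the original post): vulnerability reports are matched against an A.5.9-style asset register, each affected asset gets a priority that decides whether it goes via incident response or change management, and the result names the owner and any interim control. Every asset, advisory and field name is a constructed sample.

```python
# Added example, not from the original post: triage of vulnerability reports
# against the A.5.9 asset register. All assets, advisories and field names are constructed.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    component: str         # third-party software or library in use
    version: str           # current version, as recorded in the register
    owner: str             # person responsible for the asset
    internet_facing: bool  # considered when judging urgency

@dataclass
class Advisory:
    component: str
    fixed_in: str          # first version that contains the fix
    severity: str          # critical / high / medium / low
    workaround: str = ""   # supplier-suggested interim control, if any

def version_key(v):
    """'2.9.0' -> (2, 9, 0): compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))
def is_affected(asset, adv):
    return (asset.component == adv.component
            and version_key(asset.version) < version_key(adv.fixed_in))

def priority(asset, adv):
    """P1 is routed via incident response (A.5.26); P2 and P3 go through
    change management (A.8.32), as the control describes."""
    if adv.severity in ("critical", "high"):
        return "P1" if asset.internet_facing else "P2"
    return "P3"

def evaluate(assets, advisories):
    """Remediation list, highest priority first; each entry doubles as the audit-log record."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                findings.append({
                    "asset": asset.name, "owner": asset.owner,
                    "component": adv.component, "current": asset.version,
                    "fixed_in": adv.fixed_in, "priority": priority(asset, adv),
                    "interim_control": adv.workaround or "none available"})
    return sorted(findings, key=lambda f: f["priority"])

ASSETS = [Asset("payments-api", "libfoo", "2.9.0", "alice", True),
          Asset("hr-portal", "libfoo", "2.16.0", "bob", False),
          Asset("build-server", "barlib", "1.2.3", "carol", False)]
ADVISORIES = [Advisory("libfoo", "2.15.0", "high", "disable the remote loader"),
              Advisory("barlib", "1.2.4", "medium")]
```

Note that `version_key` matters: compared as plain strings, "2.9.0" would sort after "2.15.0" and the affected payments-api would be missed.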
A.8.9 Configuration management
This control aims to ensure that your systems function correctly with the required security settings, and that their configuration is not altered by unauthorised or incorrect changes. This applies to your hardware, software, services and network functions.
The process for configuring your systems should be defined and implemented, using established processes and tools to enforce the configurations defined. The process should define the roles and responsibilities required to control all changes to configurations.
Your configurations should be based on standard templates which you develop for each of the systems. When creating the templates, the following should be considered:
- Minimising identities with administrator level access rights
- Disabling or restricting unnecessary functions or services
- Changing vendor default authentication information immediately after installation
- Ensuring licensing requirements are met
Logs of any changes to configurations should be maintained and stored securely. Configurations should also be covered by your system management tools, including maintenance utilities, enterprise management tools, and backup and restoration.
Other Posts
- Other posts in the series can be found at: A Strategic Approach to ISO 27001 Implementation
- Read the previous post in the series: Optimising Capacity and Defending Against Malware: A.8.06 & A.8.07 Explained
- Read the next post in the series: If you don’t have it, malicious actors can’t get it. Deleting, masking and preventing data leakage with controls A.8.10 and A.8.11
Brad Fabiny
DQS Product Manager - Cyber Security and auditor for the ISO 9001, ISO 27001 standards and information security management systems (ISMS) with extensive experience in software development.
