ISO 27001 focuses on an organization's sensitive, valuable information: its protection, confidentiality, integrity, and availability. ISO 27001 is an international standard for information security in private, public or non-profit organizations. The standard describes requirements for the establishment, implementation, operation, and continual improvement of a documented information security management system (ISMS). The main focus of the management system is on the identification, handling, and treatment of risks.


What are the threats and risks to information security?

Vulnerability management in the context of ISO 27001 refers to technical vulnerabilities. These can be exploited by threats to the IT security of companies and organizations. Such threats include:

  • Ransomware, extortion malware that encrypts data storage and may also be used to obtain compromising information
  • Remote Access Trojans (RATs), which can give an attacker remote access to the network
  • Phishing and spam, which can lead to a loss of control via email. A particularly popular lure is the General Data Protection Regulation (GDPR): an email asks the recipient to "verify" customer data by clicking on a link. The senders often pose as banks or even PayPal.
  • DDoS attacks and botnets, which impair the availability and integrity of systems by flooding them with huge volumes of traffic
  • State-sponsored actors, cyberterrorists, activists, criminals, and insiders, who bring a wide variety of threats
  • Inadequate or missing processes

Identifying the vulnerabilities and security gaps that these threats exploit requires a protection needs assessment under ISO 27001. This in turn results in systematic vulnerability management: securing the IT infrastructure through continuous vulnerability assessment.


ISO/IEC 27001:2013 Information technology — Security techniques — Information security management systems — Requirements


Faulty processes - A threat to information security?

Without a process for analyzing system logs and log data, knowledge of technical vulnerabilities, and a more in-depth review of IT systems, a realistic risk assessment is not possible. Nor does a missing or flawed process allow risk acceptance criteria to be established or risk levels to be determined, as ISO 27001 requires.

It follows that the risk to IT security, and thus to the information security of an enterprise, cannot be determined and must be assumed to be the highest possible risk for that enterprise.

Vulnerability management in the context of ISO 27001: Optimally securing infrastructure

One appropriate measure for securing the IT infrastructure is the management of potential vulnerabilities and security gaps. This involves regular, systematic, network-based scanning and penetration testing of all systems for technical vulnerabilities. Any vulnerabilities identified are recorded in the information security management system (ISMS) in accordance with ISO 27001.

It is likewise important to define the threats to IT security and to information security as a whole. In this context, the technical vulnerabilities must be prioritized according to severity (CVSS) and ultimately remedied. An assessment of the residual risk from remaining technical vulnerabilities and, finally, risk acceptance are also part of vulnerability management according to ISO 27001.

To assess the severity of a vulnerability, the industry standard CVSS (Common Vulnerability Scoring System) can be used. An overall score from 0 to 10 is determined from the Base Score metrics, which address questions such as: How "close" does the attacker need to get to the vulnerable system (Attack Vector)? How easily does the attacker reach the target (Attack Complexity)? What access rights are required to exploit the vulnerability (Privileges Required)? Is the cooperation of another person required, e.g. a user who must first follow a link (User Interaction)? Is confidentiality compromised (Confidentiality Impact)?

A CVSS calculator can be found on the U.S. National Institute of Standards and Technology (NIST) pages.


How can a company protect itself from technical vulnerabilities?

For example, a company can protect itself preventively against malware by introducing and implementing detection, prevention, and data security measures together with appropriate user awareness. In detail, this means: to prevent the exploitation of a technical vulnerability, vulnerability management in the context of ISO 27001 requires the organization to:

  • Obtain timely information about the technical vulnerabilities of the information systems in use
  • Assess its exposure to those vulnerabilities, and
  • Take appropriate measures

This can be done by installing security patches (patch management), isolating vulnerable IT systems or, as a last resort, shutting systems down. Furthermore, rules for software installation by users must be defined and implemented.

Important questions about vulnerability management and the ISO 27001 security concept

The following questions could be asked during an audit, so it makes sense to address them in advance:

  • Have you defined roles and responsibilities for dealing with and monitoring technical vulnerabilities?
  • Have you identified sources of information that can be used to learn about technical vulnerabilities?
  • Is there a defined timeline for responding with action once a vulnerability has been reported or discovered?
  • Have you conducted a risk assessment of the vulnerabilities, with regard to company assets among other things?
  • Do you know your technical vulnerabilities?

If you would like a comprehensive and well-founded overview of the threat situation in Germany's cyberspace, you can find the "Situation Report on IT Security 2019" in English from the German Federal Office for Information Security (BSI) at


Vulnerability management in the context of ISO 27001 is a continuous process that must be carried out regularly. According to ISO 27001, the results must be "valid". This means that a one-time vulnerability scan and risk assessment performed for implementation or certification is no longer valid at a later point in time, for example during recertification.

A vulnerability scan is only valid at the exact moment it is performed. Software updates or changes to the network topology made afterwards can introduce new vulnerabilities.

Therefore, it is important for any organization to continuously track, verify and repeat vulnerability management processes and carry the relevant information into the information security management system.


ISO 27001 certification

What effort do you have to reckon with to have your ISMS certified according to ISO 27001? Get information free of charge and without obligation.

We look forward to talking to you.

DQS. Simply leveraging Quality.

We consider ourselves important partners of our customers, with whom we work at eye level to achieve sustainable added value. Our goal is to give organizations important value-adding impulses for their entrepreneurial success through the simplest processes, as well as the utmost adherence to deadlines and reliability.

Our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new benchmarks in reliability, quality, and customer orientation at all times.

André Saeckel

Product manager at DQS for information security management. As a standards expert for the area of information security and IT security catalog (critical infrastructures), André Säckel is responsible for the following standards and industry-specific standards, among others: ISO 27001, ISIS12, ISO 20000-1, KRITIS and TISAX (information security in the automotive industry). He is also a member of the ISO/IEC JTC 1/SC 27/WG 1 working group as a national delegate of the German Institute for Standardization DIN.

DQS Standard Expert Information Security