As the saying goes, there’s no such thing as 100% secure. And that’s what this ISO27001 control recognises. With the increasingly complex digital world around us, we are sharing more and more data every day. The complexity in this network is inherently flawed, like a building with a thousand different builders and internal components. There are going to be vulnerabilities.
Our job is to ensure we understand these vulnerabilities and manage them.
What does the standard require?
The standard states that “Information about technical vulnerabilities of information systems in use shall be obtained, the organisation’s exposure to such vulnerability shall be evaluated and appropriate measures shall be taken.” (A8.8 – Management of technical vulnerabilities)
It is important to note that this ISO27001 control is telling you that information about vulnerabilities shall be obtained, evaluated, and treated. It doesn’t dictate the method of collecting this information, which is an important point to consider when looking at what the auditor is looking for and what you need to do.
Why is this required?
A wise person once told me that “Technical vulnerabilities are like windows of opportunity for cybercriminals to climb through.”
If we don’t understand where these vulnerabilities are, we risk suffering a cyber-attack, because cybercriminals are always on the lookout for flaws in our systems. ‘Zero day’ vulnerabilities, for example, can expose us to attack from bad actors before a fix is even available. Without identifying where we are vulnerable, we leave ourselves at risk.
Technical vulnerabilities also include out-of-date software and hardware. Systems that are out of support no longer receive fixes, which leaves us at risk of system outages and business disruption as well as attack. This applies to both the hardware and the software used within your organisation.
What the auditor is looking for
For this ISO27001 control, the auditor will look for evidence of both technical and operational security measures, including:
Vulnerability Identification (Risk Management Methodologies).
Results from Penetration Tests and Vulnerability scans.
Defined roles and responsibilities (A5.2 - Information security roles and responsibilities).
Maintenance certificates for physical information systems.
Asset Management (A5.9 - Inventory of information and other associated assets).
End-point device management (A8.1 - User endpoint devices).
Awareness, training and education (A6.3 - Information security awareness, education and training).
Logs and monitoring (A8.15 - Logging & A8.16 - Monitoring activities).
Risk Register.
Management Review Meeting minutes and actions.
What do you need to do?
First, speak to your IT function or support team and find out if penetration tests or vulnerability scans are carried out. If not, then your first task is to speak to your management review team and evaluate the need to carry out a test. Penetration tests are more intensive, and costly, and tend to be carried out periodically through the year, whereas vulnerability scans happen more frequently.
But you must risk assess whether a penetration test or vulnerability scan is right for you. Many people (including auditors) will immediately point to the penetration test or vulnerability scan and think that this is all you need for this control. In fact, organisations that tell you that you need a pen test to comply with this control either don’t understand ISO27001, or they’re lying to you, just to sell a pen test!
We’re not saying you shouldn’t have a pen test or run vulnerability scans, because you probably should. They’re a very useful tool, but they are a quick fix for something which requires a little deeper thinking. Also, penetration tests and vulnerability scans can be quite expensive, so they are beyond the reach of a lot of smaller businesses. They are not the only approach, and they are not mandated by ISO27001.
Many systems, like Microsoft 365, will produce security risk assessments (and scores) that tell you whether you’re vulnerable because of the way your system is used or configured. Speak to your IT team to identify what metrics they can extract from these systems. If you’re an MS365 user, start by asking for the MS365 score and its supporting report.
Remember that this ISO27001 control is about identifying, assessing and managing technical vulnerabilities, but it doesn’t state how you should do this. We suggest you keep this in mind when running your risk reviews and workshops, because you are in fact collecting information about technical vulnerabilities during that process.
For example, someone in your IT function might raise the point that a particular system is no longer under a service contract, because of the age of the system or a lapsed support contract. Depending on the skills of the Pen Tester, they won’t always pick up this point (although they might identify that a system has reached end-of-life).
Almost every business has a website, and this needs to be included within your technical vulnerabilities review. Speak to the person who owns the management of this site (or application). Depending on what the site or application is used for, it will require either a deep technical review or a simple review of the cookies. Cookies are used on almost all sites, but you need to ensure you’re complying with the Privacy and Electronic Communications Regulations (PECR), which outline how cookies can be used. This is a technical vulnerability that could land you in hot water with the Information Commissioner’s Office (ICO).
Finally, keep in mind that this control does not mention information processing facilities. The control is focused on technical vulnerabilities of information systems, and this includes physical security systems too. For example, are the CCTV cameras you’re using a potential risk? The UK Government recently banned the use of a certain brand of CCTV (in government facilities) because of concerns about technical vulnerabilities from foreign agencies.
Look at your inventory of assets and identify what other information systems are in use, and speak to the owner of these devices to identify (and manage) any technical vulnerabilities there.
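The end-of-support point above is one that a pen test may miss but an asset inventory (A5.9) can surface directly. As an added illustration (not from the original post), this script cross-checks a constructed inventory against a review date and produces risk-register entries for A8.8; the asset names, owners and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory (A5.9). Hypothetical assets, not real systems.
INVENTORY = [
    {"asset": "file-server-01", "owner": "IT Ops", "support_ends": "2023-06-30"},
    {"asset": "cctv-recorder", "owner": "Facilities", "support_ends": "2024-12-31"},
    {"asset": "hr-portal", "owner": "HR Systems", "support_ends": "2027-01-15"},
    {"asset": "legacy-printer", "owner": "Facilities", "support_ends": None},
]


@dataclass
class RiskEntry:
    """One line for the risk register, referencing the control it supports."""
    asset: str
    owner: str
    finding: str
    priority: str  # "high" or "medium"
    control: str = "A8.8"


def assess_support(asset: dict, today: date, warn_days: int = 180):
    """Return a RiskEntry if the asset is out of (or nearing the end of) support.

    Returns None when the asset is supported beyond the warning window.
    """
    raw = asset["support_ends"]
    if raw is None:
        # No contract on record is itself a finding: nobody is supplying fixes.
        return RiskEntry(asset["asset"], asset["owner"],
                         "no support contract recorded", "high")
    ends = date.fromisoformat(raw)
    days = (ends - today).days
    if days < 0:
        return RiskEntry(asset["asset"], asset["owner"],
                         f"out of support since {ends} ({-days} days)", "high")
    if days <= warn_days:
        return RiskEntry(asset["asset"], asset["owner"],
                         f"support ends {ends} (in {days} days)", "medium")
    return None


def build_register(inventory: list, today: date, warn_days: int = 180) -> list:
    """Assess every asset and return findings, highest priority first."""
    entries = [assess_support(a, today, warn_days) for a in inventory]
    entries = [e for e in entries if e is not None]
    order = {"high": 0, "medium": 1}
    return sorted(entries, key=lambda e: (order[e.priority], e.asset))


if __name__ == "__main__":
    for entry in build_register(INVENTORY, date(2024, 9, 1)):
        print(f"[{entry.priority}] {entry.asset} ({entry.owner}): {entry.finding}")
```

Each entry names an owner, so the register records who is responsible for treating the finding, which is the evidence the auditor asks for alongside the identification itself.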
Difficulty rating
We rate this control 3 out of 5 for difficulty. We have given it a higher rating because you will need to communicate with your technical team frequently regarding how vulnerabilities are identified and addressed. However, this doesn’t mean you need to understand what the vulnerabilities are, only that there is a process for identifying them and dealing with them. Of course, someone may ask you to provide your opinion on what kind of penetration test or vulnerability scan should be performed, which is why this task can become quite complex.
The different vulnerability scans and penetration tests are beyond the scope of this blog, but we would suggest that if you aren’t doing anything at the moment, you assess the risk of not performing a scan with your management team.
Q&A
Do I have to do a Pen Test for this control?
No, a pen test or vulnerability scan is not mandatory. Is it a good idea? Yes. Sure. But that’s partly because it’s pretty easy to complete: you simply outsource it to a specialist who conducts the assessment and hands you a report. This does not ensure that the vulnerabilities found are addressed.
A penetration test is a little like a car’s MOT. It tells you that the technology is ‘road worthy’ at the time of testing, but it doesn’t say what will happen in a month’s time. Good risk management methodologies and ongoing audits are better, but more difficult as the complexity of your systems increases.
What’s the difference between a Penetration Test and Vulnerability Scan?
A good way to think of the difference is to imagine this is something that happens in the ‘real world’. Imagine you are standing out in the street, at your house. You can see that you have a front door which is shut, but the window to the living room is open. There’s a sign on the gate that says “Beware of the dog”, but there’s no dog in sight. There’s a wall around your property, but it’s only a low wall, so it could easily be climbed (and if you really had a dog, would the wall be that low?).
You have done nothing other than ‘scan’ the property for places that you might be vulnerable to attack.
Now imagine that a professional thief is looking at your property. They first try to climb the wall, and see if they wake this dog that they are meant to ‘beware’ of. Can they climb the wall? Do they wake the dog? What about that window? Can they open it and climb through? What’s on the other side? A sleeping dog, or a horde of valuable items? Although the door was closed, is it locked? Can they pick the lock? How long will it take? Can they get in?
A penetration test will try to breach the security you have in place, then show you how the tester gained access and what they could do once inside.
Penetration tests are more intensive and therefore tend to be more expensive, because they require specific skills and experience.
More questions?
Remember that nothing in ISO27001 sits in isolation, so you should review our FAQ to gain answers to other aspects of the standard. Follow the links in this control to see the relationship in other controls, but if you’re still confused about this control, then please get in touch.
For information on how to implement ISO27001, you might like to consider buying our book “The Real Easy Guide to ISO27001”, which is available on Amazon.