ISO 27001:2022 Annex A Control 8.8

Guidance on Identifying Vulnerabilities

Before carrying out vulnerability controls, it is essential to acquire a comprehensive and current list of physical and digital assets (refer to Annex A 5.9 and 5.14) owned and operated by the organisation.

Software asset data should comprise:

• Version numbers currently in operation.
• Where the software is deployed across the estate.
• Vendor name.
• Application name.

Organisations should strive to identify technical vulnerabilities by:

• It is essential to clearly define who in the organisation is accountable for vulnerability management from a technical point of view, fulfilling its various functions, which include (but are not limited to):
• Monitoring.
• Updating.
• Asset management.
• Risk assessment.
• Within the organisation, who is responsible for the software.
• Keep a record of applications and tools to identify technical weaknesses.
• Request suppliers and vendors to divulge any susceptibilities with new systems and hardware when providing them (as per Annex A 5.20 of ISO 27001:2022), and clearly specify as much in all applicable contracts and service agreements.
• Employ vulnerability scanning tools and patching facilities.
• Perform periodic, documented penetration tests, either by internal staff or by an authenticated third-party.
• Be aware of the potential for underlying programmatic vulnerabilities when using third-party code libraries or source code (refer to ISO 27001:2022 Annex A 8.28).

Guidance on Public Activities

Organisations should create policies and procedures that detect vulnerabilities in all their products and services and get assessments of these vulnerabilities related to their supply.

ISO advises organisations to take action to identify any vulnerabilities, and to motivate third-parties to participate in vulnerability management activities by offering bounty programs (where potential exploits are sought and reported to the organisation in exchange for a reward).

Organisations should make themselves accessible to the public through forums, public email addresses, and research so they can harness the collective knowledge of the public to protect their products and services.

Organisations should review any remedial action taken, and consider releasing relevant information to affected individuals or organisations. Moreover, they should engage with specialist security organisations to spread knowledge of vulnerabilities and attack vectors.

Organisations should think about providing an optional automated update system that customers can choose to use or not, according to their business requirements.

Guidance on Evaluating Vulnerabilities

Accurate reporting is essential for ensuring prompt and effective corrective action when security risks are detected.

Organisations should assess vulnerabilities by:

• Examine the reports thoroughly and determine what action is necessary, such as changing, updating, or eliminating impacted systems and/or equipment.
• Reach a resolution that takes into account other ISO controls (especially those related to ISO 27001:2022) and acknowledges the level of risks.

Guidance on Counteracting Software Vulnerabilities

Software vulnerabilities can be effectively tackled using a proactive approach to software updates and patch management. Ensuring regular updates and patches can help protect your system from potential threats.

Organisations should take care to retain existing software versions before making any modifications, perform thorough tests on all modifications, and apply these to a designated copy of the software.

Once vulnerabilities are identified, organisations should take action to address them:

• Aim to swiftly and effectively fix all security weaknesses.
• Where feasible, observe the organisational protocols on Change Management (see ISO 27001:2022 Annex A 8.32) and Incident Handling (see ISO 27001:2022 Annex A 5.26).
• Only apply patches and updates from reliable, certified sources, especially for third-party vendor software and equipment:
• Organisations should evaluate the data at hand to decide whether it is essential to apply automatic updates (or components of them) to purchased software and hardware.
• Before installing, test any updates to prevent any unanticipated problems in a live environment.
• Give top priority to tackling high-risk and vital business systems.
• Ensure remedial actions are successful and genuine.

In the event of no update being available, or any hindrances to installing one (e.g. cost-related), organisations ought to contemplate other methods, like:

• Requesting guidance from the vendor on a temporary fix while remedial efforts are intensified.
• Turn off any network services that are impacted by the vulnerability.
• Implementing security controls at key gateways, such as traffic regulations and filters, to protect the network.
• Step up surveillance in proportion to the associated risk.
• Make sure all concerned parties are aware of the flaw, including vendors and purchasers.
• Delay the update and evaluate the risks, particularly noting any potential operational costs.

Accompanying Annex A Controls

• ISO 27001:2022 Annex A 5.14
• ISO 27001:2022 Annex A 5.20
• ISO 27001:2022 Annex A 5.9
• ISO 27001:2022 Annex A 8.20
• ISO 27001:2022 Annex A 8.22
• ISO 27001:2022 Annex A 8.28

Supplementary Guidance on Annex A 8.8

Organisations should maintain an audit trail of all pertinent vulnerability management activities to assist with corrective action and advance protocols in case of a security breach.

Periodically assessing and reviewing the entire vulnerability management process is a great way to enhance performance and proactively identify any vulnerabilities.

If the organisation employs a cloud service provider, they should ensure the provider’s approach to vulnerability management is compatible with their own and should be included in the binding service agreement between both parties, including any reporting procedures (see ISO 27001:2022 Annex A 5.32).

Changes and Differences from ISO 27001:2013

ISO 27001:2022 Annex A 8.8 supersedes two Annex A Controls from ISO 27001:2013, these are:

• 12.6.1 – Management of technical vulnerabilities
• 18.2.3 – Technical compliance review

ISO 27001:2022 Annex A 8.8 introduces a new, distinct approach to vulnerability management than that found in ISO 27001:2013. It is a noteworthy divergence from the prior standard.

ISO 27001:2013 Annex A 12.6.1 mainly focused on putting corrective measures in place once a vulnerability is detected, whereas Annex A 18.2.3 only applies to technical means (largely penetration testing).

ISO 27001:2022 Annex A 8.8 introduces new sections dealing with an organisation’s public responsibilities, methods for recognising vulnerabilities, and the part cloud providers play in keeping vulnerabilities at a minimum.

ISO 27001:2022 places strong emphasis on the role of vulnerability management in other areas (such as change management) and encourages taking a holistic approach, incorporating several other controls and information security processes.

Table of All ISO 27001:2022 Annex A Controls

In the table below you’ll find more information on each individual ISO 27001:2022 Annex A Control.

How ISMS.online Help

Our platform is user-friendly and straightforward. It’s meant for everyone in the organisation, not just tech-savvy people. We recommend involving personnel from all levels of the business in constructing your ISMS as this helps create a system that will last.

Get in contact now to arrange a demonstration.