ISO 27701, Clause 6.9.6 – Technical Vulnerability Management

ISO 27701 Controls and Clauses Explained

Book a demo

shot,of,a,man,working,in,an,office

Technical vulnerabilities that have the potential to impact PII and privacy-related assets are almost impossible to completely eradicate, regardless of budget, staffing levels or expertise.

As such, ISO requires organisations to operate with a robust set of vulnerability management controls that both identify potential technical vulnerabilities, and provide clear guidance on the remedial action required to mitigate any commercial, operational or reputational damage.

What’s Covered in ISO 27701 Clause 6.9.6

ISO 27001 6.9.6 contains two sub-clauses that deal with the topic of vulnerability management, split between technical management, and how organisations should consider software installations:

  • ISO 27701 6.9.6.1 – Management of technical vulnerabilities (ISO 27002 Control 8.8)

  • ISO 27701 6.9.6.2 – Restriction on software installation (ISO 27002 Control 8.19)

Neither sub-clause contains any PIMS or PII-specific guidance, nor are there any UK GDPR implications to consider.

Jump to Topic
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 6.9.6.1 – Management of Technical Vulnerabilities

References ISO 27002 Control 8.8

Organisations should obtain an up-to-date list of all assets (see Controls 5.9 and 5.14) that are owned and operated by the organisation, including:

  • Vendor name.

  • Application name.

  • Version numbers.

  • Where the software is deployed.

  • Who is responsible for the operation of said software.

When identifying vulnerabilities that have the potential to impact upon PII and privacy protection, organisations should:

  1. Outline the personnel responsible for vulnerability management, including:

    • Asset management.

    • Risk assessment.

    • Monitoring.

    • Updating.

  2. Maintain an up-to-date inventory of applications and resources that will be used to identify technical vulnerabilities.

  3. Contact suppliers and vendors and ask them to clearly indicate vulnerabilities whenever new systems and hardware are supplied (see ISO 27002 Control 5.20).

  4. Use vulnerability scanning tool and patching facilities.

  5. Carry out periodic penetration testing.

  6. Analyse third-party code libraries and/or source code for underlying vulnerabilities and/or exploits (see ISO 27002 Control 8.28).

Public Activities

Organisations should develop policies and procedures (including automatic updates) that detect vulnerabilities across all its products and services, and receive vulnerability assessments relating to the supply of said products and services.

ISO advises organisations to make a public effort to track down any vulnerabilities – including the use of structured bounty programs – and use forums and public research activity to raise awareness of potential exploits and security issues.

If, following a security incident, remedial action has been taken that could in any way affect customers (or their perception of the data held), organisations should consider engaging with certified security specialists to distribute information about attack vectors.

Evaluating Vulnerabilities

Throughout the process of evaluating vulnerabilities, organisations should:

  • Analyse any reports and decide what action needs to be taken, including any updates or the removal of affected systems and/or hardware.

  • Agree upon a resolution that takes into account other ISO controls.

Counteracting Software Vulnerabilities

When addressing vulnerabilities after they have been identified, organisations should:

  1. Resolve all vulnerabilities in a timely and efficient manner.

  2. Adhere to organisational procedures on change management (see ISO 27002 Control 8.32) and incident response (see ISO 27002 Control 5.26), to ensure a uniform approach.

  3. Limit updates and patches to those from from trusted sources.

  4. Test updates prior to implementation.

  5. Identify high risk and business-critical systems as a priority, when planning remedial actions.

If an update is not forthcoming, and remedial action is prevented by external factors, organisations should:

  • Consult with vendors on workarounds.

  • Disable any or all affected network services.

  • Implement network security controls, including traffic rules and content filtering.

  • Increase the frequency and duration of monitoring efforts on affected systems.

  • Distribute information on the vulnerability, and ensure that all affected parties are informed – including suppliers and customers.

Relevant ISO 27002 Controls

  • ISO 27002 5.14

  • ISO 27002 5.20

  • ISO 27002 5.9

  • ISO 27002 8.20

  • ISO 27002 8.22

  • ISO 27002 8.28

Supplementary Guidance

An audit trail should be kept of all relevant vulnerability management activities, and the organisation’s vulnerability management process should be reviews to ensure it is both fit for purpose, and meets the growing needs of the organisation.

Where cloud-based software is concerned, the organisation should ensure that the service provider’s stance towards vulnerability management is aligned with its own. Organisations should seek to obtain written confirmation of any responsibilities via a binding service agreement (see ISO 27002 Control 5.32).

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

ISO 27701 Clause 6.9.6.2 – Restriction on Software Installation

References ISO 27002 Control 8.19

In order to protect the availability and integrity of PII, and administer change, organisations should:

  • Ensure that software updates are carried out by competent personnel (see Control Control 8.5).

  • Ensure that code has safely exited the development stage, and is free from any bugs.

  • Test all software prior to update or installation, to ensure that no conflicts or errors will ensue.

  • Keep an up to date software library system.

  • Maintain a ‘configuration control system’ to administers operational software.

  • Draft a ‘rollback strategy’ that restores systems to a previously working state, to ensure business continuity.

  • Maintain a thorough log of any updates performed.

  • Ensure that unused software applications – and all their associate material – are securely stored for further use and analysis.

  • Operate with a software restriction policy, that runs in accordance with the organisation’s various roles and responsibilities.

When utilising vendor-supplied software, applications should be kept in good working order and in accordance with the issuers guidelines.

ISO makes it explicitly clear that organisations should avoid using unsupported software unless absolutely necessary. Organisations should seek to upgrade incumbent systems, rather than use out-of-date or unsupported legacy applications.

A vendor may require access to an organisation’s network in order to perform an installation or update. Such activities should be authorised and monitored at all times (see ISO 27002 Control 5.22).

Supplementary Guidance

  1. Organisations should upgrade, patch and install software in accordance with their published change management procedures.

  2. Patches that eradicate security vulnerabilities or otherwise improve organisational privacy protection should always be considered as a priority change.

  3. Organisations should take great care in using open source software, and should identify the latest publicly available version to ensure that security requirements are being met to the fullest extent.

Relevant ISO 27002 Controls

  • ISO 27002 5.22

  • ISO 27002 8.5

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause IdentifierISO 27701 Clause NameISO 27002 ControlAssociated GDPR Articles
6.9.6.1Management of Technical Vulnerabilities8.8 – Management of Technical Vulnerabilities for ISO 27002None
6.9.6.2Restriction on Software Installation8.19 – Installation of Software on Operational Systems for ISO 27002None

How ISMS.online Helps

With the ISMS.online platform, you can integrate a PIMS to ensure that your security posture is all-in-one-place and avoids duplication where standards overlap.

It has never been easier to monitor, report, and audit against both ISO 27001 and ISO 27701 with your PIMS instantly accessible to interested parties.

Find out how much time and money you’ll save on your journey to a combined ISO 27001 and 27701 certification using ISMS.online.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now