Information Security Standard

WHAT IS THE ISO27001

ISO/IEC (International Organisation for Standardisation/International Electrotechnical Commission) 27001 (latest version 2013), or simply ISO27001, is an international framework that sets out specifications to help organisations establish, implement, operate, monitor, review, maintain and continually improve their Information Security Management System (ISMS).


The ISO27001 best-practice approach helps organisations manage their information security by addressing not only processes and technology, but also people.

Independently accredited certification to the Standard is recognised internationally, indicating that your ISMS is aligned with information security best practices.

Laneden can offer services to help achieve and maintain your accreditation.

Information about technical vulnerabilities of information systems being used must be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.


ISMS Online
https://www.isms.online

Any vulnerability is a weakness in security protection and must be dealt with effectively and efficiently where risk levels are unacceptable.


ISMS Online
https://www.isms.online

Annex A.12.6.1, Management of Technical Vulnerabilities, is the annex that deals with technical vulnerability management. Its objective is to prevent the exploitation of technical vulnerabilities.


Concentrating efforts on three key areas:

  • Timely identification of security vulnerabilities.
      • The sooner you discover a vulnerability, the more time you have to correct it, or at least to warn the manufacturer about the situation, decreasing the window of opportunity a potential attacker may have.
  • Assessment of the organization's exposure to a vulnerability.
      • Not all organizations are affected the same way by a given vulnerability, or set of vulnerabilities. A risk assessment is needed to identify and prioritize those vulnerabilities that are most critical to your assets and business.
  • Proper measures considering the associated risks.
      • Once you have identified the most critical vulnerabilities, decide on the actions and the resources you will allocate to deal with them; that is your risk treatment plan. The most prudent approach is to base this on the risk level associated with each vulnerability.

Laneden can help build a programme of works so that your organisation achieves regular security testing, understands the effectiveness of its technical controls, and has its security risks defined and their mitigations understood.

We provide a thorough and independent examination to identify security vulnerabilities within your software, systems and network configurations.

Laneden can provide an on-site debriefing of the findings, explaining how attackers could potentially gain control of your systems and exfiltrate data.

A comprehensive report is written containing an executive summary that is consumable by anyone in the organisation regardless of their technical background, along with enough detail to let you understand the risks and concise, clear guidance on how to mitigate or remediate those concerns.

Technical vulnerabilities have been at the heart of many large security breaches reported in the media (and those that aren't!) and so it is essential that formal managed processes are in place at an adequate and proportionate level.


ISMS Online
https://www.isms.online


Methodology

Using a combination of automated and manual testing, our consultants will conduct a thorough assessment of your infrastructure, identifying vulnerabilities that may be exploitable by both authenticated and unauthenticated users across your network.

The use of automated tools and in-depth knowledge of manual testing allows us to accurately and effectively assess your infrastructure, maximising the time available.

Assessments are conducted in line with the current standards and methodologies used in the industry, such as those outlined in the Penetration Testing Execution Standard (PTES). Using PTES as guidance, Laneden defines its approach in six phases:

  • Pre-engagement
  • Intelligence Gathering
  • Vulnerability Analysis
  • Exploitation
  • Post Exploitation
  • Reporting


Deliverables

  • Our consultants engage with the client to discuss the scope and make certain all is in order before the assessment begins.
  • Communications at the beginning and end of each assessment day, confirming that the assessment is starting or ending for the day.
  • On-going communications from the engaged engineer, highlighting any major issues as they come across them.
  • A comprehensive report containing an executive summary which gets right to the point of the associated risks and is consumable by anyone in the organisation regardless of their technical background.
  • Clear and concise information describing each issue found.
  • Technical references where relevant, allowing you to gather more information on the vulnerability if required.
  • Each vulnerability put into context and given a risk-based score. Using CVSS 3 scoring together with the relevant context gives a realistic picture of each associated risk.
  • Simple remediation advice, stating what is required to remediate each vulnerability.


FREQUENTLY ASKED QUESTIONS

WHAT DOES AN ISMS GIVE ME

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.


DO I HAVE TO UNDERGO A PENETRATION TEST TO BE ISO27001 COMPLIANT

No, it is not a requirement to undergo a penetration test to be ISO27001 compliant.

A12.6.1 states that:

  • ‘information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk’.


This means a simple vulnerability assessment, rather than a full penetration test, would suffice to identify known vulnerabilities. However, a full penetration test has benefits above and beyond those of a vulnerability assessment.

A penetration test can help prioritise concerns and give further insight into the risk, potentially showing what information could be compromised, how this information could be exfiltrated and how a cyber assailant could get a foothold into your systems or network.

Assessments are usually conducted once the scope of the ISMS, and its associated assets, have been identified. Other stages may also benefit from security testing, such as identifying vulnerabilities as part of the risk assessment process, or checking that the controls put in place are effective.