10 September, 2019
Penetration Testing for ISO 27001 Control A.12.6.1
Out of all the security standards that have been prescribed by various bodies and organizations so far, ISO 27001:2013 has been the most popular one – without any doubt. Containing ten clauses and 114 controls, this standard has also served as a stepping stone for many organizations to improvise their information security policies and procedures. In this post, we will explore whether Control A.12.6.1 requires penetration testing or not. If not, how to implement this control, and if yes, what are the requirements?
Control A.12.6.1 – Management of technical vulnerabilities
This control is given under A.12 Operations Security – A.12.6 Technical Vulnerability Management. The objective of A.12.6 is to prevent the exploitation of technical vulnerabilities. Control A.12.6.1 – Management of technical vulnerabilities states that an organization must obtain information about technical vulnerabilities of information systems in a timely manner. An organization’s exposure to such technical vulnerabilities shall be evaluated, and appropriate measures must be taken to address the associated risks.
Implementation Guidance for Control A.12.6.1.
The implementation guidance is given for this control in ISO 27002:2013 specifies that a complete inventory of existing assets is a prerequisite for effective technical vulnerability management. Technical vulnerability management has to be supported by specific information such as software vendor, version control, existing deployment states, and individuals responsible for each software. It goes on to state that timely and appropriate actions should be taken in response to identifying potential technical vulnerabilities. To establish an effective technical vulnerability management program, the following actions are recommended –
- Defining and establishing roles and responsibilities related to technical vulnerability management, including vulnerability monitoring, patching, vulnerability risk assessment, asset tracking, and other possible coordination required.
- Identifying information resources required to identify relevant technical vulnerabilities and maintain awareness about them.
- Defining a timeline to react to potentially relevant technical vulnerabilities.
- Identifying associated risks and actions to be taken after a potential technical vulnerability has been identified.
- Carrying out the relevant actions depending upon how urgently a technical vulnerability needs to be addressed.
- Assessing the risks associated with installing a patch, even if it is available from a legitimate source.
- Testing and evaluating patches before they are installed on systems so that they do not have side effects and are effective.
- Maintaining audit records.
- Monitoring and evaluating the technical vulnerability management process.
- Defining a procedure to address a situation when an identified technical vulnerability has no suitable countermeasures.
Vulnerability Management & Penetration Testing
When a vulnerability scan is performed, an organization can identify various technical vulnerabilities such as SQLi, XSS, CSRF, weak passwords, etc. However, to exploit these vulnerabilities in a real-time environment, penetration testing exercises need to be performed. As we have discussed above, A.12.6.1 only talks about vulnerability management, not exploitation. After a vulnerability scan, penetration testing is generally performed to exploit the detected vulnerabilities.
Control A.12.6.1 requires an organization to implement effective technical vulnerability management so that the exploitation of technical vulnerabilities can be prevented. So, the question comes – does an organization need to perform penetration testing to prevent exploitation of technical vulnerabilities by actors with malicious intent?
Not necessarily, because after a vulnerability scan is conducted, an organization knows that its systems are vulnerable to certain vulnerabilities. Moreover, at this point essentially, the requirements of control A.12.6.1 are fulfilled. However, it is recommended that an organization must conduct penetration testing exercises, in addition to meeting the requirements of control A.12.6.1, so that it has better insights while quantifying the possible damages if the detected technical vulnerabilities are exploited successfully.