ISO 27001 focuses on an organization's information that is worthy of protection, and on safeguarding its confidentiality, integrity and availability. ISO 27001 is an international standard for information security in private, public and non-profit organizations. The standard describes requirements for establishing, implementing, operating and continually improving a documented information security management system (ISMS). The main focus of the management system is on identifying, handling and treating risks.

What are the dangers and risks for information security?

Vulnerability management in the context of ISO 27001 refers to technical vulnerabilities, which may give rise to threats to the IT security of companies and organizations. These threats include:

  • Ransomware, extortion software that may encrypt data storage media and capture compromising information
  • Remote Access Trojans (RATs), which may allow an attacker remote access to the network
  • Phishing and spam, which may lead to a loss of control over e-mail. A particularly popular pretext is the European General Data Protection Regulation (GDPR), combined with a request in an e-mail to verify customer data by clicking on a link. The senders often pose as banks or even PayPal.
  • Distributed Denial of Service (DDoS) attacks and botnets, which flood systems with huge volumes of data packets and may reduce the availability and integrity of those systems
  • State-sponsored cyber-terrorists, activists, criminals and insiders, who pose a wide range of threats
  • Deficient or missing processes

In order to identify weaknesses and security gaps arising from these dangers, the need for protection must be determined in line with ISO 27001. This establishes systematic vulnerability management for securing the IT infrastructure, with continuous vulnerability assessment.

Deficient processes – a threat to information security?

A realistic risk assessment is not possible without a process of analyzing system logs and log data, knowledge of technical vulnerabilities and a more in-depth examination of IT systems. Similarly, a missing or faulty process does not allow the definition of risk acceptance criteria or the determination of the risk level – as required by ISO 27001.

As a result, the risk for IT security and thus for the information security of a company cannot be determined and the highest possible risk for this company must be assumed.

Vulnerability management in the context of ISO 27001: optimum protection of infrastructure

One appropriate measure for protecting the IT infrastructure is the management of possible weak points and security gaps. In this context, systematic network-based vulnerability scans and penetration tests of all systems are carried out regularly. Weak points identified by these tests are recorded in the information security management system (ISMS) in accordance with ISO 27001.

It is also important to define the threats to IT security – as well as the overall information security. The technical weak points are to be prioritized according to their severity (CVSS) and finally eliminated. An assessment of the residual risk due to remaining technical weaknesses and ultimately a degree of risk acceptance also fall under the vulnerability management according to ISO 27001.

How can an organization protect itself from a technical vulnerability?

An organization may protect itself from malware, for example, by introducing and implementing measures for detection, prevention and data protection in conjunction with appropriate user awareness. What that means in detail for vulnerability management in the context of ISO 27001 is that in order to prevent the exploitation of a technical vulnerability, it is necessary to:

  • obtain timely information about the technical weaknesses of the information systems used
  • evaluate their hazardousness and
  • take appropriate measures.

This may be done by installing security patches (patch management), isolating endangered IT systems or ultimately by shutting down systems. Furthermore, rules for software installation by users must be defined and implemented.

Important questions about vulnerability management and the ISO 27001 security concept

The following questions may be asked in the course of an audit, which is why it is useful to deal with them in advance:

  • Have you defined roles and responsibilities for handling and monitoring technical vulnerabilities?
  • Have you identified sources of information that may help identify technical vulnerabilities?
  • Is there a deadline for taking action in response to notification and detection of a vulnerability?
  • Have you conducted a risk assessment of the vulnerabilities with a view to, among other things, corporate values?
  • Do you know your technical vulnerabilities?

Vulnerability management in the context of ISO 27001 is a continuous process that must be performed regularly. ISO 27001 requires the results to be current: a one-time vulnerability assessment and risk evaluation carried out for implementation or certification is no longer valid at a later point in time, for example during recertification. A vulnerability scan is only valid at the exact moment it is performed. Software updates installed later or changes to the network topology may introduce new vulnerabilities. It is therefore important for every organization to continuously track, verify and repeat its vulnerability management processes and to enter the corresponding information into the information security management system.

Appendix – Common Vulnerability Scoring System (CVSS)

The industry standard CVSS (Common Vulnerability Scoring System) is used to assess the severity of a vulnerability. An overall value from 0 to 10 is calculated from the Base Score metrics, which among other things answer these questions:

  • How “close” must the attacker get to the vulnerable system (attack vector)?
  • How easily does the attacker get to the target (attack complexity)?
  • Which access rights are required to exploit the vulnerability (privileges required)?
  • Do you need helpers, e.g. a user who must first follow a link (user interaction)?
  • Is the confidentiality impaired (confidentiality impact)?

A CVSS calculator can be found on the pages of the US National Institute of Standards and Technology (NIST):

Author and Source

Article by Hans-Jürgen Fengler, DQS Expert for Information Security, Data Protection and Business Continuity.
Source: DQS Holding GmbH

ISMS Certification

Does your organization have a management system in place to address the risks associated with information security? Click here to learn more about how a management system certification based on ISO 27001:2013 can help you tackle such challenges.
