Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.
Share on facebook
Share on twitter
Share on linkedin
Share on xing
Share on whatsapp

How much common ground is shared between technical vulnerability scanners and the de facto global information security standard? Quite a lot, actually. In this blog post we examine how Holm Security VMP platform meets ISO 27001 requirements for detecting vulnerabilities in an organization’s information systems, assessing the involved risks and taking corrective actions.

What Holm Security VMP?

Holm Security Vulnerability Management Platform (VMP) provides a versatile and reliable solution to meet the requirements of the ISO 27001. Suitable targets for inspection include computers, active network devices and other information systems, as well as web applications. In addition to comprehensive scanning features, the platform includes tools to protect users and raise awareness of social engineering, as well as organizing ongoing security work.

Holm Security - Top Vulnerabilities

What does ISO27001 say about vulnerabilities?

When it comes to managing vulnerabilities, ISO27001 requires three main topics to be considered in the organization:

Scan

Scan

Information about technical vulnerabilities of information systems being used should be obtained in a timely fashion

Assess

Assess

The organization’s exposure to such vulnerabilities must be evaluated

Remediate

Remediate

Appropriate measures must be taken to address the associated risk

How does Holm Security meet the standard's requirements?

With VMP, it is possible to do both scheduled and on-demand scans. You can even find 0-day vulnerabilities soon enough and still have the time to patch those holes before problems occur. For high-risk systems, you can schedule multiple scans a day if necessary, or enable continuous monitoring to receive alerts immediately when suspicious events are detected.

Not every vulnerability poses the same risk to every organization. In VMP, it’s possible to classify assets based on their business importance and then automatically have the platform determine the risk score for each observed vulnerability.

Once the vulnerabilities have been identified and corresponding risk scores determined, VMP allows you to monitor the remediation progress and monitor allocation of available resources. It is also possible to integrate VMP with Jira.

To demonstrate compliance with the standard, you will also need compliance and trend reports for different audiences such as company management, the board and auditors. Holm Security VMP generates these reports for you, automatically.

Holm Security - Scanning Results

Asset inventory

According to ISO 27001, a current and complete inventory of assets is a must-have prerequisite for vulnerability management to be effective. Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained.

VMP provides a detailed view of assets, which is updated automatically with each scan. You can assign owners and set assets’ business criticality, an up-to-date list of open ports and vulnerability trend charts for each host individually. You might also find systems that should no longer be there in the first place, ports that should be closed or services that are in the wrong place.

Reference sources

You need to know what you’re looking for. ISO 27001 mandates that Information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory). These information resources should be updated based on changes in the inventory or when other new or useful resources are found.

VMP is fully equipped with latest vulnerability data from various sources and constantly updated tests, so you can rest assured that not a single relevant vulnerability goes unnoticed.

Review and continuous improvement

As with any processes and practices in ISO 27001, the technical vulnerability management process also must be regularly monitored and evaluated in order to ensure its effectiveness and efficiency. With VMP, you get eg. customized dashboards, compliance reports for ISO 27001, PCI, GDPR, NIS, OWASP, PDPA, HIPAA and SOX and also benchmark reports according to CIS to support the effort.
Saku Tuominen

Saku Tuominen

Author works as information security and privacy specialist at Mint Security. He brings two decades of professional experience to the table.
Share on facebook
Share on twitter
Share on linkedin
Share on xing
Share on whatsapp

contact us

Please do contact us. We most likely respond faster than you thought,