We are tasked to establish a document on Web Application Vulnerability Assessment on public-facing websites as part of web application management.
With reference to the toolkit we purchased, may we know which is the most similar document that we can use as a reference?
The current process we have is as follows:
1. Information Security Manager conducts the web application vulnerability assessment on all public facing websites.
2. The business owner(s) who own the websites may nominate the web masters who will maintain and manage the updates/upgrades and remediation of all application-related issues.
3. The vulnerability scan report will be given to the BU(s) and web masters (developers) by the Information Security Manager.
4. Vulnerabilities will be addressed by web masters (developers) with reference to the Detailed Scan Report.
5. Re-scanning of the website will be conducted to check and verify the mitigations made.
The most similar documents to be used are the documents for risk assessment and treatment and for the risk treatment plan. You can develop the process of web application vulnerability assessment as a subprocess of ISO 27001 Risk assessment (in the Methodology document).
The documents for risk assessment and treatment can be found in the folder 05 Risk Assessment and Risk Treatment.
The document for risk treatment plan can be found in the folder 07 Implementation Plan.