Expert Advice Community

Guest user Created:   May 18, 2018 Last commented:   May 18, 2018

Patch management

  1. I would like to know where patch management fits into ISO 27001. If, for example, a new critical security update was released by a vendor, or a vulnerability management system discovered a missing critical update on an asset, would I carry out 1. a risk assessment against the asset to determine the risk, then do the treatment options and treatment plan, or 2. would missing patches come under defect management and go through some type of SDLC testing and change management before being applied, and only do a risk assessment if the patch couldn't be applied because of either a system stability issue or because the patch won't be applied within the time-frame required in a patch management policy?
  2. If a risk assessment should be carried out, does this also mean that after the treatment options are decided, for every patch that requires a treatment option the Statement of Applicability must be updated with whatever potential control?
  3. If I had to carry out a risk assessment for every patch that came out, it would create so much overhead that it just wouldn't get done. What have you found to be best practice for this?
Expert: Rhand Leal, May 18, 2018

I would like to know where patch management fits into ISO 27001. If, for example, a new critical security update was released by a vendor, or a vulnerability management system discovered a missing critical update on an asset, would I carry out a
1. Risk assessment against the asset to determine the risk, then do the treatment options and treatment plan
or
2. Would missing patches come under defect management and go through some type of SDLC testing and change management before being applied, and only do a risk assessment if the patch couldn't be applied because of either a system stability issue or because the patch won't be applied within the time-frame required in a patch management policy?

The handling of a new critical security update that was released/discovered should go through change management (control A.12.1.2), and according to this control, planning and testing changes should come before the assessment of the potential impacts of such changes (first you have to understand the change and verify if it is feasible, in a non-operational environment, so you can assess the involved risks). The scenarios you mentioned are only part of the possible alternatives (you can identify that the change is possible but involves risks that can be managed by means of a rollback procedure, for example).

If a risk assessment should be carried out, does this also mean that after the treatment options are decided, for every patch that requires a treatment option the Statement of Applicability must be updated with whatever potential control?

If during the risk assessment you identify the need for a new control, then the Statement of Applicability should be updated accordingly.

If I had to carry out a risk assessment for every patch that came out, it would create so much overhead that it just wouldn't get done. What have you found to be best practice for this?

When defining your change management process, you can define which kinds of patches and situations would require performing risk assessments, so you can balance the effort of performing risk assessments against the level of risk involved in the change. For example, you can define that patches that do not require a high level of skill, or that are applied to non-critical systems, do not require a risk assessment.

This article will provide you further explanation about change management:
- How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

These materials will also help you regarding change management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
