1. Can the analysis of technical vulnerabilities of information assets be done by the organization itself, or should it contract an external provider specialized in security?
ISO 27001 does not prescribe who should perform the assessment of technical vulnerabilities, so organizations are free to choose the approach that best fits their needs.
2. The company has bought an appliance for the analysis of technical vulnerabilities of digital assets; the device will be managed by the systems area staff. Could this generate a non-compliance in the event of a third-party audit?
Provided that the staff managing the technical vulnerabilities appliance do not own the digital assets being assessed, there will be no problem regarding compliance with ISO 27001.
For example, systems' owners cannot run the technical vulnerabilities appliance over the systems they manage.
This is to provide assurance of independent evaluation.
3. What are the recommendations for the management of vulnerability analysis and intrusion tests on digital assets?
The main recommendations for vulnerability management take into account:
- Definition of an asset inventory, so you have the knowledge about what you need to protect
- Definition of roles and responsibilities, so it is clear what needs to be done by whom
- Definition of reference sources (e.g., suppliers, manufacturers, expert groups, etc.), so you can have trustworthy information about vulnerabilities
- Handle identified vulnerabilities in a systematic way
- Make records of performed analysis
Regarding penetration tests, they should be performed considering at least these phases:
- Planning: identification of the information systems and targets involved
- Information gathering: collect all available information possible about the targets
- Threat modeling: develop strategies to attack the systems
- Vulnerability analysis: identify all vulnerabilities related to the target
- Exploitation: effectively apply devised threats against potential vulnerabilities to try to breach the targets
- Post-exploitation: check what can be done once the target is breached (e.g., download files, access other systems, etc.)
- Reporting: document and present findings and recommendations
For further information, see:
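The answers to questions 2 and 3 together describe a small set of controls: an asset inventory with named owners, an independence rule (whoever runs the assessment must not own the asset), trusted reference sources for each vulnerability, systematic handling of findings, and a record of every analysis performed. The following Python register is an added example (it is not from the original answers and not any product's code) that enforces those controls in one place. The severity-to-deadline table, asset names, team names and dates are constructed sample values, not requirements of ISO 27001.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation deadline (days) per severity. Constructed policy values for the
# example; an organization sets its own in its vulnerability management procedure.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Asset:
    asset_id: str
    name: str
    owner: str  # role accountable for the asset; may not assess it (independence)


@dataclass
class Finding:
    finding_id: str
    asset_id: str
    severity: str
    source: str  # reference source the vulnerability information came from
    found_on: date
    due_on: date
    status: str = "open"
    closed_on: Optional[date] = None


class VulnerabilityRegister:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}      # inventory: what needs protecting
        self.findings: Dict[str, Finding] = {}  # identified vulnerabilities
        self.records: List[dict] = []           # one entry per analysis performed

    def add_asset(self, asset: Asset) -> None:
        self.assets[asset.asset_id] = asset

    def record_assessment(self, asset_id: str, assessor: str, performed_on: str,
                          tool: str, raw_findings: List[Tuple[str, str]]) -> List[str]:
        """Register a completed analysis and its findings (severity, source) pairs.

        Rejects assets missing from the inventory and assessors who own the asset,
        which is the segregation the answer to question 2 requires."""
        asset = self.assets.get(asset_id)
        if asset is None:
            raise KeyError(f"{asset_id} is not in the asset inventory")
        if assessor == asset.owner:
            raise PermissionError(f"{assessor} owns {asset_id} and may not assess it")
        day = date.fromisoformat(performed_on)
        created: List[str] = []
        for n, (severity, source) in enumerate(raw_findings, start=1):
            if severity not in SLA_DAYS:
                raise ValueError(f"unknown severity {severity!r}")
            fid = f"{asset_id}-{day:%Y%m%d}-{n}"
            self.findings[fid] = Finding(fid, asset_id, severity, source, day,
                                         day + timedelta(days=SLA_DAYS[severity]))
            created.append(fid)
        self.records.append({"asset_id": asset_id, "assessor": assessor,
                             "performed_on": day, "tool": tool, "findings": created})
        return created

    def close(self, finding_id: str, closed_on: str) -> None:
        finding = self.findings[finding_id]
        finding.status = "closed"
        finding.closed_on = date.fromisoformat(closed_on)

    def overdue(self, today: str) -> List[str]:
        """Open findings whose remediation deadline has passed, for follow-up."""
        now = date.fromisoformat(today)
        return sorted(f.finding_id for f in self.findings.values()
                      if f.status == "open" and f.due_on < now)


def demo() -> Tuple[VulnerabilityRegister, bool]:
    """Constructed walkthrough: systems-team may scan an asset it does not own,
    but is refused on its own asset. Returns the register and whether the
    independence rule fired."""
    reg = VulnerabilityRegister()
    reg.add_asset(Asset("web-01", "Customer portal", owner="systems-team"))
    reg.add_asset(Asset("db-01", "Customer database", owner="dba-team"))
    reg.record_assessment("db-01", "systems-team", "2024-03-01", "scan-appliance",
                          [("critical", "vendor advisory"), ("low", "scanner plugin")])
    try:
        reg.record_assessment("web-01", "systems-team", "2024-03-01", "scan-appliance", [])
        independence_enforced = False
    except PermissionError:
        independence_enforced = True
    reg.close("db-01-20240301-1", "2024-03-05")  # critical fixed within its 7 days
    return reg, independence_enforced


if __name__ == "__main__":
    register, enforced = demo()
    print("independence enforced:", enforced)
    print("records kept:", len(register.records))
    print("overdue on 2024-09-01:", register.overdue("2024-09-01"))
```

The `records` list is the evidence an auditor would ask for under "make records of performed analysis"; the `overdue` query is what turns a list of findings into systematic handling, since each finding carries a deadline derived from its severity rather than being tracked ad hoc.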