In the previous part of this article, we focused on the ISO/IEC 29147 standard, Information technology – Security techniques – Vulnerability disclosure. Let me remind you that this standard applies to suppliers who decide to disclose vulnerabilities in order to reduce the risk to users of their products and services.
The second part, as announced, concerns the ISO/IEC 30111 standard, Information technology – Security techniques – Vulnerability handling processes. ISO/IEC 30111:2019 contains requirements and recommendations on how to process and remediate reported potential vulnerabilities in the security of a product or service. This standard applies to vendors handling vulnerabilities.
ISO/IEC 30111 is closely related to ISO/IEC 29147: the two standards are designed to work together, in particular when receiving reports of potential vulnerabilities and when disseminating information about vulnerability remediation.
As the title of the standard indicates, this document describes the processes that suppliers should implement in order to handle vulnerabilities and to report on potential vulnerabilities in their products and services.
ISO/IEC 30111 provides guidance on how to deal with information about potential vulnerabilities reported by individuals or organizations that have identified them in a product or online service, and on how to reach decisions about those vulnerabilities. The standard consists of 8 chapters:
- Scope
- Normative references
- Terms and definitions
- Abbreviated terms
- Relationship with other international standards
- Policy and organizational framework
- The vulnerability handling process
- Supply Chain Considerations
The recipients of this document are developers, suppliers, evaluators, and users of IT products and services. This document will be helpful for the following groups of recipients:
- suppliers and developers, when responding to current or potential vulnerability reports;
- evaluators, mainly to assess the level of security and the mechanisms and processes that suppliers and developers use to handle vulnerabilities;
- users, to define and communicate procurement requirements to developers, vendors and integrators.
The ISO/IEC 30111 standard specifies processes that ensure a supplier is prepared to investigate and eliminate potential vulnerabilities. Of course, these processes are to be documented. You may ask "Why?". It is very simple: documenting your vulnerability handling procedures helps to ensure their repeatability. The documentation may include the policies, procedures and methods used to track all reported vulnerabilities.
Remember that the vulnerability handling process should not only be implemented, but also periodically assessed, so that the process itself can be improved and so that it can be shown to produce the expected outcomes.
It is worth noting that ISO/IEC 30111 is related not only to ISO/IEC 29147 on vulnerability disclosure, but also to:
– all parts of ISO/IEC 27034 Information technology – Application security,
– ISO/IEC 27036-3 Information technology – Security techniques – Information security in relationships with suppliers – Part 3: Guidelines for the supply chain security of information and communication technology,
– ISO/IEC 15408-3 Information technology – Security techniques – IT security evaluation criteria – Part 3: Security elements.
Sources used:
ISO/IEC 30111:2019 Information technology – Security techniques – Vulnerability handling processes
ISO/IEC 29147:2018 Information technology – Security techniques – Vulnerability disclosure