Can BigFix be used for ISO 27001 compliance?

One of my customers asked if bigfix can show vulnerabilities for ISO 27001.
Is there any bigfix checklist for this purpose?


To the best of my knowledge, ISO 27001 does not maintain a list of vulnerabilities. However, BigFix is ideal for demonstrating compliance for a process of identifying them and assessing their impact in your company. Clearly you can use BigFix to accomplish the following using little effort or FTE hours. BigFix Compliance makes all of this even easier.

Basically, ISO 27001 control A.12.6.1 locks onto three targets:

Timely identification of vulnerabilities. The sooner you discover a vulnerability, the more time you will have to correct it, or at least to warn the manufacturer about the situation, decreasing the opportunity window a potential attacker may have.

Assessment of organization’s exposure to a vulnerability. Not all organizations are affected the same way by a certain vulnerability, or set of vulnerabilities. You have to do a risk assessment to identify and prioritize those vulnerabilities that are more critical to your assets and business.

Proper measures considering the associated risks. Once you have identified the most critical vulnerabilities, you need to think about the actions and allocation of the resources you have to deal with them – that’s your risk treatment plan. The most prudent form is by considering the risk level associated with them.

ISO 27002 supporting orientations for vulnerability management

As supporting actions to achieve these targets, ISO 27002, which provides best practices to consider while implementing security controls like A.12.6.1, suggests:

Make an asset inventory. Effective vulnerability management depends on your knowledge of relevant information about your information assets, like software manufacturer, software version, where the software is installed, and who is responsible for each piece of software.

Define responsibilities. Vulnerability management requires many different activities to be done (e.g., monitoring, risk assessment, correction, etc.), so it is convenient to clearly define who is doing what to ensure suitable tracking of assets.

Define reference sources. Manufacturer sites, specialized forums, and special interest groups should be in your list of sources of information to be consulted about news related to vulnerabilities and correction measures. For more information about the role of special interest groups in an ISMS, please see the article Special interest groups: A useful resource to support your ISMS.

Deal with vulnerabilities through defined procedures. Independent of the urgency to deal with a vulnerability, it is important to treat it in a structured manner. Change management or incident response procedures should be considered to treat vulnerabilities, because they can guide you on what to do considering prioritization, time response, response escalation, etc.

Make records for post-event analysis (and do the analysis). Maintaining incident records of what happened and what procedures were done is vital to learn from the incident and prevent further events, or at least to minimize their impacts, as well as to improve the vulnerability management process itself. In addition, be sure to conduct periodic evaluations, so you can implement improvements, or make corrections, as soon as possible.
