What is ISO 27002?

The ISO 27002 standard is a collection of information security guidelines intended to help an organization implement, maintain, and improve its information security management. ISO 27002 provides hundreds of potential controls and control mechanisms that are designed to be implemented with the guidance provided in ISO 27001.
Many organizations use ISO 27001 and 27002 together as a framework for demonstrating compliance with regulations. As such, organizations rely on various products to manage their compliance with the standard.

IoT device security controls by the ISO 27002 standard

The standard includes the following two general control categories:

  • 8.1.1 Inventory of assets: Assets associated with information and information processing facilities should be identified, and an inventory of these assets should be drawn up and maintained. The control clearly states that “the asset inventory should be accurate, up to date, consistent and aligned with other inventories.”
  • 12.6.1 Management of technical vulnerabilities: Information about technical vulnerabilities of information systems being used must be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
The standard clearly states that “A current and complete inventory of assets (mentioned in Clause 8) is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software.”

Challenges with the current asset and vulnerability management tools

Enterprise networks contain many IoT device assets that are associated with information and information processing facilities, such as surveillance cameras, switches, IP phones, video conferencing systems, etc., which according to the standard must be accurately inventoried and whose vulnerabilities must be obtained and managed in a timely fashion. The accurate way to do this for IoT devices is to correctly identify the manufacturer, model and firmware version, and then to map CVEs to the vulnerable firmware versions installed on the devices. This also makes it possible to detect outdated or discontinued assets. However, the widely used asset and vulnerability management solutions have very limited coverage for IoT devices: only a small number of IoT devices can be identified at the granularity of the firmware version by those solutions, and without the firmware version the vulnerabilities of a device cannot be identified correctly. They also provide no information about outdated devices or devices that have reached end-of-life.
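As an added example (not Firmalyzer's or the standard's code) of the inventory fields that 12.6.1 calls for and of why firmware-version granularity matters, the Python below matches constructed advisories against constructed asset records; the vendor names, models, owners and CVE ids are placeholders, not real products or CVEs.

```python
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    # "2.10.1" -> (2, 10, 1): numeric comparison, so "2.10" sorts after "2.9"
    return tuple(int(p) for p in v.split("."))


@dataclass
class Asset:
    host: str                  # current IP; identity is vendor/model, not the address
    vendor: str                # manufacturer (8.1.1 / 12.6.1: software vendor)
    model: str
    firmware: Optional[str]    # None when the scanner could not identify the version
    owner: str                 # person responsible for the software (12.6.1)
    eol: bool = False          # manufacturer has discontinued the device


@dataclass
class Advisory:
    cve: str        # constructed placeholder id, not a real CVE
    vendor: str
    model: str
    fixed_in: str   # first firmware version that is no longer affected


# Constructed sample knowledge base
ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleCam", "EC-200", "2.10.0"),
    Advisory("CVE-0000-0002", "ExampleCam", "EC-200", "3.0.0"),
    Advisory("CVE-0000-0003", "ExamplePhone", "EP-10", "1.4.2"),
]


def assess(asset: Asset, advisories=ADVISORIES) -> dict:
    """Return the CVEs the asset is exposed to, or flag why it cannot be assessed."""
    if asset.firmware is None:
        # A vendor/model match alone would over- or under-report; report the gap
        # so the inventory (8.1.1) gets fixed before vulnerabilities are judged.
        return {"status": "unknown_firmware", "cves": []}
    fw = parse_version(asset.firmware)
    hits = [a.cve for a in advisories
            if a.vendor == asset.vendor and a.model == asset.model
            and fw < parse_version(a.fixed_in)]
    # A discontinued device is reported separately: no fixed_in will ever arrive.
    return {"status": "discontinued" if asset.eol else "assessed", "cves": hits}
```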

How can Firmalyzer help?

Firmalyzer provides an IoT device discovery and vulnerability assessment solution (IoTVAS) that brings in-depth visibility into IoT devices and their vulnerabilities. The solution supports controls 8.1.1 and 12.6.1 by:

  • Detecting the device maker, model and firmware version
  • Accurately detecting device and firmware CVEs
  • Providing in-depth firmware-level vulnerabilities and associated risk scores
  • Detecting discontinued devices
  • Detecting devices with outdated firmware
The solution is offered as SaaS and as an API. The IoTVAS API can be easily integrated with existing network and vulnerability scanning tools.
The IoTVAS vulnerability detection engine is built specifically for enterprise IoT/connected device security and is based on our global-scale proprietary firmware vulnerability knowledgebase, which grows and evolves automatically as our analysis engine collects and processes new device firmware binaries on behalf of device manufacturers and consumers. Through this knowledgebase, our vulnerability detection engine gains in-depth visibility into the applications running on a target IoT/connected device, their vulnerabilities and the associated risks. IoTVAS also continues to track vulnerable devices as they change IP addresses or move around the network.
