Information technology - Security techniques - Vulnerability handling processes (ISO/IEC 30111:2019)

This document provides requirements and recommendations for how to process and remediate reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.

Informationstechnik - IT-Sicherheitsverfahren - Prozesse für die Behandlung von Schwachstellen (ISO/IEC 30111:2019)

Technologies de l'information - Techniques de sécurité - Processus de traitement de la vulnérabilité (ISO/IEC 30111:2019)

Informacijska tehnologija - Varnostne tehnike - Procesi ravnanja z ranljivostjo (ISO/IEC 30111:2019)

General Information

Status
Published
Public Enquiry End Date
31-Mar-2020
Publication Date
28-Jul-2020
Technical Committee
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
18-Jun-2020
Due Date
23-Aug-2020
Completion Date
29-Jul-2020

Buy Standard

Standard
EN ISO/IEC 30111:2020
English language
21 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day
Draft
prEN ISO/IEC 30111:2020
English language
18 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
SIST EN ISO/IEC 30111:2020
01-september-2020
Informacijska tehnologija - Varnostne tehnike - Procesi ravnanja z ranljivostjo
(ISO/IEC 30111:2019)
Information technology - Security techniques - Vulnerability handling processes (ISO/IEC
30111:2019)
Informationstechnik - IT-Sicherheitsverfahren - Prozesse für die Behandlung von
Schwachstellen (ISO/IEC 30111:2019)
Technologies de l'information - Techniques de sécurité - Processus de traitement de la
vulnérabilité (ISO/IEC 30111:2019)
Ta slovenski standard je istoveten z: EN ISO/IEC 30111:2020
ICS:
35.030 Informacijska varnost IT Security
SIST EN ISO/IEC 30111:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
SIST EN ISO/IEC 30111:2020

---------------------- Page: 2 ----------------------
SIST EN ISO/IEC 30111:2020


EUROPEAN STANDARD
EN ISO/IEC 30111

NORME EUROPÉENNE

EUROPÄISCHE NORM
May 2020
ICS 35.030

English version

Information technology - Security techniques -
Vulnerability handling processes (ISO/IEC 30111:2019)
Technologies de l'information - Techniques de sécurité Informationstechnik - IT-Sicherheitsverfahren -
- Processus de traitement de la vulnérabilité (ISO/IEC Prozesse für die Behandlung von Schwachstellen
30111:2019) (ISO/IEC 30111:2019)
This European Standard was approved by CEN on 3 May 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.






















CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 30111:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.

---------------------- Page: 3 ----------------------
SIST EN ISO/IEC 30111:2020
EN ISO/IEC 30111:2020 (E)
Contents Page
European foreword . 3

2

---------------------- Page: 4 ----------------------
SIST EN ISO/IEC 30111:2020
EN ISO/IEC 30111:2020 (E)
European foreword
The text of ISO/IEC 30111:2019 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
EN ISO/IEC 30111:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and Data Protection”
the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by November 2020, and conflicting national standards
shall be withdrawn at the latest by November 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 30111:2019 has been approved by CEN as EN ISO/IEC 30111:2020 without any
modification.

3

---------------------- Page: 5 ----------------------
SIST EN ISO/IEC 30111:2020

---------------------- Page: 6 ----------------------
SIST EN ISO/IEC 30111:2020
INTERNATIONAL ISO/IEC
STANDARD 30111
Second edition
2019-10
Information technology — Security
techniques — Vulnerability handling
processes
Technologies de l'information — Techniques de sécurité — Processus
de traitement de la vulnérabilité
Reference number
ISO/IEC 30111:2019(E)
©
ISO/IEC 2019

---------------------- Page: 7 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 8 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 1
5 Relationships to other International Standards. 1
5.1 ISO/IEC 29147 . 1
5.2 ISO/IEC 27034 (all parts) . 2
5.3 ISO/IEC 27036-3 . 2
5.4 ISO/IEC 15408-3 . 3
6 Policy and organizational framework . 3
6.1 General . 3
6.2 Leadership . 3
6.2.1 Leadership and commitment . 3
6.2.2 Policy . 3
6.2.3 Organizational roles, responsibilities, and authorities . 4
6.3 Vulnerability handling policy development . 4
6.4 Organizational framework development . 4
6.5 Vendor CSIRT or PSIRT . 5
6.5.1 General. 5
6.5.2 PSIRT mission . 5
6.5.3 PSIRT responsibilities . 5
6.5.4 Staff capabilities . 6
6.6 Responsibilities of the product business division . 6
6.7 Responsibilities of customer support and public relations. 7
6.8 Legal consultation . 7
7 Vulnerability handling process . 7
7.1 Vulnerability handling phases . 7
7.1.1 General. 7
7.1.2 Preparation . 8
7.1.3 Receipt . 8
7.1.4 Verification . 9
7.1.5 Remediation development .10
7.1.6 Release .10
7.1.7 Post-release .10
7.2 Process monitoring .11
7.3 Confidentiality of vulnerability information .11
8 Supply chain considerations .11
Bibliography .13
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 9 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents) or the IEC
list of patent declarations received (see http: //patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This second edition cancels and replaces the first edition (ISO/IEC 30111:2013), which has been
technically revised. The main changes compared to the previous edition are as follows:
— a number of normative provisions have been revised or added (summarized in Annex A);
— organizational and editorial changes have been made for clarity and harmonization with
ISO/IEC 29147:2018.
This document is intended to be used with ISO/IEC 29147.
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 10 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Introduction
This document describes processes for vendors to handle reports of potential vulnerabilities in
products and services.
The audience for this document includes developers, vendors, evaluators, and users of information
technology products and services. The following audiences can use this document:
— developers and vendors, when responding to actual or potential vulnerability reports;
— evaluators, when assessing the security assurance afforded by vendors’ and developers’ vulnerability
handling processes; and
— users, to express procurement requirements to developers, vendors and integrators.
This document is integrated with ISO/IEC 29147 at the point of receiving potential vulnerability reports
and at the point of distributing vulnerability remediation information (see 5.1).
Relationships to other standards are noted in Clause 5.
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 11 ----------------------
SIST EN ISO/IEC 30111:2020

---------------------- Page: 12 ----------------------
SIST EN ISO/IEC 30111:2020
INTERNATIONAL STANDARD ISO/IEC 30111:2019(E)
Information technology — Security techniques —
Vulnerability handling processes
1 Scope
This document provides requirements and recommendations for how to process and remediate
reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 29147:2018, Information technology — Security techniques — Vulnerability disclosure
3 Terms and definitions
For the purposes of this document, terms and definitions given in ISO/IEC 27000 and ISO/IEC 29147 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
4 Abbreviated terms
The following abbreviated terms are used in this document.
CSIRT Computer Security Incident Response Team
PSIRT Product Security Incident Response Team
5 Relationships to other International Standards
5.1 ISO/IEC 29147
ISO/IEC 29147 shall be used in conjunction with this document. The relationship between the two is
illustrated in Figure 1.
This document provides guidelines for vendors on how to process and remediate potential vulnerability
information reported by internal or external individuals or organizations.
ISO/IEC 29147 provides guidelines for vendors to include in their normal business processes when
receiving reports about potential vulnerabilities from external individuals or organizations and when
distributing vulnerability remediation information to affected users.
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 13 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

While this document deals with the investigation, triage, and remediation of internally or externally
reported vulnerabilities, ISO/IEC 29147 deals with the interface between vendors and those who find
and report potential vulnerabilities.
Figure 1 — Relationship between ISO/IEC 29147 and ISO/IEC 30111
5.2 ISO/IEC 27034 (all parts)
Application security seeks to reduce the creation of application vulnerabilities (see ISO/IEC 27034-1:2011,
[1]
6.5.2 ). Application security techniques can also be useful for remediating reported vulnerabilities.
5.3 ISO/IEC 27036-3
Effective vulnerability handling processes require thorough understanding of ICT supply chain security
[2]
as described in ISO/IEC 27036-3:2013, 5.4 a), 5.8 i), 6.1.1 a) 2) and 6.3.4 .
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 14 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

5.4 ISO/IEC 15408-3
[3]
This document takes into consideration the relevant elements of ISO/IEC 15408-3:2008, 13.5 .
6 Policy and organizational framework
6.1 General
Clause 6 describes the organizational elements that vendors should consider in their vulnerability
handling processes. Vendors should create a vulnerability handling process in accordance with this
document in order to prepare for investigating and remediating potential vulnerabilities. The creation
of a vulnerability handling process is a task that is performed by a vendor and should be periodically
assessed to ensure that the process performs as expected and to support process improvements.
Vendors should document their vulnerability handling processes in order to ensure that they are
repeatable. The documentation should describe the procedures and methods used to track all reported
vulnerabilities.
[1]
See ISO/IEC 27034 (all parts) for information on how identification of the root cause of a vulnerability,
which is a step in the process of vulnerability handling, can help improve secure software development
lifecycles and result in an outcome of more secure product development.
6.2 Leadership
6.2.1 Leadership and commitment
Top management should demonstrate leadership and commitment with respect to vulnerability
handling by:
a) ensuring the policy and the objectives of vulnerability handling are established and are compatible
with the strategic direction of the organization;
b) ensuring the integration of the vulnerability handling into the organization’s processes;
c) ensuring that the resources needed for the vulnerability handling are available;
d) communicating the importance of effective vulnerability handling;
e) ensuring that the vulnerability handling process achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the vulnerability handling
process;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
6.2.2 Policy
Top management should establish vulnerability handling policy that:
a) is appropriate to the purpose of the organization;
b) includes a best-effort commitment to satisfy user’s requirements related to its product or online
service security; and
c) includes a commitment to continual improvement of the vulnerability handling process.
More information about vulnerability handling policy is provided in 6.3.
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 15 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

6.2.3 Organizational roles, responsibilities, and authorities
Top management should ensure that the responsibilities and authorities for roles relevant to
vulnerability handling are assigned and communicated.
Top management should assign the responsibility and authority for:
a) ensuring that the vulnerability handling process conforms to the requirements of this document; and
b) reporting on the performance of the vulnerability handling to top management.
6.3 Vulnerability handling policy development
A vendor shall develop and maintain an internal vulnerability handling policy to define and clarify
its intentions for investigating and remediating vulnerabilities as part of a vulnerability handling
process. This policy should be compatible with the external vulnerability disclosure policy required by
ISO/IEC 29147.
The internal vulnerability handling the policy is intended for the vendor’s staff and defines who is
responsible in each stage of the vulnerability handling process and how they should handle reports
about potential vulnerabilities. It should include the following items:
a) basic guidance, principles, and responsibilities for handling potential vulnerabilities in products or
services;
b) a list of departments and roles responsible for handling potential vulnerabilities;
c) safeguards to prevent premature disclosure of information about potential vulnerabilities before
they are fixed; and
d) a target schedule for remediation development.
The audience for the external vulnerability disclosure policy is internal and external stakeholders,
including reporters who wish to report potential vulnerabilities, and users of the vendor’s products
or services. This policy informs the audience of how the vendor is willing to interact with them when a
potential vulnerability is found in the vendor’s product or services. Guidance, details and examples of
public vulnerability disclosure policies are included in ISO/IEC 29147:2018, Clause 9 and Annex A.
6.4 Organizational framework development
Handling vulnerabilities has several additional aspects than just engineering and technology (for
example, customer service and public relations). An organizational framework should be designed,
recognized, and supported by the stakeholder divisions of the vendor responsible for each area.
An organization should have a role or capability that is responsible for and has authority to make
decisions on vulnerability handling, preferably at a management level. This role or capability should
understand the responsibility toward the vendor’s users, the internal processes, and the organizational
framework for vulnerability handling.
An organization should have a role or capability that is a point of contact for handling potential
vulnerabilities. This point of contact should be identified for each division or department within a
vendor that provides products or services to customers.
An organization should establish a point of contact for external parties to reach and communicate with
about vulnerabilities. The point of contact can be part of a vendor computer security incident response
team (CSIRT) or a product security incident response team (PSIRT). Further details are discussed in 6.5.
Since customers and members of the media can contact the vendor with questions or requests for
additional information after a vulnerability is disclosed, divisions responsible for customer and public
relations should be prepared so that they can respond.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 16 ----------------------
SIST EN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

6.5 Vendor CSIRT or PSIRT
6.5.1 General
Subclause 6.5 describes the organizational role and responsibilities of a CSIRT or PSIRT. For clarity,
PSIRT will be used to refer to this role throughout the rest of this document. A PSIRT is responsible for
coordinating external vulnerability reports. In some cases, a PSIRT also coordinates the handling of
vulnerabilities that were reported by internal teams within the vendor.
6.5.2 PSIRT mission
A PSIRT plays a central role in a vendor’s vulnerability handling processes. In addition to coordinating
vulnerability handling internally, the PSIRT acts as a single point of contact for external stakeholders
such as vulnerability reporters, coordinators, and other vendors.
Vendors should include all of their products and services in their vulnerability disclosure and
vulnerability handling processes. A PSIRT should be implemented centrally within a vendor. However,
a PSIRT may be implemented within a business unit, as long as all products and services are covered by
the vendor’s vulnerability handling processes.
6.5.3 PSIRT responsibilities
6.5.3.1 General
Subclause 6.5.3 describes the responsibilities of vulnerability response teams. This is an unordered list.
[4]
Example PSIRT services and functions can be found in the FIRST PSIRT Services Framework .
6.5.3.2 Public vulnerability monitoring
A PSIRT should monitor known public sources of vulnerability information for disclosures or discussion
that affect the vendor’s products or services. Sources can include mailing lists, social media, discussion
forums, or vulnerability databases.
6.5.3.3 Communication with external reporters
A PSIRT should develop a single entry-point for receiving potential vulnerability reports from reporters
or coordinators, typically either an e-mail address or a form on a web page.
A PSIRT is responsible for maintaining communication with reporters. It is important to understand
the interests and motivations of reporters and to communicate in a timely manner.
A PSIRT may choose to handle security vulnerabilities from customers with a valid support contract
through their customer support division rather than receiving them directly. In that case, appropriate
processes and training should be provided to the customer support division. The customer support
division should partner closely with the PSIRT to ensure that the vulnerability is appropriately handled
and responded to.
For more information about communication with external vulnerability reporter
...

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 30111:2020
01-marec-2020
Informacijska tehnologija - Varnostne tehnike - Procesi ravnanja z ranljivostjo
(ISO/IEC 30111:2019)
Information technology - Security techniques - Vulnerability handling processes (ISO/IEC
30111:2019)
Informationstechnik - IT-Sicherheitsverfahren - Prozesse für die Behandlung von
Schwachstellen (ISO/IEC 30111:2019)
Technologies de l'information - Techniques de sécurité - Processus de traitement de la
vulnérabilité (ISO/IEC 30111:2019)
Ta slovenski standard je istoveten z: prEN ISO/IEC 30111
ICS:
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 30111:2020 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 30111:2020

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 30111:2020
INTERNATIONAL ISO/IEC
STANDARD 30111
Second edition
2019-10
Information technology — Security
techniques — Vulnerability handling
processes
Technologies de l'information — Techniques de sécurité — Processus
de traitement de la vulnérabilité
Reference number
ISO/IEC 30111:2019(E)
©
ISO/IEC 2019

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2019
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2019 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 1
5 Relationships to other International Standards. 1
5.1 ISO/IEC 29147 . 1
5.2 ISO/IEC 27034 (all parts) . 2
5.3 ISO/IEC 27036-3 . 2
5.4 ISO/IEC 15408-3 . 3
6 Policy and organizational framework . 3
6.1 General . 3
6.2 Leadership . 3
6.2.1 Leadership and commitment . 3
6.2.2 Policy . 3
6.2.3 Organizational roles, responsibilities, and authorities . 4
6.3 Vulnerability handling policy development . 4
6.4 Organizational framework development . 4
6.5 Vendor CSIRT or PSIRT . 5
6.5.1 General. 5
6.5.2 PSIRT mission . 5
6.5.3 PSIRT responsibilities . 5
6.5.4 Staff capabilities . 6
6.6 Responsibilities of the product business division . 6
6.7 Responsibilities of customer support and public relations. 7
6.8 Legal consultation . 7
7 Vulnerability handling process . 7
7.1 Vulnerability handling phases . 7
7.1.1 General. 7
7.1.2 Preparation . 8
7.1.3 Receipt . 8
7.1.4 Verification . 9
7.1.5 Remediation development .10
7.1.6 Release .10
7.1.7 Post-release .10
7.2 Process monitoring .11
7.3 Confidentiality of vulnerability information .11
8 Supply chain considerations .11
Bibliography .13
© ISO/IEC 2019 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that
are members of ISO or IEC participate in the development of International Standards through
technical committees established by the respective organization to deal with particular fields of
technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other
international organizations, governmental and non-governmental, in liaison with ISO and IEC, also
take part in the work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents) or the IEC
list of patent declarations received (see http: //patents .iec .ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
This second edition cancels and replaces the first edition (ISO/IEC 30111:2013), which has been
technically revised. The main changes compared to the previous edition are as follows:
— a number of normative provisions have been revised or added (summarized in Annex A);
— organizational and editorial changes have been made for clarity and harmonization with
ISO/IEC 29147:2018.
This document is intended to be used with ISO/IEC 29147.
iv © ISO/IEC 2019 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

Introduction
This document describes processes for vendors to handle reports of potential vulnerabilities in
products and services.
The audience for this document includes developers, vendors, evaluators, and users of information
technology products and services. The following audiences can use this document:
— developers and vendors, when responding to actual or potential vulnerability reports;
— evaluators, when assessing the security assurance afforded by vendors’ and developers’ vulnerability
handling processes; and
— users, to express procurement requirements to developers, vendors and integrators.
This document is integrated with ISO/IEC 29147 at the point of receiving potential vulnerability reports
and at the point of distributing vulnerability remediation information (see 5.1).
Relationships to other standards are noted in Clause 5.
© ISO/IEC 2019 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 30111:2020

---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 30111:2020
INTERNATIONAL STANDARD ISO/IEC 30111:2019(E)
Information technology — Security techniques —
Vulnerability handling processes
1 Scope
This document provides requirements and recommendations for how to process and remediate
reported potential vulnerabilities in a product or service.
This document is applicable to vendors involved in handling vulnerabilities.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
ISO/IEC 29147:2018, Information technology — Security techniques — Vulnerability disclosure
3 Terms and definitions
For the purposes of this document, terms and definitions given in ISO/IEC 27000 and ISO/IEC 29147 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
4 Abbreviated terms
The following abbreviated terms are used in this document.
CSIRT Computer Security Incident Response Team
PSIRT Product Security Incident Response Team
5 Relationships to other International Standards
5.1 ISO/IEC 29147
ISO/IEC 29147 shall be used in conjunction with this document. The relationship between the two is
illustrated in Figure 1.
This document provides guidelines for vendors on how to process and remediate potential vulnerability
information reported by internal or external individuals or organizations.
ISO/IEC 29147 provides guidelines for vendors to include in their normal business processes when
receiving reports about potential vulnerabilities from external individuals or organizations and when
distributing vulnerability remediation information to affected users.
© ISO/IEC 2019 – All rights reserved 1

---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

While this document deals with the investigation, triage, and remediation of internally or externally
reported vulnerabilities, ISO/IEC 29147 deals with the interface between vendors and those who find
and report potential vulnerabilities.
Figure 1 — Relationship between ISO/IEC 29147 and ISO/IEC 30111
5.2 ISO/IEC 27034 (all parts)
Application security seeks to reduce the creation of application vulnerabilities (see ISO/IEC 27034-1:2011,
[1]
6.5.2 ). Application security techniques can also be useful for remediating reported vulnerabilities.
5.3 ISO/IEC 27036-3
Effective vulnerability handling processes require thorough understanding of ICT supply chain security
[2]
as described in ISO/IEC 27036-3:2013, 5.4 a), 5.8 i), 6.1.1 a) 2) and 6.3.4 .
2 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

5.4 ISO/IEC 15408-3
[3]
This document takes into consideration the relevant elements of ISO/IEC 15408-3:2008, 13.5 .
6 Policy and organizational framework
6.1 General
Clause 6 describes the organizational elements that vendors should consider in their vulnerability
handling processes. Vendors should create a vulnerability handling process in accordance with this
document in order to prepare for investigating and remediating potential vulnerabilities. The creation
of a vulnerability handling process is a task that is performed by a vendor and should be periodically
assessed to ensure that the process performs as expected and to support process improvements.
Vendors should document their vulnerability handling processes in order to ensure that they are
repeatable. The documentation should describe the procedures and methods used to track all reported
vulnerabilities.
[1]
See ISO/IEC 27034 (all parts) for information on how identification of the root cause of a vulnerability,
which is a step in the process of vulnerability handling, can help improve secure software development
lifecycles and result in an outcome of more secure product development.
6.2 Leadership
6.2.1 Leadership and commitment
Top management should demonstrate leadership and commitment with respect to vulnerability
handling by:
a) ensuring the policy and the objectives of vulnerability handling are established and are compatible
with the strategic direction of the organization;
b) ensuring the integration of the vulnerability handling into the organization’s processes;
c) ensuring that the resources needed for the vulnerability handling are available;
d) communicating the importance of effective vulnerability handling;
e) ensuring that the vulnerability handling process achieves its intended outcome(s);
f) directing and supporting persons to contribute to the effectiveness of the vulnerability handling
process;
g) promoting continual improvement; and
h) supporting other relevant management roles to demonstrate their leadership as it applies to their
areas of responsibility.
6.2.2 Policy
Top management should establish vulnerability handling policy that:
a) is appropriate to the purpose of the organization;
b) includes a best-effort commitment to satisfy user’s requirements related to its product or online
service security; and
c) includes a commitment to continual improvement of the vulnerability handling process.
More information about vulnerability handling policy is provided in 6.3.
© ISO/IEC 2019 – All rights reserved 3

---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

6.2.3 Organizational roles, responsibilities, and authorities
Top management should ensure that the responsibilities and authorities for roles relevant to
vulnerability handling are assigned and communicated.
Top management should assign the responsibility and authority for:
a) ensuring that the vulnerability handling process conforms to the requirements of this document; and
b) reporting on the performance of the vulnerability handling to top management.
6.3 Vulnerability handling policy development
A vendor shall develop and maintain an internal vulnerability handling policy to define and clarify
its intentions for investigating and remediating vulnerabilities as part of a vulnerability handling
process. This policy should be compatible with the external vulnerability disclosure policy required by
ISO/IEC 29147.
The internal vulnerability handling the policy is intended for the vendor’s staff and defines who is
responsible in each stage of the vulnerability handling process and how they should handle reports
about potential vulnerabilities. It should include the following items:
a) basic guidance, principles, and responsibilities for handling potential vulnerabilities in products or
services;
b) a list of departments and roles responsible for handling potential vulnerabilities;
c) safeguards to prevent premature disclosure of information about potential vulnerabilities before
they are fixed; and
d) a target schedule for remediation development.
The audience for the external vulnerability disclosure policy is internal and external stakeholders,
including reporters who wish to report potential vulnerabilities, and users of the vendor’s products
or services. This policy informs the audience of how the vendor is willing to interact with them when a
potential vulnerability is found in the vendor’s product or services. Guidance, details and examples of
public vulnerability disclosure policies are included in ISO/IEC 29147:2018, Clause 9 and Annex A.
6.4 Organizational framework development
Handling vulnerabilities has several additional aspects than just engineering and technology (for
example, customer service and public relations). An organizational framework should be designed,
recognized, and supported by the stakeholder divisions of the vendor responsible for each area.
An organization should have a role or capability that is responsible for and has authority to make
decisions on vulnerability handling, preferably at a management level. This role or capability should
understand the responsibility toward the vendor’s users, the internal processes, and the organizational
framework for vulnerability handling.
An organization should have a role or capability that is a point of contact for handling potential
vulnerabilities. This point of contact should be identified for each division or department within a
vendor that provides products or services to customers.
An organization should establish a point of contact for external parties to reach and communicate with
about vulnerabilities. The point of contact can be part of a vendor computer security incident response
team (CSIRT) or a product security incident response team (PSIRT). Further details are discussed in 6.5.
Since customers and members of the media can contact the vendor with questions or requests for
additional information after a vulnerability is disclosed, divisions responsible for customer and public
relations should be prepared so that they can respond.
4 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

6.5 Vendor CSIRT or PSIRT
6.5.1 General
Subclause 6.5 describes the organizational role and responsibilities of a CSIRT or PSIRT. For clarity,
PSIRT will be used to refer to this role throughout the rest of this document. A PSIRT is responsible for
coordinating external vulnerability reports. In some cases, a PSIRT also coordinates the handling of
vulnerabilities that were reported by internal teams within the vendor.
6.5.2 PSIRT mission
A PSIRT plays a central role in a vendor’s vulnerability handling processes. In addition to coordinating
vulnerability handling internally, the PSIRT acts as a single point of contact for external stakeholders
such as vulnerability reporters, coordinators, and other vendors.
Vendors should include all of their products and services in their vulnerability disclosure and
vulnerability handling processes. A PSIRT should be implemented centrally within a vendor. However,
a PSIRT may be implemented within a business unit, as long as all products and services are covered by
the vendor’s vulnerability handling processes.
6.5.3 PSIRT responsibilities
6.5.3.1 General
Subclause 6.5.3 describes the responsibilities of vulnerability response teams. This is an unordered list.
[4]
Example PSIRT services and functions can be found in the FIRST PSIRT Services Framework .
6.5.3.2 Public vulnerability monitoring
A PSIRT should monitor known public sources of vulnerability information for disclosures or discussion
that affect the vendor’s products or services. Sources can include mailing lists, social media, discussion
forums, or vulnerability databases.
6.5.3.3 Communication with external reporters
A PSIRT should develop a single entry-point for receiving potential vulnerability reports from reporters
or coordinators, typically either an e-mail address or a form on a web page.
A PSIRT is responsible for maintaining communication with reporters. It is important to understand
the interests and motivations of reporters and to communicate in a timely manner.
A PSIRT may choose to handle security vulnerabilities from customers with a valid support contract
through their customer support division rather than receiving them directly. In that case, appropriate
processes and training should be provided to the customer support division. The customer support
division should partner closely with the PSIRT to ensure that the vulnerability is appropriately handled
and responded to.
For more information about communication with external vulnerability reporters, see
ISO/IEC 29147:2018, 5.5.4 and Clause 6.
6.5.3.4 Communication within vendor organization
A PSIRT should work with product and services divisions to build a database of contacts for each
product. When a potential vulnerability is reported, the PSIRT should identify the responsible product
business division to dispatch the report to them through the contact person. The information should be
shared confidentially on a need-to-know basis.
© ISO/IEC 2019 – All rights reserved 5

---------------------- Page: 13 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

6.5.3.5 Communication with coordinators or other vendors
Where appropriate, a PSIRT should make arrangements for sharing vulnerability reports with
coordinators or other vendors. They should be conscious of the vulnerability handling policy of the
other party.
For more information, see ISO/IEC 29147:2018, 5.5.5 and Clause 8.
6.5.3.6 Timing of public vulnerability disclosure
A PSIRT should choose an appropriate date for each public vulnerability disclosure and prepare the
advisory with the assistance of the product business division and other major stakeholders, such as
legal, public relations, and external coordinators if applicable. The vulnerability disclosure should align
to when the remediation is available so that users can take the necessary action.
For more information, see ISO/IEC 29147:2018, 5.6.8 and 7.3.
6.5.3.7 Internal vulnerability assessment
A PSIRT may test or coordinate testing of the vendor’s own products or services for vulnerabilities
and other security issues. Any vulnerabilities that are identified should be handled according to the
vendor’s vulnerability handling processes.
6.5.3.8 Inventory and supply chain tracking
A PSIRT should track the vulnerabilities found in all components used in the development of the
vendor’s products and services, including components from other business units or external suppliers.
Vulnerabilities in third-party and shared components can affect the vendor’s products and services.
Vendors should require software component inventory information from their suppliers. Such
[5]
information can be provided as Software identification (SWID) tags defined by ISO/IEC 19770-2 .
For more information, see ISO/IEC 29147:2018, 5.4.6 and 6.4.
6.5.4 Staff capabilities
The staff of a PSIRT should:
a) be able to understand the nature of reported potential vulnerabilities and coordinate with
appropriate parties;
b) understand the confidentiality of vulnerability related information and be well-versed in handling
such information in order not to leak the vulnerability details before remediation development;
c) notify an appropriate product business division to take actions necessary for vulnerability handling
when appropriate.
6.6 Responsibilities of the product business division
A product business division provides customers with products or services that have been developed by
the vendor or implemented and/or commercialized with other vendor’s products or services. They are
an entity responsible for a core part of handling process of vulnerabilities that affect their products or
services.
When potential vulnerabilities are reported to a product business division by the PSIRT, the product
business division should work with the PSIRT to develop remediations. Business divisions should have
a means to escalate an issue to a PSIRT, if an issue is determined to be a vulnerability.
Product security contacts within business divisions should initiate the vulnerability handling process
when they receive notification of potential security vulnerabilities in products or services. This process
6 © ISO/IEC 2019 – All rights reserved

---------------------- Page: 14 ----------------------
oSIST prEN ISO/IEC 30111:2020
ISO/IEC 30111:2019(E)

should include notification of the PSIRT so that any necessary response actions are conducted as per
the vendor’s vulnerability response policies.
6.7 Responsibilities
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.