ISO/IEC 29147

ISO/IEC 29147 is an international standard that provides guidelines for vulnerability disclosure processes. It sets out recommendations for how external reporters and organizations should inform vendors of potential vulnerabilities in their products, and for how vendors should receive, process and manage those disclosures.

Definition and purpose

The purpose of ISO/IEC 29147 is to establish a clear protocol for responsible vulnerability disclosure. It aims to ensure that when security vulnerabilities are found, they are addressed in a systematic and standardized manner, minimizing potential harm and maximizing the effectiveness of the remediation process.

Governing body

The standard is developed and maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Last updated

ISO/IEC 29147 was initially published in 2014. That first edition was withdrawn and replaced by an updated edition, ISO/IEC 29147:2018, in 2018.

Applies to

ISO/IEC 29147 applies to all types of organizations, regardless of their size or the nature of their business. It is particularly relevant to software developers, cybersecurity professionals, IT departments, and any organization that develops or uses software and IT products.

Controls and requirements

ISO/IEC 29147 includes guidelines on several key aspects of the vulnerability disclosure process, such as:

  • Receiving and Handling Vulnerability Reports: Processes for how organizations should receive and handle reports of vulnerabilities.
  • Information Disclosure: Guidelines on when and how information about vulnerabilities should be disclosed to the public.
  • Feedback and Communication: Ensuring effective communication with the individual or entity reporting the vulnerability.
  • Confidentiality Aspects: Maintaining confidentiality of the information related to vulnerabilities.
  • Disclosure Timing: Timelines for acknowledging, investigating, and disclosing vulnerabilities.

Please refer to the official ISO/IEC 29147:2018 documentation for details on controls and requirements.

Audit type, frequency, and duration

Audits typically involve reviewing an organization's vulnerability disclosure processes and policies to ensure compliance with ISO/IEC 29147. The frequency of audits may vary depending on the organization's size, complexity, and the nature of its IT infrastructure. It may also be influenced by the frequency of vulnerability discoveries.

The duration of an audit depends on the organization's size, the complexity of its IT infrastructure, and the scope of the audit.