I have a theory about the widespread adoption of the agile methodology: it allows companies to release unfinished products to hit a quicker launch timeline. The beta testing and QC part is left to the customers, and the product is “finished” later through multiple patches. This trend makes the situation more dangerous. Software without bugs and vulnerabilities is a dream; when insufficient testing is added to the pressure to release early, the zero-day situation becomes grave.
There is no need to underline how bad zero-day vulnerabilities are. A stark example is the Log4Shell vulnerability in the Apache Log4j library, which allowed bad actors to exploit any system containing the unpatched library and practically do whatever they wanted. The alarming part is that the developers themselves may be unaware of the flaw, and, as is usually the case, the fallout is severe once bad actors exploit it in an attack. Since software cannot be built without code, there is no guarantee that any type of software will be less vulnerable. Staying updated and maintaining asset inventories is not enough. So, what other ways are available to us to combat such situations?
Enter the Frameworks
What is the similarity between Batman and a CISO? Both can face (almost) any threat with enough prep time. Implementing ISO frameworks is a crucial part of that prep time. ISO frameworks don’t ensure patching, but they do ensure that the security management system is proactive, resilient, and risk-aware. In simpler terms, a framework cannot stop a bullet from being fired, but it does play the part of a Kevlar vest.
Zero-day vulnerabilities are tricky because, by definition, nobody knows about them (or there’s no patch yet). The following are the ISO frameworks that help counter zero-day threats:
ISO/IEC 27001 – Information Security Management System (ISMS)
- Risk management & controls: Organizations must identify and assess risks (including unknown threats) and apply layered security controls.
- Patch & change management: Requires documented processes for monitoring vendor advisories and applying updates quickly.
- Incident response plans: Ensures organizations have playbooks, escalation paths, and trained teams ready to act when a new exploit surfaces.
- Continuous improvement: Requires regular audits and reviews that keep the organization’s defenses up to date.
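As an added example (my own code, not the article’s and not part of any ISO publication), here is a small Python script that performs the patch-management check described above: it compares an asset inventory against vendor advisories and flags every component whose version falls inside an affected range, sorted so the most severe findings come first. The advisory identifiers, hostnames and version bounds are constructed placeholders; the real bounds for any component come from the vendor’s own advisory.

```python
"""
Added example (not from the article): a minimal patch-management triage
that checks an asset inventory against vendor advisories, the kind of
documented process ISO/IEC 27001 expects. Advisory identifiers, hostnames
and version bounds below are constructed placeholders, not real data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple  # comparable tuple produced by parse_version()


def parse_version(text: str) -> Version:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numbers are padded to three components so '2.15' == '2.15.0'.
    A final release gets a trailing 1; a pre-release gets (0, tag, n),
    so every pre-release sorts below the final release of the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))
    if m.group(2):
        return nums + (0, m.group(2), int(m.group(3) or 0))
    return nums + (1,)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id, not a real advisory number
    component: str
    affected_from: str  # inclusive lower bound of the affected range
    fixed_in: str       # exclusive upper bound: this version is safe
    severity: str       # critical / high / medium / low


@dataclass(frozen=True)
class Asset:
    hostname: str
    component: str
    version: str


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True when the asset runs the advisory's component inside the affected range."""
    if asset.component.lower() != adv.component.lower():
        return False
    v = parse_version(asset.version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def triage(inventory: List[Asset], advisories: List[Advisory]) -> List[dict]:
    """Return one finding per (asset, advisory) match, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [
        {"host": a.hostname, "component": a.component, "version": a.version,
         "advisory": adv.advisory_id, "severity": adv.severity,
         "action": f"upgrade {a.component} to >= {adv.fixed_in}"}
        for a in inventory for adv in advisories if is_affected(a, adv)
    ]
    return sorted(findings, key=lambda f: (order[f["severity"]], f["host"]))


# Constructed sample data: placeholder advisories and hosts for the example.
ADVISORIES = [
    Advisory("VENDOR-ADV-0001", "log4j-core", "2.0-beta9", "2.15.0", "critical"),
    Advisory("VENDOR-ADV-0002", "log4j-core", "2.0-beta9", "2.17.1", "high"),
    Advisory("VENDOR-ADV-0003", "examplelib", "1.2", "1.4.2", "medium"),
]
INVENTORY = [
    Asset("app-01.example", "log4j-core", "2.14.1"),
    Asset("app-02.example", "log4j-core", "2.15.0"),
    Asset("app-03.example", "log4j-core", "2.17.1"),
    Asset("db-01.example", "examplelib", "1.4.2"),
    Asset("web-01.example", "examplelib", "1.3"),
]

if __name__ == "__main__":
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:16} {f['component']} {f['version']}"
              f" -> {f['advisory']}: {f['action']}")
```

Two details matter in practice: the upper bound is exclusive, so an asset already on the fixed version is not reported, and pre-release tags are ordered below the matching final release, which is exactly where a naive string comparison goes wrong. Feeding this script the output of a real inventory tool and the vendor’s published ranges turns “monitor advisories and patch quickly” into a repeatable, auditable step.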
ISO/IEC 27002 – Security Controls Guidance
- Provides detailed controls for:
  - Hardening systems (least privilege, segmentation, logging)
  - Secure configuration baselines
  - Malware and vulnerability management
  - Monitoring & detection (SIEM, IDS/IPS)
Good hygiene makes zero-day exploitation harder and reduces the blast radius.
ISO/IEC 30111 & 29147 – Vulnerability handling & disclosure
- Define how to receive, assess, and remediate reported flaws.
- Useful if you build software: they formalize patch pipelines and coordinated disclosure.
ISO/IEC 27035 – Incident Management
- Gives a step-by-step approach for:
  - Preparing response capabilities
  - Detecting and reporting incidents
  - Assessing and responding quickly
  - Post-incident learning
Helps organizations contain and eradicate a zero-day once it’s spotted.
QKS Group Principal Analyst Sujit Dubal suggests a comprehensive approach. “Zero-day vulnerabilities are no longer just a patch management problem; they expose the very limits of reactive security. Exposure Management brings compliance, risk frameworks, and adversarial validation together into a continuous cycle ensuring that even when a patch does not exist, organizations have the governance, visibility, and mobilization needed to contain impact and demonstrate resilience,” Sujit advises.
ISO/IEC 22301 – Business Continuity
- Ensures organizations have backups, redundancy, and recovery plans so operations can continue even if a zero-day causes an outage.
Final word
ISO frameworks don’t combat exploitable bugs and zero-day vulnerabilities by themselves. What they do is give people, processes, and technology enough “prep time” to deal with all types of threats by:
- Hardening systems in advance
- Detecting suspicious behaviour quickly
- Responding, patching, and recovering from the incident in a controlled way