May 6

How MDM can help you comply with ISO 27001 Clause 9: Access Control

The great poet Tennyson said, “In the spring, an IT specialist’s fancy turns to thoughts of ISO 27001 Annex 9,” and we couldn’t agree more. As every romantic knows, Annex 9 to the standard covers the joys of access control. If you’re aiming for ISO 27001, you’ll be jumping through 14 access control hoops. Sounds daunting, right? Nope, because your robust Mobile Device Management (MDM) system checks pretty much all the boxes.

Annex 9: Access Control: a super-quick guide

Annex 9 makes sure that only the right people get access to the right stuff at the right time. It sounds simple, but it’s more than clever pa55w0rds. Annex 9 requires you to select and deploy digital and physical controls across locations, networks, infrastructure and user sessions, and to pay attention to access control as your business operates and changes.

Annex 9 focuses on four key areas:

  • Policy: Annex 9.1 requires you to create and review company policy on access control. You’ll be clarifying and documenting formal roles and responsibilities, who needs access to what, and how you manage it.
  • Access: 9.2 requires you to manage and review access, including user provisioning, authorization and restriction; to manage privileged access rights; and to control secret authentication information such as passwords and encryption keys.
  • User responsibilities: 9.3 requires you to help your people follow good access control practices and policy.
  • Unauthorized access prevention: 9.4 and 9.5 require you to take steps to stop the bad guys getting their mitts on your data. You’ll be looking at secure log-ins, information access restriction (such as role-based access), password management, and controlling access to utility systems and source code.

BONUS! If you’re in a supply chain that contracts with the Department of Defense, you’ll need to demonstrate CMMC compliance to the auditors and your prime contractors pretty soon. Don’t panic, because Annex 9 can cover a lot of ground with respect to controlling access to CUI, whether yours is consolidated or dispersed. And guess what? Your MDM will help with this, too!

How your MDM takes on Annex 9

Your MDM is a thing of beauty, a constellation of moving parts and behind-the-scenes deliciousness that monitors, manages and secures your mobile endpoints such as smartphones, laptops and tablets. An MDM is a no-brainer when it comes to remote working. When you open up the MDM hood and take a look underneath, you’ll find a range of services, tools and activities that promote compliance with a whole shedload of Annex 9. Here are just a few examples:

Automated encryption

Take that, 9.4! This section of the annex covers prevention of unauthorized access, and MDM’s automated encryption functionality delivers big time. If a device used for business is lost or stolen, encryption prevents an unauthorized person from accessing sensitive business data. And, just for fun, encryption also supports 9.4.2 as part of a secure log-on procedure.

Remote device management

The beauty of this MDM function is that it hits many of Annex 9’s requirements in one sitting. Here are just some examples:

  • Role-based access control: Configure access and provision your people with only what they need for their role. Restricting access on a need-to-know or need-to-do basis underpins the entire Annex 9 philosophy. Your inner geek will recognize and luxuriate in the principle of least privilege doing its thing.
  • User provisioning: Both zero-touch and conditional access provisioning allow you to onboard new hires with only what they need. MDM security protocols also prevent provisioning from being completed before their identity is authenticated.
  • User deprovisioning: Someone leaving the company? Say “Good luck in your new role” the friendly way by revoking their access rights immediately. Bonus! If a team member disappears on you, your recovery key will help you access the data on their device.
  • Enforcing security protocols: Control access even more tightly by configuring and pushing security protocols, enforcing operating system upgrades, and deploying access permission levels.
  • Policy support: MDM helps you evolve your corporate access control policy, as experience shows what you need to change. It will also leave an audit trail to demonstrate to auditors that you’re putting your policy into practice.

Cloud Single Sign-On

Here at Ignition IT, we serve up a tasty helping of Cloud Single Sign-On (Cloud SSO) with our MDM, and this dynamic duo contributes a whole heap more to Annex 9 compliance. Cloud SSO is a key stage in conditional access onboarding, and also eradicates the risk of weak and insecure passwords. Choose to reinforce your single point of entry with layers of extra security such as multi-factor authentication, and your log-in procedures couldn’t get much more secure.

Delighting ISO 27001’s Annex 9 is only one of an MDM system’s many talents. If you’d like to find out what else an MDM can do for your business, give us a call. We’re always happy to help.