If you’ve decided to hunt down and capture ISO 27001, you’re probably basking in the glory of a major standing ovation for a magnificent display of metaphorical cojones. ISO 27001 is the big momma of data security standards. Attaining it isn’t just a badge of IT honor. It’s proof that your cyber security compliance game is top rank, and it’s your passport to business credibility.
But let’s be honest. ISO 27001 is hard work. It’s a whole-system thing, not just a sketchy lock on your server cupboard door, so it’s good to tattoo on your forehead exactly why you’re doing it. In this article, we’ll look at the ultimate ISO cyber security compliance checklist, but before you jump right into it, you need to consider a few things.
Remember Why You’re Doing It
You’re doing it because your business means business, and you know the importance of data security. Attaining ISO 27001 certification means:
- You’ll discover and fix your data danger areas, potentially saving thousands of dollars in downtime, lost reputation, lost clients, etc.
- You’ll improve your systems and upskill your people.
- You’ll be audit-ready for most other compliance regimes like SOC 2, SEC, and HIPAA.
- Doors to more significant contracts and opportunities will open as if by magic. Your high ISO 27001-flavored data security standards will help with pre-qualifiers and reassure those enterprises with money to spend (on you).
- Sweet, sweet peace of mind. You’re managing risks like a grown-up. You’ve done everything right. You’re probably even filing your tax returns on time.
Here’s a total oversimplification of ISO 27001 and its controls, followed by a cheeky, easy and effective way of locking some of those bad boys down.
What is ISO 27001?
ISO 27001 is the leading international standard that focuses on protecting information. Developed by the International Standards Organization (ISO) and the International Electrotechnical Commission (IEC), it intends to help any organization handle data security systematically. It’s part of a more comprehensive series of standards—the famed ISO/IEC 27000.
The standard is served in two courses:
- The main course, ISO 27001, has 11 sections that give an overview of key areas such as leadership, planning, performance evaluation, and support.
- The dessert, Annex A to ISO 27001 (also known as ISO 27002), contains 14 domains, each grouping a different type of control, and lists the 114 controls themselves. Yup, 114.
The Big Three Aspects of ISO 27001
Overall, ISO 27001 considers three aspects of data security:
- Confidentiality: only authorized people can have access to data.
- Availability: the data must be accessible to authorized people whenever required.
- Integrity: only authorized people can make changes to data.
You’ll address these three aspects by creating and using an Information Security Management System (ISMS). An ISMS sounds complex, but it’s just common sense and gives you a direction of travel. You’ll probably already have parts of an ISMS in place. It asks of you the Who, What, and How of data security in your organization, for instance:
Who:
- Who are your stakeholders concerning data security in your organization? You’ll identify the context of your organization and interested parties, e.g., people like your clients, suppliers, employees, insurers, IT team, and legal bodies.
- Who’s leading the charge for ISO 27001? Who’s responsible or accountable for which aspects of data security? For instance, your IT lead might be responsible for implementing the controls, but all your people are responsible for correctly recognizing and handling phishing emails.
What:
- What objectives are needed to keep data safe?
- What are the current risks to data security?
- What resources do you need to support the people in your organization to comply?
How:
- How should you ideally keep data safe?
- How should you improve the controls you have?
When you’ve identified and implemented your data security controls, your ISMS will help you continually monitor, measure, and improve them.
ISO Cyber Security Compliance Checklist 27001: MDM
If you’re still reeling from the mention of 114 controls, don’t panic because you got this. Especially if you’re already enjoying Mobile Device Management (MDM). MDM wasn’t purpose-built for ISO 27001, but it’s so powerful for it that it might as well have been. For instance, our own Ignition-flavored MDM checks off 28 of the 114 ISO 27001 controls, across eight of the 14 domains. That’s nearly 25% of the whole caboodle.
If you don’t believe that anything in this life can be so wonderful, here’s a speedy run-through of the Annex A controls that our MDM satisfies. Let’s take a look:
Annex A.8: Asset Management
This beauty covers identifying your information security assets (i.e., your processing and storage devices, as well as the data itself), who’s responsible for their security, and how the assets should be handled. Grab hold of our scripted asset register, cutely named our Fleet Sheet, and you’re compliant with four controls:
8.1.1. Maintain an inventory of assets
8.1.2. Identify user ownership of assets
8.1.4. Ensure a return of assets of terminated users
8.3.1. Implement removable media procedures
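As an added illustration (not part of the original article, and not the Ignition Fleet Sheet itself), here is a small Python check of the kind an asset register can be run through before an audit: it flags duplicate identifiers (8.1.1), assets with no recorded owner (8.1.2), and devices still assigned to users HR has marked as terminated (8.1.4). The register rows, field names and user names are constructed for the example.

```python
"""Asset-register evidence check for ISO 27001 Annex A.8 (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str   # inventory tag; must be unique across the register (8.1.1)
    owner: str      # user the asset is assigned to; "" means nobody recorded (8.1.2)
    kind: str       # laptop, phone, usb-drive, ...
    returned: bool  # True once the device is back in the pool (8.1.4)


# Constructed sample data, not taken from any real fleet or HR system.
TERMINATED_USERS = {"bob", "carol"}

SAMPLE_ASSETS = [
    Asset("LAP-0001", "alice", "laptop", False),
    Asset("LAP-0002", "bob", "laptop", False),      # bob has left, laptop not returned
    Asset("PHN-0001", "", "phone", False),          # no recorded owner
    Asset("USB-0001", "carol", "usb-drive", True),  # carol has left, but media returned
    Asset("LAP-0001", "dave", "laptop", False),     # duplicate inventory tag
]


def audit_register(assets, terminated_users):
    """Return a list of (control, asset_id, message) findings, in register order."""
    findings = []
    seen_ids = set()
    for asset in assets:
        # 8.1.1: an inventory is only usable if every tag identifies one asset.
        if asset.asset_id in seen_ids:
            findings.append(("8.1.1", asset.asset_id, "duplicate asset identifier"))
        seen_ids.add(asset.asset_id)

        # 8.1.2: every asset still in circulation needs a named owner.
        if not asset.owner and not asset.returned:
            findings.append(("8.1.2", asset.asset_id, "no recorded owner"))

        # 8.1.4: assets of leavers must have been returned.
        if asset.owner in terminated_users and not asset.returned:
            findings.append(
                ("8.1.4", asset.asset_id, f"still assigned to terminated user {asset.owner}")
            )
    return findings


def findings_by_control(findings):
    """Group findings by control number so the report reads like the checklist."""
    grouped = {}
    for control, asset_id, message in findings:
        grouped.setdefault(control, []).append(f"{asset_id}: {message}")
    return grouped


if __name__ == "__main__":
    for control, items in sorted(findings_by_control(
            audit_register(SAMPLE_ASSETS, TERMINATED_USERS)).items()):
        print(f"A.{control}")
        for item in items:
            print(f"  - {item}")
```

The check deliberately treats a returned device as closed for both 8.1.2 and 8.1.4: once the asset is back in the pool, the owner field is historical and no longer an evidence gap. Feeding it your real register export and your HR leavers list gives you a per-control list of gaps to close before the auditor asks.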
Annex A.9: Access Control
This does what it says on the tin. This set of controls prevents unauthorized people from accessing your data. Our MDM protocols satisfy a whopping nine controls:
9.1.2. Limit network access to authorized users only
9.2.1. Establish user registration and de-registration procedures
9.2.2. Establish user access provisioning procedures
9.2.3. Restrict privileged access rights
9.2.6. Remove or adjust access upon termination or role change
9.4.1. Restrict access per the access control policy
9.4.2. Implement secure log-on procedures
9.4.3. Implement a password management system
9.4.4. Restrict use of privileged utility programs
Annex A.12: Operations Security
These controls protect your IT systems—including operating systems and software—against data loss, and include weird stuff like making sure that information security audits are planned so they don’t get in the way of operations. Our MDM covers five controls:
12.2.1. Implement malware detection, prevention, and recovery controls
12.4.4. Synchronize system clocks to a reference time source
12.5.1. Implement procedures to control the installation of software on operational systems
12.6.1. Manage information about technical vulnerabilities
12.6.2. Restrict software installation
Our MDM also covers:
- Two controls of A.6: Organization of information security
- One of A.10: Cryptography
- Three of A.11: Physical and environmental security
- Two of A.14: System acquisition, development, and maintenance
- One of A.18: Compliance
If you’re feeling a little bamboozled by annexes, numbers, and controls, don’t worry, because it’s normal to feel this way at the start of your ISO 27001 adventure. Soon you’ll be fluent in the language and structure of ISO 27001, and it’s worth it because the rewards are huge.
If you’d like to explore how we can help you work through your ISO 27001 cyber security compliance checklist, give us a call. We’re here to help!