ISO 27001 Summary for the Practitioner - How to Comply
ISO 27001 is a standard for cybersecurity management. It is widely used and relied upon in the financial industry and other industries for structuring internal processes. It is also widely used for assessing the cybersecurity capabilities of vendors.
Contents
What is the ISO/IEC 27001 standard
ISO/IEC 27001 and SSH
ISO/IEC 27001 controls and SSH guidance
What organizations need to do next?
What is the ISO/IEC 27001 standard
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of international standards through technical committees. ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information Technology, Subcommittee SC 27, IT Security techniques.
The ISO/IEC 27001 standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The design and implementation of an organization's ISMS is influenced by its needs, objectives and security requirements.
The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.
Lastly, the standard adopts the “Plan-Do-Check-Act” (PDCA) model which is applied to structure all ISMS processes:
Plan: establish the ISMS policies and objectives relevant to managing risk;
Do: implement and operate the ISMS policy;
Check: assess and measure process performance against policy;
Act: take corrective and preventative actions based on results of internal ISMS audit.
ISO/IEC 27001 and SSH
The requirements within ISO/IEC 27001 are generic and intended to be applicable to all organizations, regardless of type, size and nature. The standard promotes the definition of a risk assessment approach that allows organizations to identify, analyze and treat security risks.
Unauthorized access to protected information is a key risk that needs to be continually addressed. The ISO/IEC 27001 controls clearly spell out the need to define roles and responsibilities, ensure authorized access and monitor all access on a regular basis. Because the SSH protocol comes bundled with all production components, has propagated over the years without visibility, and is poorly (if at all) managed as part of provisioning or governance processes, it represents a critical access gap that must be addressed as organizations seek ISO/IEC 27001 certification.
ISO/IEC 27001 controls and SSH guidance
The ISO/IEC 27001 framework paves the way for organizations to establish a security program from inception, through leadership, to evaluation, continuous improvement and auditing. Organizations seeking ISO/IEC 27001 certification typically undergo a rigorous sequence of events to ensure a solid ISMS spanning the entire organization.
As with any framework, organizations must adhere to a mandatory list of requirements that are tested and audited regularly. Below is a sample of a few key controls and how SSH Communications Security solutions help ensure compliance:
| Control description | SSH guidance |
|---|---|
| A.6.1.2 Segregation of duties: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | Properly configured and deployed, our products will further enhance your logical access controls. They can support your defined roles and responsibilities and only grant access based on approved roles. |
| A.9.1.2 Access to networks and network services: Controls should be in place to ensure users only have access to the network resources they have been specifically authorized to use. | Our products help identify connections from unknown sources and alert on any changes to configurations or SSH keys. They also provide monitoring and logging capabilities, in combination with a DLP solution, to detect and automatically terminate any unauthorized sessions. |
| A.9.2.3 Management of privileged access rights: The allocation and use of privileged access rights shall be restricted and controlled. | Our products are critical in supporting privileged access controls. They support three basic principles of privileged access: approval, logging and monitoring, and post-activity reviews. |
| A.9.1.1 Review of user access rights: A process to review access rights to assets on a regular basis. | Our products support the activity review process and the basic principles of approval, logging, monitoring, and post-activity reviews. |
| A.9.2.6 Removal of access rights: The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement. | Properly configured and deployed, our products will further enhance your logical access controls. They support your defined roles and responsibilities and only add, change and remove access based on approved requests. |
What organizations need to do next?
Organizations seeking ISO/IEC 27001 certification must adhere to key requirements and undergo audits on a regular basis. These mandatory requirements range from ISMS scope definition, security policy definition, the risk assessment process and risk treatment, to evidence of competence, evidence of monitoring, evidence of audits, and many more. The one common theme across many of these mandatory requirements is "trusted access." The more organizations learn about the hidden credentials, SSH keys, the more they realize the critical need to manage this elevated type of access.
Encrypted and unmanaged privileged access is a security risk that no organization should face. Organizations that want to ensure compliance with ISO/IEC 27001 access controls have taken the initiative to identify where SSH keys are granting access to their production environment. As with any access provisioning or governance process, access must be locked down, adjusted per roles and responsibilities, and monitored for ongoing compliance. SSH Communications Security offers solutions and services that ensure compliance with the stated controls. They provide the assurance that all SSH key access is accounted for, monitored and audited.