Here at Unleashed, we take a different approach to ISO 27001 compliance. There is a whole world of consulting around the ISO Management System Standards, and it tends to focus on compliance with the letter of the standard – paperwork, paperwork and more paperwork!
Whilst the consultants are great at getting your management system certified by your chosen Certification Body, what they often struggle with is the practical implementation of the technical controls behind your information security. Our take on ISO 27001, the ISO standard for Information Security Management, is to focus on the IT-based controls and make sure the necessary technology is in place and working in your organisation, so that during your audit you can demonstrate that these controls exist and are effective.
For me personally, as an IT Consultant, I have a dual background. I spent many years developing Management Systems for ISO 9001, 14001 and OHSAS 18001. I’d already seen the benefits of using IT to quickly enable accreditation – processes and procedures, for me, were inherent in how the software applications do things. ISO 27001 in Information Security is a different story.
Being Practical about ISO 27001 Compliance
You may already have both an ISO 27001 consultant and an IT consultancy working with your firm, and neither may be prepared for the hands-on work that needs to be done on your IT infrastructure to fully achieve and maintain ISO 27001 compliance.
With ISO 27001 there is more practical thinking to be done than with most other mainstream ISO standards – the classification of your internal documents, record retention periods and, most importantly, the top-level information security risk assessment. Out of that risk assessment come your controls: a control may be a firewall, an adequate antivirus system or regular permissions auditing.
This is where the management systems cross-over to the world of IT Consultancy.
Unfortunately, Microsoft have not armed the IT professional with a good set of built-in tools in the Windows Server operating systems to take care of this work. There are two very significant gaps that require external tools:
- User account permissions and auditing – what ISO 27001 calls “User access management”
- Logging and monitoring – what ISO 27001 calls “Monitoring” and “Audit logging”
User Access Management
There are numerous tools on the market, and we can tell you about them all; our favourite at the moment is 8man. It allows you to audit and correct existing permissions and to build effective internal processes for User Access Management.
The particular problem with NTFS permissions on Windows file servers is nested groups – Active Directory groups that are members of other groups. A permission granted to one group silently extends to every member of every group nested inside it, however many levels deep, and groups can even be nested in a circle. The result is that users end up with unintended access to an information asset – a folder, a SharePoint site or a line-of-business application such as SAP – and nobody can easily see why. 8man takes this pain away by showing effective access per user, and can also provide a self-service permissions request portal, making the process less painful for IT.
Of course, those of us who have worked as IT Managers know all too well the problems with granting users access to folders. You may have spent hours creating groups and adding users to them, but the business frequently wants a quick change, and the helpdesk can easily add a user to the wrong group, or grant them directly on the folder and bypass the group structure altogether.
8man gives you the insight, visibility and process to get this under control, which will smooth your ISO 27001 compliance.
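To make the nested-group problem concrete, here is an added example of the audit logic a permissions tool has to perform. It is not 8man's code or anything from this page: the group membership map, the folder ACL, the user names and the "approved" list are all constructed for illustration. Against a real domain you would populate the two tables from Get-ADGroupMember and Get-Acl output instead.

```python
"""Resolve who can actually reach a folder through nested AD groups.

Constructed example: the directory and ACL below are made up. The walk
is breadth-first with a visited set, so circular nesting (A in B, B in A)
terminates and is reported instead of looping forever.
"""
from collections import deque

# Constructed directory: group -> direct members (users or other groups).
GROUPS = {
    "Finance-Share-RW": ["alice", "Finance-Team"],
    "Finance-Team": ["bob", "All-Staff"],        # nesting mistake: whole company
    "All-Staff": ["carol", "dave", "Contractors"],
    "Contractors": ["eve", "All-Staff"],         # circular nesting
    "Domain Admins": ["frank"],
}

# Constructed ACL for the Finance share: (principal, rights).
FINANCE_ACL = [
    ("Finance-Share-RW", "Modify"),
    ("Domain Admins", "FullControl"),
    ("mallory", "Modify"),   # helpdesk granted a user directly on the folder
]


def expand_group(name, groups):
    """Return (users transitively in `name`, list of circular paths found)."""
    users, cycles, seen = set(), [], set()
    queue = deque([(name, (name,))])
    while queue:
        grp, path = queue.popleft()
        if grp in seen:
            continue
        seen.add(grp)
        for member in groups.get(grp, []):
            if member in groups:                 # a nested group
                if member in path:               # back-edge: A -> ... -> A
                    cycles.append(path + (member,))
                elif member not in seen:
                    queue.append((member, path + (member,)))
            else:                                # a user
                users.add(member)
    return users, cycles


def effective_access(acl, groups):
    """Map each user to the rights they hold and how they got them."""
    access, cycles = {}, []
    for principal, rights in acl:
        if principal in groups:
            users, found = expand_group(principal, groups)
            cycles.extend(found)
            via = f"via group {principal}"
        else:
            users, via = {principal}, "direct ACE"
        for user in users:
            access.setdefault(user, []).append((rights, via))
    return access, cycles


def audit(acl, groups, approved):
    """Return (users with access who are not approved, cycles found)."""
    access, cycles = effective_access(acl, groups)
    unintended = {u: g for u, g in access.items() if u not in approved}
    return unintended, cycles


if __name__ == "__main__":
    approved = {"alice", "bob", "frank"}          # who the asset owner signed off
    unintended, cycles = audit(FINANCE_ACL, GROUPS, approved)
    for user, grants in sorted(unintended.items()):
        for rights, via in grants:
            print(f"UNINTENDED {user:8} {rights:12} {via}")
    for cycle in cycles:
        print("CYCLE", " -> ".join(cycle))
```

Run as-is it flags carol, dave and eve (reached only because All-Staff was nested under Finance-Team), flags mallory (the direct ACE that bypasses the groups), and reports the All-Staff/Contractors loop. The same walk is what you need for an ISO 27001 access review: evidence of who can reach an asset, not just which groups are on the ACL.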
Monitoring and Audit Logging
Just about every IT system creates logs; you only need to open Windows Event Viewer to see a snapshot of them. Your hardware, such as firewalls and switches, does the same. Again, though, none of the manufacturers, Microsoft included, give you a good place to gain insight into what you are seeing: each entry is simply a line of diagnostic information.
In the world of Security Information and Event Management (SIEM) there are many applications that handle this. From an ISO 27001 perspective you need to show not only what monitoring of users is being done, but also how suspected breaches are detected. Should a breach happen, you will also need to preserve the evidence of it, both for your own investigation and for any legal or law-enforcement request. These tools are more important than you may think, whether or not you are working towards ISO 27001.
There are tools such as ObserveIT that focus on internal users and record their activity – really a form of user activity monitoring that overlaps with Data Loss Prevention. Then there are tools such as Splunk and LogRhythm that look at the entire IT estate, consolidate and index the data, and give you visualisations and alerts about what is really going on; Splunk and LogRhythm are true SIEM solutions.
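To show what "alerts about what is really going on" means in practice, here is an added example of detection logic run over a handful of Windows Security events. It is not code from this page or from any SIEM product. The event IDs are the real Windows ones (4728/4732/4756 member added to a security-enabled group, 4670 permissions on an object changed, 4625 failed logon), but the pipe-delimited record layout, the seven sample events, the host and user names and the list of "sensitive" groups and paths are all constructed for the example.

```python
"""Three detections over constructed Windows Security events.

Constructed example: the records, hosts, accounts and thresholds are made
up. Real events would arrive via Event Forwarding or a SIEM collector;
the layout here is this script's own: time|event_id|host|actor|target|detail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = r"""
2016-03-01T09:12:04|4728|DC01|helpdesk.jo|Finance-Share-RW|CN=mallory,OU=Staff,DC=corp,DC=local
2016-03-01T09:15:30|4728|DC01|helpdesk.jo|Printer-Users|CN=dave,OU=Staff,DC=corp,DC=local
2016-03-01T09:40:11|4670|FS01|admin.sam|D:\Shares\Finance\Payroll|DACL changed
2016-03-01T11:02:00|4625|FS01|-|alice|bad password
2016-03-01T11:30:00|4625|FS01|-|mallory|bad password
2016-03-01T11:30:07|4625|FS01|-|mallory|bad password
2016-03-01T11:30:15|4625|FS01|-|mallory|bad password
"""

# Real Windows event IDs for "member added to a security-enabled group".
GROUP_ADD_IDS = {"4728": "global", "4732": "local", "4756": "universal"}
# Constructed policy: groups and paths the asset owners care about.
SENSITIVE_GROUPS = {"Domain Admins", "Finance-Share-RW"}
MONITORED_PATHS = (r"D:\Shares\Finance",)
FAILED_LOGON_THRESHOLD = 3
FAILED_LOGON_WINDOW = timedelta(minutes=5)


def parse(text):
    """Parse the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, eid, host, actor, target, detail = line.split("|", 5)
        events.append({"time": datetime.fromisoformat(when), "id": eid,
                       "host": host, "actor": actor,
                       "target": target, "detail": detail})
    return events


def detect(events):
    """Return a list of (severity, message) alerts in event order."""
    alerts = []
    failures = defaultdict(list)          # account -> recent failure times
    for e in events:
        # 1. Membership change on a sensitive group (ties to access review).
        if e["id"] in GROUP_ADD_IDS and e["target"] in SENSITIVE_GROUPS:
            alerts.append(("HIGH", f"{e['actor']} added {e['detail']} to "
                                   f"{GROUP_ADD_IDS[e['id']]} group "
                                   f"{e['target']} on {e['host']}"))
        # 2. ACL edited on a monitored share path.
        elif e["id"] == "4670" and e["target"].startswith(MONITORED_PATHS):
            alerts.append(("MEDIUM", f"{e['actor']} changed permissions on "
                                     f"{e['target']} ({e['host']})"))
        # 3. Repeated failed logons for one account inside a sliding window.
        elif e["id"] == "4625":
            recent = [t for t in failures[e["target"]]
                      if e["time"] - t <= FAILED_LOGON_WINDOW]
            recent.append(e["time"])
            failures[e["target"]] = recent
            if len(recent) == FAILED_LOGON_THRESHOLD:   # fire once per burst
                alerts.append(("HIGH", f"{FAILED_LOGON_THRESHOLD} failed logons "
                                       f"for {e['target']} on {e['host']} "
                                       f"within {FAILED_LOGON_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(parse(SAMPLE_EVENTS)):
        print(f"[{severity}] {message}")
```

On the sample data this raises three alerts: the add to Finance-Share-RW (the Printer-Users add is kept for the access review but not alerted), the DACL change under the Finance share, and the burst of failed logons for mallory (alice's single failure stays below the threshold). The point for ISO 27001 is that the raw 4728 or 4670 line in Event Viewer proves nothing on its own; the correlation against a list of sensitive assets and a time window is what turns logging into monitoring.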
The important thing to remember about such tools is that there are many, and we’ll help you find the right one at the right price point. Unleashed are completely vendor agnostic and work with all solutions to find the best fit.
Next steps
If you’re struggling with the practical side of your ISO 27001 compliance project and need some practical help from tech-savvy ISO implementers, then we’d love to help. We can work with your existing audit teams and even external consultants to ensure that the IT side of your compliance doesn’t let you down.
We pride ourselves on being about as approachable as you can get, and if you’d just like a free no obligation chat – then we’re more than happy to talk about what we know. Just contact us here.