How to Quickly and Easily Achieve ISO 27001 Compliance
If you’re in cybersecurity or an IT professional, you’ve probably heard of the ISO/IEC 27001 standard for information security management systems (ISMS). Implementing the ISO 27001 standard provides many benefits to organizations, including helping them comply with data privacy laws such as the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
You can find the core requirements of ISO/IEC 27001 in clauses 4 through 10, which help organizations identify, assess and treat information security risks. Additionally, a comprehensive list of controls under Annex A enables organizations to manage those risks. ISO 27001 does not formally mandate specific security controls; organizations are free to choose which controls are applicable to their particular scenarios. Organizations that seek further information on implementing these security controls typically refer to ISO/IEC 27002 (a companion standard to ISO/IEC 27001), which provides detailed implementation guidance.
Organizations looking to achieve ISO/IEC 27001:2013 compliance are required to show sufficient evidence to auditors that they have put in place the necessary security controls from Annex A. To view the list of relevant controls, see the table at the end of this blog.
As with many data compliance regulations, achieving ISO 27001 compliance takes time and planning. In this post, we’ll outline how Duo solutions can help you quickly and easily achieve ISO 27001 to ensure your organization is in compliance and stays that way.
Below are the specific security controls that Duo’s solutions can help you satisfy with ease:
A.9 ACCESS CONTROL
One key way to provide evidence to auditors is to show that proper access control policies have been enforced. This section mainly provides a list of controls to ensure that only the right people can access the network. Here are some of the capabilities administrators can leverage to satisfy these controls.
How Duo helps:
A.9.1.2: Duo Access can help IT administrators implement Role-Based Access Control (RBAC). Admins can define access policies per user or per application based on business requirements. Administrators can leverage additional context such as a user’s location or network before granting access.
A.9.2.1: All Duo editions enable administrators to maintain a list of users who require access to business systems. In addition, Duo helps administrators focus on their critical responsibilities and offload routine tasks such as new user enrollment by empowering users with self-enrollment.
A.9.4.1: All Duo editions provide administrators with the ability to restrict access to protected applications based on the principle of least privilege. With Duo Beyond, administrators can additionally restrict access to internal information systems that are hosted locally or in AWS or Azure.
A.9.4.2: All Duo editions provide secure multi-factor authentication through multiple methods such as Duo Push notifications, U2F, SMS or voice call. Duo's authentication is completely independent of the primary authentication workflow, providing an added layer of security. Further, administrators can control which second-factor authentication methods are permitted per group or application, reducing the risk of compromised credentials and preventing lateral movement.
A.9.4.4: With Duo Network Gateway, administrators can restrict access to internal servers based on user groups. Duo also integrates with privileged access management solutions such as CyberArk to add a layer of authentication. Finally, the solution itself includes multiple administrative roles to enforce strict access controls.
A.9.4.5: All Duo editions provide two-factor authentication to restrict access to source code repositories. Additionally, Duo Beyond restricts SSH access to the network if your organization stores source code on internal servers such as GitHub.
A.12 OPERATIONS SECURITY
The controls in this section of ISO 27001 provide guidance to ensure proper operating procedures are followed, including how event logs are recorded and protected.
How Duo helps:
A.12.4.1, A.12.4.2, A.12.4.3: All Duo editions produce detailed logs for every event, from end-user login activity to changes made by administrators. These logs can be imported into your log management tools for analysis. In addition, Duo can help protect those log management tools, such as Splunk, against unauthorized access.
A.13 COMMUNICATIONS SECURITY
This section deals with network security management to ensure the organization has the right systems in place to protect information in its networks.
How Duo helps:
A.13.1.1: Duo Beyond enables organizations to enforce zero-trust principles by establishing user and device trust for secure access to services and applications across hybrid environments.
A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
This section prescribes the controls required to secure the entire development lifecycle for applications and services delivered over public networks.
How Duo helps:
A.14.1.2, A.14.2.6, A.14.3.1: Duo Access enables organizations to set adaptive authentication policies based on user roles, device health, user location and network. Administrators can better protect the organization’s intellectual property by implementing need-to-know access controls. To restrict access to certain areas of the network such as development and test environments, administrators can simply create designated user groups based on roles and responsibilities.
A.18 COMPLIANCE
The compliance section lists the controls needed to adhere to legal and contractual requirements such as protecting customer information.
How Duo helps:
A.18.1.3, A.18.1.4: All Duo editions protect sensitive data such as customer records and personally identifiable information (PII) by verifying the identity of the users seeking access and the health of the users' devices. The solution provides a powerful combination of contextual user access policies and device-based access policies that enable administrators to easily prevent unauthorized access.
ISO 27001 compliance can provide many benefits for an organization. Duo Security helps you achieve compliance quickly and easily by satisfying the controls required to secure access to your information systems. To understand how Duo works, try it yourself for free.
Appendix: Table of Controls
A.9.1.2 - Access to networks and network services - Users shall only be provided with access to the network and network services that they have been specifically authorized to use.
A.9.2.1 - User registration and de-registration - A formal user registration and de-registration process shall be implemented to enable assignment of access rights.
A.9.4.1 - Information access restriction - Access to information and application system functions shall be restricted in accordance with the access control policy.
A.9.4.2 - Secure log-on procedures - Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure.
A.9.4.4 - Use of privileged utility programs - The use of utility programs that might be capable of overriding system and application controls shall be restricted and tightly controlled.
A.9.4.5 - Access control to program source code - Access to program source code shall be restricted.
A.12.4.1 - Event logging - Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed.
A.12.4.2 - Protection of log information - Logging facilities and log information shall be protected against tampering and unauthorized access.
A.12.4.3 - Administrator and operator logs - System administrator and system operator activities shall be logged and the logs protected and regularly reviewed.
A.13.1.1 - Network controls - Networks shall be managed and controlled to protect information in systems and applications.
A.14.1.2 - Securing application services on public networks - Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification.
A.14.2.6 - Secure development environment - Organizations shall establish and appropriately protect secure development environments for system development and integration efforts that cover the entire system development lifecycle.
A.14.3.1 - Protection of test data - Test data shall be selected carefully, protected and controlled.
A.18.1.3 - Protection of records - Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislatory, regulatory, contractual and business requirements.
A.18.1.4 - Privacy and protection of personally identifiable information - Privacy and protection of personally identifiable information shall be ensured as required in relevant legislation and regulation where applicable.