The International Organization for Standardization (ISO) is a non-governmental organization for setting proprietary, industrial and commercial standards. In the context of data security, ISO 27001 provides standards for developing and implementing information security policies and processes.
Such standards are not enforced, but instead provide a framework to help organizations satisfy the relevant compliance requirements. It is a good idea for businesses to be ISO 27001 certified because it will improve their reputation, and of course, minimize the likelihood of a data breach.
While there are no direct legal implications of failing to comply with the standards set by the ISO, businesses that fail to comply may struggle to operate in certain geographical locations. To get an ISO 27001 certification, organizations are required to hire an external certification body to carry out a review of their information security management system (ISMS), which includes policies and processes relevant to how data is controlled and used.
Additionally, organizations are required to provide evidence that their ISMS is being adhered to, which includes follow-up audits that are agreed between the organization and the certification body. Complying with ISO 27001 is a challenge, to say the least. The purpose of this article is not to provide a detailed breakdown of the specification, but to provide a brief summary of the steps that need to be taken to become certified, along with the technologies that can be used to simplify the process.
To comply with ISO 27001, the auditors will be looking for documentation relating to:
- The Information Security Policies in place, including information about how often these policies are reviewed.
- Organizational charts detailing who is responsible for what data. The documentation should also provide information about access privileges, including who is responsible for assigning and monitoring them.
- The procedures for on-boarding and off-boarding, including information about educating new employees about cyber-security best practices.
- Methods for securing data, including any tools and technologies used.
- How data is collected and stored, including information about where sensitive data is located.
- How data is encrypted, including the encryption algorithms used.
- The physical security controls in place, including how access to the physical data centers is permitted.
- What communication channels are used, and how data is kept secure using those channels.
- The procedures for introducing new systems and technologies.
- The procedures for interacting with third parties, such as contractors and vendors. The auditors will review any Business Associate Agreements (BAAs) that are in place.
- Incident response policies for both physical and technical incidents.
- Evidence that the organization is compliant with the relevant regulations.
With the right tools and technologies, becoming ISO 27001 certified can be made a lot easier. For example, Data Security Platforms help to satisfy many of the above requirements. Using such solutions, organizations can generate a wealth of pre-defined reports that relate to specific ISO 27001 articles. These reports can be given to the auditors as evidence that the organization has complete visibility into how its data is organized and managed. Most sophisticated DCAP solutions provide built-in data discovery tools, which can automatically discover and classify a wide range of data types, including PII, PCI and ePHI.
Knowing exactly where your sensitive data resides will make it easier to assign the appropriate access controls. Such solutions will also detect changes to privileged accounts and changes made to configurations in key data stores. They can detect suspicious file and folder activity and privileged mailbox access. Again, all of this information can be easily delivered via screenshots and reports.