Looking to get ISO Certified? We Can Help.
It’s 2022 and, chances are, compliance is a key talking point on the immediate agenda at your enterprise.
It may stir excitement (we see you, Compliance Officers 👋🏽), or make you roll your eyes (the rest of us), but at the end of the day, no business wants to end up facing criminal charges for breaking the law – and that’s where compliance standards and frameworks come in.
There’s a fair few of them floating around – CCPA, HIPAA, GDPR, SOC 2, ESG, HITRUST and CSA STAR, for example. Some have various letters and numbers appended, referring to different focus areas, but today we’re focusing on one of the certifications that we can actively help your organization to achieve:
- ISO 27001 (formally ISO/IEC 27001) – the international standard for Information Security Management Systems, published jointly by the International Organization for Standardization and the International Electrotechnical Commission
ISO for Dummies
Part of the ISO / IEC 27000 series, ISO 27001 is all about efficiently and effectively handling information security through the adoption of an Information Security Management System (ISMS). It’s suitable for organizations of any size and, as an international standard, is recognized globally.
Advisera’s ISO 27001 Academy describes the standard as aiming to protect the following three aspects of information:
- Confidentiality – Only the authorized persons have the right to access information.
- Integrity – Only the authorized persons can change the information.
- Availability – The information must be accessible to authorized persons whenever it is needed.
Achieving this certification ain’t easy, oh no. The process is arduous, lengthy, and soul-destroying (trust us – we’ve just gone through it ourselves), but it’s worth it.
It feels good, it looks good to your existing and prospective customers (as well as existing and future suppliers), but most importantly, it does what it sets out to do: manages risk, minimizes errors, and ensures all operations are conducted responsibly and safely. What follows is sustainability, employee satisfaction, and a continually improving and competitive company.
So, to the million-dollar question: how can we help you get certified?
PAM-Related Controls in ISO 27001
If you’ve started the ISO-certification process, you’ll be aware that there is an abundance of requirements your organization must implement and show proof of in order to pass audit, in the form of security controls.
Some of these controls relate directly to Privileged Access Management (PAM); take the following Annex A controls (numbered as in the 2013 edition of Annex A – the 2022 revision of the standard renumbers them under A.8, for example A.8.2 Privileged access rights and A.8.19 Installation of software on operational systems):
- A.9.2 User Access Management – A.9.2.3 Management of privileged access rights. Control: The allocation and use of privileged access rights shall be restricted and controlled.
- A.12.5 Control of Operational Software – A.12.5.1 Installation of software on operational systems. Control: Procedures shall be implemented to control the installation of software on operational systems.
- A.12.6 Technical Vulnerability Management – A.12.6.2 Restrictions on software installation. Control: Rules governing the installation of software by users shall be established and implemented.
Kill Two Birds with One Stone
So, let’s say you didn’t set out looking for a PAM solution, but you are in the midst of working towards your ISO cert – we can help you kill two birds with one stone: compliance and security.
Admin By Request tackles User Access Management (Control A.9.2.3) by allowing the instant removal of your users’ local admin rights, plus the ability to view and manage which users hold which privileges via a user-friendly Portal. It’s not all about restriction though: your now-standard users are still able to gain elevated access on an as-needed, Just-In-Time basis – ticking off the ISO requirement and securing your endpoints, while maintaining user productivity.
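Whatever tooling you use, an auditor will want evidence that local admin rights really are restricted, and the simplest evidence is a dated list of who sits in the local Administrators group on each endpoint, compared against what you approved. The script below is an added example for collecting that evidence on one Windows host; it is not Admin By Request code or output. It assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and the allow-list (including the hypothetical CORP\Domain Admins group) is a placeholder you would replace with your own approved principals.

```powershell
# Added example (not Admin By Request code): evidence for A.9.2.3 on one Windows endpoint.
# Lists every member of the local Administrators group and flags any principal that is
# not on an approved allow-list. Assumes Windows 10+/Server 2016+ with the built-in
# Microsoft.PowerShell.LocalAccounts module. The allow-list below is a placeholder.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account (assumed to be managed/disabled)
    "CORP\Domain Admins"                 # hypothetical domain group, replace with your own
)

function Get-PrivilegedAccessEvidence {
    param([string[]]$AllowList = $Approved)

    # Get-LocalGroupMember returns Name, ObjectClass (User/Group) and PrincipalSource
    # (Local, ActiveDirectory, AzureAD, MicrosoftAccount) for each member.
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Host            = $env:COMPUTERNAME
            Principal       = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            Approved        = ($AllowList -contains $m.Name)
            CollectedAt     = (Get-Date).ToString("o")
        }
    }
}

$evidence = Get-PrivilegedAccessEvidence
$evidence | Format-Table -AutoSize

# Keep the dated CSV as audit evidence; anything not approved is a finding against A.9.2.3.
$evidence | Export-Csv -Path ".\local-admins-$env:COMPUTERNAME.csv" -NoTypeInformation
$unapproved = @($evidence | Where-Object { -not $_.Approved })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) unapproved member(s) of local Administrators on $env:COMPUTERNAME"
}
```

Run it on a sample of endpoints (or push it through your endpoint management tool) before the audit and again after you roll out admin-rights removal: the before/after CSVs are exactly the kind of proof that the allocation of privileged rights is being controlled, rather than just a policy document saying it should be.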
When it comes to controlling software installs (Controls A.12.5.1 and A.12.6.2), users must be granted elevated privileges before they can install applications. To gain elevation, they need to provide a reason for the install and, depending on your Portal settings, wait for remote approval from an IT admin before it can go ahead. An extra layer of security comes in the form of OPSWAT MetaDefender’s multi-scanning tool, which scans the files with over 35 antimalware engines; malicious files are flagged and quarantined to be dealt with. Again, this meets the ISO controls while protecting your network and organization from malware and cyberattacks.
There’s a whole lot more that comes with the Admin By Request solution, such as an extensive Audit Log which monitors and records all elevated activity, a comprehensive hardware and software inventory of all of your connected devices, a Break Glass / LAPS-replacement feature to create temporary local admin accounts, detailed Reporting capabilities, the ability to lock down endpoints to a single user, and more… but let’s talk about getting you ISO certified before we go into all that.
Get in Touch
ISO certification is a mammoth process, but adopting an effective Privileged Access Management solution is a cost-effective and sure-fire way to tick off a number of controls and help get you over the line – while also providing comprehensive security for your entire enterprise.
Get in touch with us today for compliance AND security.