ISO/IEC 27001 Compliance Solution
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) are world-renowned organizations that issue industry-specific standards. For information security management, they established the ISO/IEC 27000 family of standards that provides organizations with requirements, best practices, and recommendations for ensuring full-scale data security.
The ISO 27001 standard specifies requirements for information security management systems (ISMSs). It includes 14 major controls that describe policies and processes for managing and protecting data.
Ekran System can help your organization comply with ISO 27001 by providing you with tools for monitoring and logging user actions, managing access to sensitive resources, responding to security events, and auditing suspicious activity. Also, Ekran System’s own quality management system and ISMS comply with ISO 9001 and ISO 27001.
Who needs to comply with ISO 27001?
ISO 27001 certification is completely voluntary and can be obtained by any company that has an information security management system. Despite being optional, however, implementing ISO 27001 requirements is one of the most popular choices, according to Gartner. The reason behind this popularity is the vast number of benefits this certification can bring to an organization.
Many ISO 27001 requirements align with other requirements, such as those imposed by the GDPR and NIST. To get certified, you need to contact your local ISO 27001 certification body, pass an initial audit, and then maintain your certification by proving your compliance in yearly surveillance audits. Deploying dedicated software such as Ekran System eases the audit process and helps you pass it successfully.
Implementing ISO 27001 controls with Ekran System
Ekran System is an all-in-one insider threat management platform that covers six of the most important ISO 27001 controls:
Organization of information security. Deploying Ekran System helps you establish a cybersecurity management framework. This platform provides you with the means to grant access privileges and monitor the activity of regular users, privileged users, and remote employees. By doing so, you’ll be able to meet the following requirements:
- A.6.1.2. Segregation of duties
- A.6.2.2. Teleworking
Asset management. Ekran System detects any USB device connected to a monitored endpoint and lets you manage it, approve it manually or automatically, or block it. This functionality covers the following control:
- A.8.3.1. Management of removable media
Access control. Ekran System provides you with a robust access control and management toolset that includes an access request and approval workflow, secondary authentication, multi-factor authentication, and time-based access restrictions. With these tools, you’ll be able to granularly control access, manage user rights in a few clicks, and detect and stop security violations in real time.
Ekran’s password management functionality securely handles user credentials and secrets, providing an additional level of access protection.
This set of access management tools helps you comply with the following ISO 27001 requirements:
- A.9.1.2. Access to networks and network services
- A.9.2.3. Management of privileged access rights
- A.9.2.4. Management of secret authentication information of users
- A.9.2.5. Review of user access rights
- A.9.2.6. Removal or adjustment of access rights
- A.9.4.1. Information access restriction
- A.9.4.2. Secure log-on procedures
- A.9.4.3. Password management system
Operations security. User activity monitoring is one of the core functionalities of Ekran System. This solution monitors and logs each user action on protected endpoints and couples context-rich recordings with searchable metadata: names of opened files and folders, connected USB devices, accessed URLs, executed commands, etc. Monitoring data is protected with AES-256 encryption and is easy to review and analyze. All encryption algorithms use FIPS 140-2 certified encryption implementations. With this functionality, you can implement these controls:
- A.12.1.2. Change management
- A.12.4.1. Event logging
- A.12.4.2. Protection of log information
- A.12.4.3. Administrator and operator logs
- A.12.7.1. Information systems audit controls
Supplier relationships. With Ekran System, you can monitor the activity of third-party vendors just as easily as the activity of your own employees. The software logs their activities, manages access, and controls privileges. Vendor actions can be reviewed in real time or from session recordings. This functionality corresponds to the following control:
- A.15.2.1. Monitoring and review of supplier services
Information security incident management. Being a full-cycle cybersecurity platform, Ekran System provides you with the means to detect and respond to cybersecurity incidents. You can assess suspicious user actions in real time, warn users about security violations, and block suspicious processes, sessions, or users. After an event, you can review and analyze logs, generate reports on the event, and export data for forensic investigation. Using Ekran System, you can implement these ISO 27001 security controls:
- A.16.1.2. Reporting information security events
- A.16.1.4. Assessment of and decision on information security events
- A.16.1.5. Response to information security incidents
- A.16.1.7. Collection of evidence
For more information on ISO 27001 compliance with Ekran System, take a look at this chart.