ISO 27001 update gives a cloud callout to help you build your security practice
For many years, ISO 27001 certification has been an industry benchmark for demonstrating adherence to standard security practices. It’s a way for a company to measure itself objectively in order to understand its security posture, and to give executive leaders and boards confidence that the security team is doing everything it can to protect the company’s data and its customers’ data.
If you’ve never worked in compliance before, there can be the impression that achieving compliance is a simple checklist, when in fact the opposite is true. There tends to be a lot of “wiggle room” in compliance certification, which lets auditors be flexible and accommodate the fact that all businesses operate differently. This is beneficial in that it allows for flexibility, but it can be troublesome in that it forces companies to provide a lot of evidence to show adherence to the standard.
As a security executive, I’ve used the ISO framework as a way to measure how serious my third-party suppliers were about security. Instead of forcing the suppliers to answer dozens or hundreds of security questions, I would rely on industry certifications like ISO 27001 to provide the assurances I needed that they took security seriously.
What’s new with ISO
In the last 10 years, the security world has changed dramatically. The shift away from traditional data centers has changed the way we think about security. Instead of data centers, firewall rules, and software testing, we talk more about infrastructure as a service (IaaS), DevOps, and threat intelligence. In order to keep up with this mercurial industry, ISO released a new version of the 27001 framework.
The changes keep a lot of the original controls, but make some significant additions that are worth talking about. These new updates focus on items like cloud security, threat intelligence, and secure development, which are front and center when securing a modern development environment. This ensures that companies that rely on ISO 27001 as evidence of proper security controls can continue to rely on it, given the changes in security that have occurred in the years since the previous (2013) version was released.
One of the most significant changes is the addition of control 5.23, which sets out requirements for information security in the use of cloud services. In the previous version, cloud security fell into a larger bucket related to managing the security of services provided by third parties. During an audit, cloud services were covered, but there was room for interpretation on how to manage and audit those services. The new control specifically calls for defining security responsibilities between the cloud service provider and the customer, typically as a responsibility matrix. It then expects you to have controls in place to manage, secure, and monitor the cloud services according to the responsibilities in that matrix.
This addition to the ISO 27001 framework is a real help in securing the use of third-party services. It also ensures that cloud service customers have methods in place to monitor and secure their own workloads, rather than assuming the provider covers everything.
Another new addition to ISO 27001 is control 5.7, Threat Intelligence. New cybersecurity threats are detected all the time, so it’s important for organizations to have a way to understand, alert on, and monitor for new threats that may impact their data and infrastructure. The new control requires not only that threat intelligence data is received, but that the data is actionable: it has to feed back into the organization’s risk management process and into the controls and processes related to testing.
Configuration Management (control 8.9) was also added as a new item in the ISO 27001 update. It details the need for an organization to document, implement, and monitor the configurations of its resources. Many companies start out well by establishing secure standards and baselines for their resources (like servers and firewalls), but in a DevOps world where changes happen quickly, the deployed configuration can inadvertently drift from the baseline, or the baseline itself can be changed without review. It’s equally important to ensure the established baselines are monitored for adherence. This helps ensure security standards are met and also makes it possible to trace security incidents back to unauthorized changes.
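As an added illustration of the monitoring that paragraph describes (this is example code written for this page, not code from the original post or from ISO), the script below compares a host’s reported configuration against an approved baseline and reports every departure, including extra open ports and components that were never baselined. The host names, settings and values are constructed assumptions, not an organization’s real standard.

```python
"""Configuration baseline drift check (added example, not from the original post)."""
import hashlib
import json

# Constructed sample baseline for a bastion host. The values are assumptions
# chosen for the example, not a real organisational standard.
BASELINE = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "no", "Port": "22"},
    "firewall": {"default_policy": "DROP", "allowed_tcp_ports": ["22", "443"]},
}

# Constructed snapshot of the running host, as a config-collection agent might
# report it. Two settings have drifted and one component was never baselined.
CURRENT = {
    "sshd": {"PermitRootLogin": "no", "PasswordAuthentication": "yes", "Port": "22"},
    "firewall": {"default_policy": "DROP", "allowed_tcp_ports": ["22", "443", "8080"]},
    "docker": {"userns_remap": "default"},
}


def fingerprint(config):
    """Stable SHA-256 over a canonical JSON encoding of a config tree.

    Record this next to the approved baseline (e.g. in the change ticket) so
    that an unreviewed edit to the baseline file itself is also detectable.
    """
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def find_drift(baseline, current):
    """Return (path, expected, actual) tuples for every departure from the baseline.

    List-valued settings are compared as sets, so an *extra* open port is
    reported even when every baseline port is still present. Components present
    on the host but absent from the baseline are reported too, because an
    undocumented component is itself a finding under a configuration standard.
    """
    drift = []
    for section, expected_settings in baseline.items():
        actual_settings = current.get(section)
        if actual_settings is None:
            drift.append((section, expected_settings, None))
            continue
        for key, expected in expected_settings.items():
            actual = actual_settings.get(key)
            if isinstance(expected, list):
                extra = set(actual or []) - set(expected)
                missing = set(expected) - set(actual or [])
                if extra or missing:
                    drift.append((f"{section}.{key}", expected, actual))
            elif actual != expected:
                drift.append((f"{section}.{key}", expected, actual))
    for section in current:
        if section not in baseline:
            drift.append((section, None, current[section]))
    return drift


if __name__ == "__main__":
    print("baseline fingerprint:", fingerprint(BASELINE))
    for path, expected, actual in find_drift(BASELINE, CURRENT):
        print(f"DRIFT {path}: expected {expected!r}, found {actual!r}")
```

Run against the constructed snapshot, the check reports `sshd.PasswordAuthentication`, `firewall.allowed_tcp_ports` and the unbaselined `docker` section. In practice the baseline lives in version control, the fingerprint is what the change record approves, and the drift list is what you alert on and correlate with change tickets when investigating an incident.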
A final noticeable update relates to secure development. Since the ISO 27001:2013 release, application security has become a bigger focus in the security industry, specifically as it relates to including application security testing in the development pipeline. The 2022 update addresses this with control 8.28, which calls out that secure coding principles should be applied during software development. In the previous version of ISO 27001 this was often only implicit, so it’s a big step forward to see it explicitly called out. It addresses a large industry trend that should already be standard security practice.
Why you need it
Being ISO 27001 compliant helps show that your security program, and those of the companies in your supply chain, have a proper program and processes in place.
This standard is interesting as a CISO because it deals more with showing that your company has an overall security program, called an Information Security Management System (ISMS). And while going through the process of ISO 27001 compliance is challenging, it helped highlight gaps in the security program that I was building. As a leader, sometimes you get so focused on specific details of the program or on solving a specific problem that you forget to step back and look at the broader picture. Achieving ISO 27001 (and renewing it) helps you keep that focus on your overall program.
It’s not just about adhering to a standard. ISO 27001 compliant companies show a certain level of maturity in their security processes, as well as a willingness to be audited against those processes and to share the results with other parties, like board members and customers.
Finally, it helps a security leader be confident that they understand the risks in the supply chain. As we’re all learning, supply chain security is arguably the most important topic in the industry today, and we as security leaders need to work to control our data and better understand who we share it with. It is of course our job to protect it. On the flip side, we need to provide the same assurances to the people with whom we do business. Our customers want assurance that we will protect their data, and compliance certifications help provide it.