The ISO/IEC 27000 family of standards helps organizations protect their information and assets. ISO/IEC 27001 is a security standard that outlines and provides the requirements for an information security management system (ISMS). It specifies a suite of activities, which “preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.”
Annex A of ISO/IEC 27001:2013 groups its controls into 14 domains:
A.5 Information security policies
A.6 Organization of information security
A.7 Human resource security
A.8 Asset management
A.9 Access control
A.10 Cryptography
A.11 Physical and environmental security
A.12 Operations security
A.13 Communications security
A.14 System acquisition, development and maintenance
A.15 Supplier relationships
A.16 Information security incident management
A.17 Information security aspects of business continuity management
A.18 Compliance
Compliance in the Cloud and Key Challenges
If you are in the cloud, evaluating and assessing ISO controls is different than in a traditional data center environment. Most ISO 27001 controls can be categorized as either procedural or technical. Procedural controls are usually related to policies, procedures and processes. Technical controls typically relate to the configuration of your cloud environment and should be implemented and assessed using cloud security tools that read that configuration directly, rather than relying on interviews and documentation.
Designing and implementing technical security and privacy controls in the cloud presents unique challenges, listed below:
1. Lack of visibility – with hundreds of security groups, projects, entities, instances and accounts across several regions, it is difficult to keep track of security policy configurations and to verify that these policies are actually being enforced. Companies need tools that provide security visualization, management, and enforcement of compliance and security best practices.
2. Ever-changing cloud technology – existing security solutions are not designed to support dynamic cloud infrastructure that changes rapidly, often many times a day.
3. Knowledge gap – one of the challenges of cloud computing is the lack of cloud-specific security knowledge in DevOps and compliance teams. This knowledge gap makes it even harder to develop enterprise-wide guidelines and best practices backed by detailed technical recommendations.
4. Large amounts of data – existing security and compliance tools focus on analyzing large volumes of data and generating text-heavy reports. They lack the ability to visualize configuration and activity data, and cannot support real-time monitoring of compliance and security requirements.
5. Remediation is a pain – complex cloud architectures make it difficult to identify known issues immediately upon discovery and to perform the necessary remediation actions from a single platform.
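To make concrete what "assessing a technical control from configuration" means in the sense used above, here is an added example that is not Dome9 code and not part of the original page. It evaluates a constructed inventory of security groups, spread across two accounts and regions as in the visibility challenge described earlier, against one technical control: management ports must not be open to the entire Internet. The rule and group shapes are assumptions modelled loosely on AWS-style security groups, and the mapping of the finding to Annex A control A.13.1.1 (Network controls) is the author's choice for the example.

```python
import ipaddress

# Added example, not Dome9's code. Assess one technical control (no
# Internet-wide exposure of management ports) over a constructed inventory
# of cloud security groups. Rule/group field names are assumptions.

# Management ports that should never be reachable from the whole Internet.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def rule_is_world_open(rule):
    """True if the ingress rule's source is the entire IPv4 or IPv6 Internet."""
    try:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
    except ValueError:
        return False  # a security-group reference, not a CIDR: out of scope here
    return net in (ANY_V4, ANY_V6)


def exposed_ports(rule):
    """Management ports covered by the rule's port range (-1 means all ports)."""
    lo, hi = rule["from_port"], rule["to_port"]
    if lo == -1 or hi == -1:
        return set(MANAGEMENT_PORTS)
    return {p for p in MANAGEMENT_PORTS if lo <= p <= hi}


def assess_security_groups(groups):
    """Return a list of findings; an empty list means the control passes."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            # Only TCP (or "all protocols") rules can expose these services.
            if rule["protocol"] not in ("tcp", "-1"):
                continue
            if not rule_is_world_open(rule):
                continue
            for port in sorted(exposed_ports(rule)):
                findings.append({
                    "account": sg["account"],
                    "region": sg["region"],
                    "group_id": sg["group_id"],
                    "port": port,
                    "service": MANAGEMENT_PORTS[port],
                    "source": rule["cidr"],
                    "control": "A.13.1.1 Network controls",  # assumed mapping
                })
    return findings


# Constructed inventory across two accounts and regions (not real data).
SAMPLE_GROUPS = [
    {"account": "111111111111", "region": "us-east-1", "group_id": "sg-web",
     "ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443,
                  "cidr": "0.0.0.0/0"}]},            # public HTTPS: allowed
    {"account": "111111111111", "region": "us-east-1", "group_id": "sg-bastion",
     "ingress": [{"protocol": "tcp", "from_port": 22, "to_port": 22,
                  "cidr": "0.0.0.0/0"}]},            # SSH to the world: finding
    {"account": "222222222222", "region": "eu-west-1", "group_id": "sg-db",
     "ingress": [{"protocol": "tcp", "from_port": 3306, "to_port": 3306,
                  "cidr": "10.0.0.0/8"},             # internal only: fine
                 {"protocol": "-1", "from_port": -1, "to_port": -1,
                  "cidr": "::/0"}]},                 # everything over IPv6: findings
]

if __name__ == "__main__":
    for f in assess_security_groups(SAMPLE_GROUPS):
        print(f"{f['account']}/{f['region']} {f['group_id']}: "
              f"{f['service']}/{f['port']} open to {f['source']} ({f['control']})")
```

The IPv6 "all protocols, all ports" rule on sg-db is the kind of finding a text-only review tends to miss: the group looks internal because its one explicit MySQL rule is scoped to 10.0.0.0/8, while the catch-all rule beside it exposes every management port. Running a check like this on every change, rather than at audit time, is what turns the control from a procedural statement into something continuously verified.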
How Does Dome9 Help with ISO 27001:2013 Compliance?
1. Visibility into all of your Cloud Assets
A company needs to clearly define all the system components that are in scope for ISO 27001 certification. Dome9 provides visibility into your cloud assets, a prerequisite for ISO 27001 compliance, since you cannot protect information that is not on your radar.
2. Compliance Engine
A real-time view of your compliance and security posture, so that risks can be mitigated as soon as they appear.
3. Governance Specification Language (GSL)
GSL allows compliance and security teams to write and review any compliance check in seconds without deep technical knowledge. This means fewer errors in translating IT governance requirements into policy definitions.
4. Continuous Compliance
Continuous Compliance allows Dome9 clients to run compliance assessments continuously against various compliance suites and to deliver the findings through the most convenient method, such as email, an SNS notification message or a PDF report.
5. Advanced Alerts Mechanism
Our Advanced Alerts Mechanism alerts you on findings that Dome9 discovers when scanning AWS accounts, Azure subscriptions, and GCP projects. This allows you to maintain ISO 27001 compliance, trigger incident response and start your investigation as soon as a major issue is found.
Dome9 Magellan delivers enhanced threat intelligence, deep event correlation, and policy-driven intrusion detection and forensics purpose-built for the public cloud, which are crucial for meeting the standard's threat detection and incident response requirements.
Get Started Today with Dome9 for AWS ISO 27001 Compliance
The Dome9 Compliance Engine provides continuous, automated compliance assessment against the ISO 27001 standard across your cloud accounts, with out-of-the-box compliance bundles.
Below is the breakdown of how Dome9 can support your organization with ISO 27001:2013:
With a single click, you can automate your ISO 27001 continuous compliance assessment in real time using Dome9’s Compliance Engine and continuous compliance features.
Dome9 can help you automate your company's ongoing ISO 27001:2013 certification and compliance efforts. Our Compliance, Threat Intelligence, and Network Security solutions automate checks and provide tools that can help you with 50% of the ISO 27001:2013 sections. Learn more at www.dome9.com/compliance