Whitepaper

ISO 27000 Compliance

Taking advantage of Forward Networks to monitor for Annex A controls
ISO 27001 provides a framework for organizations to establish, implement, maintain, and continually improve an ISMS (Information Security Management System). It adopts a risk-based approach to information security, focusing on preserving the confidentiality, integrity, and availability of information assets. The standard is designed to be flexible and applicable to organizations of all sizes and sectors.
The applicability of ISO 27001 extends beyond mere compliance. Organizations that implement the standard often experience improved operational efficiency, enhanced risk management capabilities, and increased stakeholder confidence. The standard’s emphasis on continuous improvement encourages organizations to adapt their security measures to evolving threats and technological advancements.
Controls described in the framework are classified as Preventative, Detective, and Corrective. Organizations use a variety of tooling to systematize and analyze their Information Systems and organizational practices for governance and compliance with the ISO 27000 framework. Forward Enterprise users are able to streamline control compliance for all the controls related to their network equipment, along with the 13 controls related to asset reachability and segregation.
With the release of the standard update in October 2022, the clock has started for all organizations to re-certify to the updated standard. All the new ISO certifications obtained or renewed after May 1st this year must update controls to comply with ISO 27001:2022. These time-sensitive changes in controls and reporting structure challenge complex, distributed organizations to update their processes and find tools to improve visibility. Forward Enterprise’s digital twin platform can smooth the process for enterprises transitioning from the 2013 version and help those just obtaining the certification for the first time.
ISO 27000 Compliance Chart
This paper helps the user navigate the complexities of ISO 27000 and achieve and maintain compliance with the help of Forward Networks’ platform.

Background

ISO 27001 is an international standard for ISMS that has gained significant traction in the financial industry and among international corporations since its introduction in 2005. The standard evolved from the British Standard BS 7799, which was first published in 1995 and later revised in 1998 and 2002.
In the financial industry, ISO 27001 has become particularly relevant due to the sector’s heavy reliance on information technology and the critical nature of the data it handles. Banks, insurance companies, and other financial institutions have embraced the standard to demonstrate their commitment to protecting sensitive financial information and maintaining customer trust. Compliance with ISO 27001 can help these organizations meet regulatory requirements, such as those imposed by the Sarbanes-Oxley Act in the United States or the General Data Protection Regulation (GDPR) in the European Union. However, achieving and maintaining this compliance in large, distributed environments proves challenging due to the organizational and information systems’ complexity.
For international corporations, ISO 27001 offers a globally recognized framework for managing information security risks across diverse geographical locations and business units. The standard’s process-based approach allows multinational companies to implement consistent security practices throughout their operations, regardless of local variations in technology or regulatory environments.
Key components of ISO 27001 implementation include:
  1. Defining the scope of the ISMS and identifying the assets
  2. Conducting a risk assessment
  3. Implementing security controls
  4. Developing policies and training staff
  5. Monitoring the effectiveness of the ISMS
  6. Conducting internal audits and management reviews

In 2022, a new version of ISO 27000 was published, updating the earlier 2013 version of the standard. For the organizations that were previously certified as ISO 27000-compliant, this means having to update their processes to demonstrate their alignment with the new controls. For enterprises just starting the process, the new version of the standard clarifies the risk focus of the framework and helps organize the compliance motion. The key changes introduced in the 2022 version align with evolving information security challenges and practices. Here are the main differences:

  1. ISO 27001:2013 had 114 controls organized into 14 domains (Annex A).
  2. ISO 27001:2022 has consolidated these into 93 controls organized into 4 main clauses in Annex A (clauses 5 to 8):
    5. Organizational controls
    6. People controls
    7. Physical controls
    8. Technological controls
  3. ISO 27001:2022 introduces some new terms and controls to reflect current information security practices. New controls include:
    1. Threat intelligence
    2. Information security for use of cloud services
    3. ICT readiness for business continuity
    4. Physical security monitoring
    5. Configuration management
    6. Information deletion
    7. Data masking
    8. Data leakage prevention

Risk assessment

Similar to the earlier revision, ISO 27000:2022 maintains the emphasis on a risk-based approach to Information Systems security.
Considering varying regulatory requirements, cultural differences, and location-specific risks, many diverse teams need to collaborate to continuously assess risk and reference the same source of truth.
Connected infrastructure undergoes ongoing changes, so organizations need tools to overcome visibility challenges and continuously monitor asset inventory, identify threat vectors, evaluate the likelihood of attack, analyze the possible impact, and verify the effectiveness of compensating controls.
Forward Networks’ in-depth analysis of connected information systems operationalizes these tasks: maintaining the asset inventory, monitoring exposure to untrusted zones to evaluate the likelihood of an attack, tracking network equipment vulnerabilities, and verifying the effectiveness of compensating controls such as firewalls and encryptors.

Network security controls

Evaluating and implementing network security controls is essential for achieving ISO 27001 compliance, particularly during risk assessments. Annex A of the framework offers a comprehensive set of security controls, with section A.8 focusing on “Technological Controls.” This section ensures the protection of information in networks and their supporting information processing facilities. Out of the thirty-four technical controls in section A.8, seventeen directly relate to network architecture and security. Below are some of the network security management controls included in Annex A.

A.8.20 Network security

This control requires organizations to manage and control networks to protect information in systems and applications. It challenges security teams to define and verify processes that are ultimately carried out by many network operations teams across the enterprise. It involves implementing measures such as:
  • Establishing responsibilities and procedures for network management
  • Separating operational responsibility from computer operations
  • Implementing controls to ensure the security of data passing over public or wireless networks
  • Applying appropriate logging and monitoring

A.8.21 Security of network services

This control requires that security features, service levels, and management requirements be identified and included in the service agreements for all network services, whether provided in-house or outsourced. The challenge in implementing this control lies in establishing an inventory of network services and their business context. Key aspects include:
  • Defining technology for connecting to network services securely
  • Procedures for network services’ usage
  • Restrictions on network service usage where necessary

A.8.22 Segregation in networks

This control is about the segregation of information services, users, and information systems on networks. Network isolation is always in conflict with the ease of operations, which makes access control architecture challenging. Furthermore, monitoring ongoing segregation while information systems change dynamically proves especially difficult. Specific tasks include:
  • Separate groups of information services, users, and information systems
  • Define and implement rules for traffic flow on networks
  • Implement network segregation based on the value and classification of information stored or processed
  • Maintain segregation of wireless networks from internal networks

A.8.28 Secure system architecture and engineering principles

This control ensures that information security is designed and implemented within the development lifecycle of information systems, requiring DevSecOps principles to be instilled at the time of application system development.

  • Security by design: Incorporating security measures from the earliest stages of system development
  • Defense in depth: Implementing multiple layers of security controls
  • Least privilege: Granting users only the minimum necessary access rights
  • Separation of duties: Dividing critical functions among different individuals

These controls collectively aim to ensure that networks and the information they carry are adequately protected against threats, unauthorized access, and potential breaches. They emphasize the importance of comprehensive network management, clear policies and procedures, appropriate segregation, and secure information transfer practices.

Implementing these controls helps organizations maintain the confidentiality, integrity, and availability of their network-based information assets, which is crucial in today’s interconnected business environment.

Developing Policies

Following the principles of good governance and the ISO framework requirements, corporations and international organizations typically develop and implement organizational and technological policies for their connected infrastructure.

The higher level policy areas would include topics like:

  • Up-to-date physical and logical asset inventory
    • Maintain a list of applications, services, and devices, including their locations and owners; version-controlled LAN and WAN network diagrams and firmware/configuration files for critical network equipment; all network-connected equipment is visible, authenticated, and manageable by ICT personnel.
  • Comprehensive network security
    • Implement a holistic approach to network security, including sub-network isolation, device visibility, firmware record maintenance, traffic filtering, protocol management, and network information categorization.
  • Access controls
    • Require authentication for all users, systems, and applications before operation on the network; implement the least privilege principle.
  • Data security
    • Implement comprehensive data classification, traffic filtering, secure data storage and transfer across all networks, including third-party networks, and maintain proper functionality of all connected applications.

Monitoring information systems

Information systems in a large organization continuously evolve. Continuous, comprehensive monitoring of all activities affecting information security across the network and its components is essential to maintaining compliance.

Aspects of monitoring include change management, security monitoring, performance monitoring, availability monitoring, and vulnerability scanning.

Corrective activities that result from monitoring may include security incident response, capacity management, and procedures to suspend or deactivate compromised or unreliable assets.

In addition to monitoring, enterprises implement reporting on the frequency and severity of issues as well as metrics of corrective activities, such as mean time to remediate (MTTR).

To maintain policy compliance and manage risk, corporations implement change control and continuous monitoring. Here’s a description of a typical process:

Audit and Management Review

Internal audit and management reviews are an important part of the ISO 27001 compliance process. They are conducted at planned intervals, typically quarterly or bi-annually, with network security being a key agenda item.

Common aspects of the audit include compliance with corporate policies and ISO 27001 requirements, such as assessing the implementation of network security and organizational controls, verification of compliance with internal policies and external regulations, and testing the effectiveness of network monitoring and incident response processes.

The results of internal audits together with critical IS changes form the basis of the periodic management reviews. The review process places significant emphasis on risk assessment and budgetary implications. Management evaluates how effectively current network security measures are mitigating identified risks and whether new or emerging threats require additional controls or resources. They also consider the financial impact of proposed security enhancements, weighing the potential costs of implementation against the risks of inaction.

The outcomes of these management reviews may drive investing in new security technologies, expanding the security team, or enhancing training programs. The review process also often leads to updates in network security policies and procedures, ensuring they remain relevant and effective in the face of evolving threats.

Throughout this process, management maintains a focus on continuous improvement, using the insights gained from monitoring, audits, and reviews to refine and strengthen the security posture over time. This iterative approach ensures that risk management aligned with the organization’s business objectives remains at the forefront of decision-making, highlighting the need for tooling that can be a part of the ongoing detection and correction process.

Conclusion

A comprehensive information security approach offered by ISO 27001 helps organizations maintain a robust network security posture and ensure continuous improvements. Compliance requires that:

  1. The process adapts to changes in the threat landscape and technological advancements.
  2. There’s a clear linkage between network security activities and the overall objectives of the ISMS.
  3. Both on-premises and cloud infrastructure are treated with equal importance in terms of security management.
  4. All activities are recorded.

The standard’s adaptability and focus on risk management make it a valuable tool for organizations seeking to protect their information assets in an increasingly complex digital landscape. ISO 27001 compliance certification can serve as a competitive advantage, particularly in financial, manufacturing, healthcare, and retail industries where information security is a critical concern.

As cyber threats continue to evolve and data protection regulations become more stringent, the relevance of ISO 27001 is likely to grow.
