ISO 27001 For Your Cloud

What is ISO 27001?

ISO 27001 is a specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

According to its documentation, ISO 27001 was developed to “provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.”

Annex A now has 114 controls in 14 clauses and 35 control categories; the 2005 edition of the standard had 133 controls in 11 groups.

  • A.5: Information security policies (2 controls)
  • A.6: Organization of information security (7 controls)
  • A.7: Human resource security (6 controls)
  • A.8: Asset management (10 controls)
  • A.9: Access control (14 controls)
  • A.10: Cryptography (2 controls)
  • A.11: Physical and environmental security (15 controls)
  • A.12: Operations security (14 controls)
  • A.13: Communications security (7 controls)
  • A.14: System acquisition, development and maintenance (13 controls)
  • A.15: Supplier relationships (5 controls)
  • A.16: Information security incident management (7 controls)
  • A.17: Information security aspects of business continuity management (4 controls)
  • A.18: Compliance (8 controls)

Who Does It Apply To?

Any company that has sensitive information can find ISO 27001 useful.

Scope of Regulation

The scope of ISO 27001 compliance is all-encompassing. It provides a methodology for companies to identify and understand their information security risks and then define procedures to prevent those risks from turning into incidents.

Core Requirements

With the adoption of cloud services, complying with ISO 27001 is becoming more complex, placing an additional burden on workforce and budget.

CloudOptics ensures that the technical controls needed for ISO 27001 compliance are in place on AWS, Azure and GCP, and also establishes proper implementation of user controls.

  • Organization of Information Security

    Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

  • Asset Management

    Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained.

  • Access Control

    Password management systems shall be interactive and shall ensure quality passwords.

  • Cryptography

    A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle.

CloudOptics Compliance Controls Monitoring

CloudOptics facilitates rapid compliance assessment through a cost-effective and timely approach in which platform, procedures and people are tightly integrated with IT infrastructure, network and security operations. It provides an intelligent mapping of required cybersecurity controls to the IT configurations that implement them, as well as expert integration of these controls into IT security operations, platform and processes.

Data Security

Data protection in transit and at rest: monitoring of the mechanisms used to encrypt and decrypt protected information.

Identities, credentials and remote access are managed for authorized devices and users.

Access permissions are managed, incorporating the principles of least privilege and separation of duties.

Continuous visibility and monitoring of all infrastructure configurations with actionable insights.
