Aseem Rastogi

Complying with ISO27001 while on AWS

Blog Post created by Aseem Rastogi on Nov 8, 2018

Information security is vital. However, as an aspect of corporate management, its aim must be to provide optimum support for business objectives. A well-structured Information Security Management System (ISMS), designed in accordance with international standards, provides an ideal foundation for the efficient and effective implementation of a comprehensive security strategy, particularly in an era where cyber threats are a constant concern.

One of the ways that companies can better manage risk and shield themselves from cyber-attacks is by implementing an ISMS in accordance with the international information security standard ISO 27001.

ISO 27001 is a universal information risk management standard designed to guide the selection of adequate and proportionate controls to protect information. It was created to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and, finally, improving an ISMS.

ISO 27001 Security Domains, Control Objectives and Controls

ISO 27001 covers a wide variety of security elements, including key areas such as company security policy, asset management, physical and environmental security, and access control.

For example, the security domain Asset Management should have the following controls:

  • All assets shall be clearly identified and an inventory of all the important assets drawn up and maintained
  • Rules for the acceptable use of information and assets associated with information processing facilities shall be identified, documented, and implemented
  • An appropriate set of procedures for information labelling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization

Across these 14 security domains, ISO 27001 defines 114 specific controls organized under 35 control objectives, to ensure that adequate and proportionate security controls are selected to protect information assets.

ISO 27001 implementation is a complex task involving many activities and many people, and typically lasting several months. As more and more enterprises turn to cloud service providers like AWS to offload their IT infrastructure and computing needs, implementing ISO 27001 brings additional challenges because of the shared responsibility model of a cloud environment.

ISO 27001 in a Shared Security Model such as AWS

Security and compliance are a shared responsibility between AWS and its customers. AWS ensures security of the cloud by managing and controlling the host operating system, the virtualization layer, and the physical security of its facilities. Customers are responsible for security in the cloud: configuring and managing the security controls for the guest operating system and other applications (including updates and security patches), the security group firewall, and encryption of data in transit and at rest. In short, AWS is responsible for security in the infrastructure and virtualization layers, and customers are responsible for the security of the application layer and of the customer data itself.

Attention to Controls and Mapping of Compliance

ISO 27001 implementation in a shared security model brings new challenges. AWS fulfils the control requirements for the infrastructure, and the customer must provide their own control implementation within their use of AWS services.

Although AWS provides advanced Identity and Access Management (IAM) services that give customers granular control over user permissions and provisioning, customers are still responsible for mapping appropriate access control policies using AWS IAM and AWS KMS, and for configuring AWS Security Groups (the firewall) to prevent inappropriate access to ports. Here are some examples that show the customer's share of the work for a few AWS entities.
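As an added example (not from the original post) of the customer's share of the security-group control just described: a Python check that flags ingress rules exposing administrative ports to the whole Internet, the kind of check a continuous-compliance assessment would run on a schedule. The input follows the shape of the EC2 DescribeSecurityGroups response; the sample groups and the list of administrative ports are constructed, and the boto3 call that would supply real data is only mentioned, not made.

```python
"""Offline check for security-group ingress rules that expose administrative
ports to the whole Internet.  Input is shaped like the EC2
DescribeSecurityGroups response; in practice it would come from
boto3's ec2.describe_security_groups() (assumption, not called here)."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports the customer's access-control policy forbids from the world (constructed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample response, not data from a real account.
SAMPLE_RESPONSE = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0ccc", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}


def world_open(rule):
    """True if any IPv4 or IPv6 range in the rule is the whole Internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def exposed_admin_ports(rule):
    """Admin ports the rule reaches; protocol '-1' means every port."""
    if rule["IpProtocol"] == "-1":
        return set(ADMIN_PORTS)
    if rule["IpProtocol"] != "tcp":       # the listed services are TCP
        return set()
    lo, hi = rule["FromPort"], rule["ToPort"]
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def find_violations(response):
    """Return (group id, port, service) for every world-open admin port."""
    findings = []
    for sg in response["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            if world_open(rule):
                for port in sorted(exposed_admin_ports(rule)):
                    findings.append((sg["GroupId"], port, ADMIN_PORTS[port]))
    return findings
```

Each finding maps directly to an access-control deviation to record in the ISMS, and the "web" group shows that a world-open HTTPS rule is not flagged while its SSH rule restricted to 10.0.0.0/8 is accepted.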

Staying Compliant All the Time

Information security involves an ever-evolving set of practices, as organizations must stay one step ahead of cyber criminals. The best way to do that is to continuously assess the compliance posture and conform to information security policies and standards, as well as to relevant laws and regulations.

CloudOptics Unlocks Compliance Complexity

CloudOptics helps customers rapidly assess compliance through a cost-effective and timely approach in which tools, procedures and people are tightly integrated with IT infrastructure, network and security operations.

CloudOptics makes the execution and monitoring of compliance easy for customers. It provides an intelligent mapping of the required cybersecurity controls to the IT configurations that implement them, as well as expert integration of these controls into IT security operations, tools and processes. Moreover, the continuous compliance monitoring platform developed by CloudOptics helps you provide assurance to business stakeholders.

Outcomes