Compliance. It’s a word that can send chills down anyone’s spine, especially that of an IT admin. The International Organization of Standardization/International Electrotechnical Commision (ISO/IEC) 27001 is the holy grail when it comes to IT compliance audits. The standard describes an information security management system (ISMS), a powerful method for preventing a data breach. Given the prevalence of data breaches these days, achieving ISO/IEC 27001 certification is paramount. Let’s explore some techniques that will improve your organization’s chances of doing so.

What is an ISMS?

As previously stated, the ISO/IEC 27001 standard describes the creation of an ISMS. But, when you boil down to it, what does an ISMS really entail? Well, according to ISO, an ISMS is “a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes, and IT systems by applying a risk management process.” While many organizations have various information security plans, tools, and protocols, an ISMS provides one coalesced resource that connects these security controls together.

A key facet of any ISMS is its abilities regarding identity and access management (IAM). In a time when data breaches are rampant in the news, keeping secure user identities is critical. Ensuring that the right people are using the right tools and seeing the right information is foundational in ISO/IEC 27001 compliance. IT organizations can leverage a strong directory service to create a secure database of user identities and control the resources those identities can access.

A proper ISMS should not only handle operations such as IAM, but should also be backed by strong security practices, as well. One newer concept that can be handy when thinking about compliance is a zero trust security model, meaning that all things, from resources and assets to processes and people, are potential security threats and should be monitored. Or said another way, IT admins need to make sure that every person or systems talking to your infrastructure has been validated positively. This is, at its core, identity and access management.

Of course, with compliance you’ll need to prove that only the right (Read more…)