The ISO 27001 standard has been developed for companies that would like to manage and protect their critical information assets, and give confidence to customers, consumers, shareholders, authorities, and any other interested party. Identification and classification of a company's assets, together with periodic threat and vulnerability risk assessments, allows selection of the right controls and therefore appropriate management of the risks, preserving the confidentiality, integrity, and availability of valuable information assets.
Through our Software Compliance Testing service for ISO/IEC 27001, we assess and test vendors’ software solutions to ensure they support ISO/IEC 27001 requirements. After a thorough evaluation, we feature these solutions on our website.
ISO/IEC 27001 Compliance Testing Controls
Compliance Testing for ISO/IEC 27001 relies on credible, objective testing controls based on the intent of the ISO/IEC 27001 requirements. This approach incorporates insights from Lead Auditor and Implementer perspectives, and from various specialists, including affected software vendors, developers, users, and industry groups, to align with organizational needs. The ISO/IEC 27001 compliance testing controls cover the following software control categories:
Application and DevOps Security
Application Security: ISO/IEC 27001 tackles application security with controls focused on secure development lifecycle (A.8.25), application security requirements (A.8.26), secure coding (A.8.28), security testing during development and acceptance (A.8.29), outsourced development (A.8.30), and separation of development, test, and production environments (A.8.31). These controls aim to build security into the application development process from its inception to deployment and maintenance.
DevOps Security: ISO/IEC 27001 doesn’t directly address DevOps security. It’s important to note that while ISO/IEC 27001 provides a solid foundation for information security, it might not cover all aspects of specific methodologies like DevOps. Organizations practicing DevOps would need to consider how ISO/IEC 27001’s controls apply within their DevOps processes and if additional security measures are necessary.
Asset Inventory and Management
ISO/IEC 27001 mandates that organizations maintain an inventory of information and other related assets (A.5.9). The standard emphasizes the need to understand the organizational context, encompassing its assets (4.1). This means identifying and documenting assets, assessing their value, and implementing suitable controls to ensure their protection.
Awareness and Training
ISO/IEC 27001 strongly recommends information security awareness, education, and training for employees (A.6.3). This encompasses training on security policies, processes, and best practices pertinent to their roles.
Backup and Recovery
ISO/IEC 27001 incorporates controls for information backup (A.8.13), redundancy of information processing facilities (A.8.14), and ICT readiness for business continuity (A.5.30). These controls are in place to guarantee that essential data is backed up and that systems can be recovered in the event of an incident or disaster.
Audit and Compliance Management
ISO/IEC 27001 necessitates internal audits at scheduled intervals. These audits are designed to verify the ISMS’s compliance with the standard and evaluate its effectiveness (9.2). Furthermore, the standard makes management reviews mandatory to gauge the ISMS’s suitability, adequacy, and effectiveness (9.3). Achieving ISO/IEC 27001 certification involves a two-stage audit conducted by an accredited certification body.
Data Security
ISO/IEC 27001 lays out a comprehensive framework aimed at safeguarding the confidentiality, integrity, and availability of data. Controls pertaining to data security include information classification (A.5.12), data masking (A.8.11), data leakage prevention (A.8.12), and information transfer (A.5.14). It emphasizes a risk-focused strategy to identify and manage data security risks.
Endpoint and Device Protection
ISO/IEC 27001 addresses endpoint and device protection through controls related to user endpoint devices (A.8.1), secure authentication (A.8.5), protection against malware (A.8.7), and secure disposal or re-use of equipment (A.7.14). Furthermore, it covers physical security measures to protect equipment, encompassing controls like physical security perimeters (A.7.1), physical entry limitations (A.7.2), securing offices and facilities (A.7.3), protection against environmental threats (A.7.5), and equipment siting and protection (A.7.8).
Identity Management and Access Control
ISO/IEC 27001 highlights identity management (A.5.16) and access control (A.5.15) as crucial elements of information security. This encompasses managing user identities, authenticating users, and granting access to information and systems based on roles and responsibilities. Specific controls include segregation of duties (A.5.3), access rights (A.5.18), and privileged access rights (A.8.2).
Incident Response
ISO/IEC 27001 mandates organizations to establish a plan for managing information security incidents, covering preparedness (A.5.24), event assessment and decision-making (A.5.25), incident response (A.5.26), and lessons learned from incidents (A.5.27). It stresses the importance of reporting information security events (A.6.8) and having a defined process for gathering evidence (A.5.28).
Logging and Threat Detection
ISO/IEC 27001 makes logging activities (A.8.15) and monitoring activities (A.8.16) mandatory for tracking system and user actions and identifying any suspicious behaviour.
Network Security
ISO/IEC 27001 incorporates controls for network security (A.8.20), security of network services (A.8.21), and segregation of networks (A.8.22). These controls focus on strengthening the security of an organization's network infrastructure, encompassing elements like firewalls, intrusion detection/prevention systems, and network segmentation.
Posture and Vulnerability Management
ISO/IEC 27001 deals with vulnerability management through the control focused on the management of technical vulnerabilities (A.8.8). This involves a continuous cycle of identifying, evaluating, and remediating security weaknesses found in systems and applications.
Risk Assessment and Management
ISO/IEC 27001 is fundamentally structured around a risk-based approach, making it mandatory for organizations to establish, implement, maintain, and continuously enhance a process for information security risk assessment (8.2) and risk treatment (8.3). This necessitates identifying, analyzing, evaluating, and treating information security risks. The standard stresses the importance of comprehending the organizational context, including internal and external elements that have the potential to impact risk (4.1, 4.2). Moreover, the standard outlines the requirement for a Statement of Applicability (SOA) to systematically record the organization’s methodology for implementing controls based on the outcomes of the risk assessment (6.1.3).
Software Bill Of Materials (SBOM)
While SBOMs are not directly addressed, several ISO/IEC 27001 controls relate to managing software and its security and are therefore relevant to SBOMs:
A.8 Asset Management: This control category emphasizes the importance of inventorying information assets, which would include software. An SBOM can be a valuable tool within this control to document the components of software used within an organization.
A.14 System Acquisition, Development, and Maintenance: This control category addresses security considerations throughout the software lifecycle. SBOMs support this by providing transparency into software components, aiding in vulnerability management and secure development practices.
A.15 Supplier Relationships: This section highlights the importance of managing security risks associated with suppliers. SBOMs play a role in assessing and mitigating risks related to software procured from third parties.
Zero Trust Network Access
Despite not being explicitly mentioned, ISO/IEC 27001’s principles of least privilege (A.5.18) and segregation of duties (A.5.3), when combined with robust authentication (A.8.5) and network segmentation (A.8.22), align with the fundamental ideas behind zero trust security.
Continuous Evaluation Process
Compliance Labs has developed the compliance continuous testing process as a fundamental aspect of the ISO/IEC 27001 compliance testing controls. The continuous evaluation process monitors new cybersecurity regulations, standards compliance requirements, and framework best practices, and updates the testing criteria accordingly to sustain software compliance effectiveness and quality over the long term.