ISO 27001: Correct use of Privileged Access Management 


ISO 27001 is the world's most comprehensive and widely recognized framework for information security management systems (ISMS). It forms the core of many organizations' cybersecurity programs and is considered an essential foundation for a wide range of compliance regulations. Access controls, including PAM, feature prominently among the standard's requirements.

What exactly is ISO 27001?

ISO 27001 is issued by the International Standards Organization (ISO). It specifies the requirements for an ISMS whose implementation results in a secure infrastructure. ISO 27001 is comprehensive and covers nearly all aspects of information security: its controls address security policy, physical security, and incident and attack response. The framework ensures that the certified organization applies internationally recognized best practices in information security.

The goal of ISO 27001 is the continuous improvement of security standards. This approach is built into the planning, control and action processes that allow an organization to self-certify as ISO 27001 compliant. Alternatively, an organization can obtain independent certification, which a third party awards after a thorough audit.

Information on the current upcoming revision of ISO 27001, as well as the published update ISO 27002:2022, can be found here.

ISO 27001 and information security compliance

The ISMS framework enables organizations to meet the requirements of various regulations such as the General Data Protection Regulation (GDPR), HIPAA (Health Insurance Portability and Accountability Act) or PCI-DSS (Payment Card Industry Data Security Standard). This is particularly valuable because the control mechanisms of the ISMS are configurable and can be tailored to the respective requirements. For example, if encryption of data media is necessary for HIPAA compliance, that aspect can be made mandatory within the ISMS framework.

The ISO 27001 framework helps organizations understand what they need to do to comply with a variety of regulations.

One of the requirements imposed on organizations seeking ISO 27001 certification is legal compliance. This is covered in clause A.18.1, which is entitled "Compliance with legal and contractual requirements". This section defines these controls in more detail. For example, subsection A.18.1.1 explicitly mentions that the ISMS must identify and document legal and regulatory requirements.

ISO 27001 access controls

ISO 27001 is a comprehensive framework for information security. It includes controls for security policies, asset management, cryptography, human resources and more. Access controls, however, play a central role: there are specific controls that address access, but almost every other aspect of the framework also depends on whether or not you can control access. For example, it is impossible to back up data effectively if you cannot control who has access to the encryption software or to the stored backups themselves.

Where PAM and ISO 27001 Annex A requirements intersect

PAM (Privileged Access Management) is the area of security that deals with controlling and monitoring administrative users and other holders of privileged accounts. These privileges give users access to the back ends of critical systems: they can configure a firewall or delete a database user account, delete or modify data, and install or uninstall software. This group includes employees, contractors and even automated applications. Since all of them have, or could obtain, access to sensitive information and systems, their access must be regulated. ISO 27001 addresses this requirement both directly and indirectly:

  • Section A.9.2.3 "Management of privileged access rights" contains the requirement to control and restrict privileged access rights.
  • Section A.9.4.4 "Use of Privileged Application Programs" adds a further PAM protection measure to the ISMS: it addresses the need to control utilities that can override other controls.

Several sections of the ISO 27001 framework point out that privileged user access must be carefully regulated, so a PAM solution also provides a solid basis for compliance with other regulations.

PAM also appears as an implementation of the technical and organizational measures in the following sections of ISO 27001:

  • A.6 "Organization of information security",
  • A.11 "Physical and environmental security" and
  • A.15 "Supplier relationships".

Indirectly, PAM is also covered by the sections

  • A.5 "Information Security Policies",
  • A.12 "Operational security",
  • A.16 "Information security management" and
  • A.18 "Compliance with internal requirements".

Each of these control areas depends on the proper management of privileged users to be effective.

How a PAM solution enables the technical implementation of ISO 27001 Annex A controls

A PAM solution is an essential part of the technical and organizational requirements of an ISMS and protects organizations from accidental or intentional misuse of privileged access. It keeps track of all privileged users and thereby enables the implementation of ISO 27001. Through a secure, centralized and streamlined mechanism, authorization and monitoring of all relevant systems can be performed for all relevant users.

  • A PAM solution grants and revokes privileges for users only on the systems for which they are authorized.
  • A PAM solution eliminates the need for privileged users to hold local or direct passwords for target systems.
  • A PAM solution manages access to a large number of heterogeneous systems quickly and centrally.
  • A PAM solution creates an immutable audit trail for every privileged operation and all activities in IT and OT.
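The four properties in this list can be made concrete with a small model. The following Python script is an added illustration written for this page; it is not VISULOX code or any vendor's API, and every name in it (PamBroker, AuditTrail, the policy and vault contents) is an assumption. It shows a broker that grants time-limited access only to systems a policy authorizes, uses a vaulted credential on the user's behalf without ever returning it, and writes every request, session and action to a hash-chained audit trail whose verification fails if any earlier entry is edited or removed.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # hash chain anchor for the first audit entry


class AuditTrail:
    """Append-only log: each entry commits to the hash of the previous one,
    so editing or deleting an earlier entry breaks verify()."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        payload = json.dumps({"prev": prev, "event": event}, sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class PamBroker:
    """Hypothetical access broker: policy decides who may reach which system,
    grants expire, and target credentials never leave the broker."""

    def __init__(self, policy: dict[str, set[str]], vault: dict[str, str], audit: AuditTrail):
        self.policy = policy   # user -> systems the user is authorized for
        self.vault = vault     # system -> credential (constructed sample values)
        self.audit = audit
        self.grants: dict[tuple[str, str], float] = {}  # (user, system) -> expiry time

    def request_access(self, user: str, system: str, now: float, ttl: float = 3600) -> bool:
        """Grant a time-limited privilege only if the policy authorizes it."""
        allowed = system in self.policy.get(user, set())
        self.audit.append({"t": now, "op": "request", "user": user,
                           "system": system, "allowed": allowed})
        if allowed:
            self.grants[(user, system)] = now + ttl
        return allowed

    def revoke(self, user: str, system: str, now: float) -> bool:
        removed = self.grants.pop((user, system), None) is not None
        self.audit.append({"t": now, "op": "revoke", "user": user,
                           "system": system, "removed": removed})
        return removed

    def open_session(self, user: str, system: str, now: float) -> Optional[str]:
        """Open a brokered session; the user never sees the vaulted credential."""
        expiry = self.grants.get((user, system))
        ok = expiry is not None and now < expiry
        self.audit.append({"t": now, "op": "session", "user": user,
                           "system": system, "ok": ok})
        if not ok:
            return None
        _credential = self.vault[system]  # used to connect on the user's behalf, not returned
        return f"session:{user}@{system}"

    def record_action(self, session: str, action: str, now: float) -> str:
        """Every privileged operation lands in the audit trail; returns the entry hash."""
        return self.audit.append({"t": now, "op": "action", "session": session, "action": action})


if __name__ == "__main__":
    # Constructed sample policy and vault; nothing here refers to a real system.
    audit = AuditTrail()
    broker = PamBroker({"alice": {"fw-01"}}, {"fw-01": "constructed-secret"}, audit)
    broker.request_access("alice", "fw-01", now=100.0)
    broker.request_access("bob", "fw-01", now=101.0)          # denied by policy
    session = broker.open_session("alice", "fw-01", now=200.0)
    broker.record_action(session, "show running-config", now=201.0)
    print("audit trail intact:", audit.verify())
    audit.entries[1]["event"]["allowed"] = True              # simulate tampering
    print("audit trail intact after tampering:", audit.verify())
```

Two design points matter for an auditor: the session is opened with a credential the user never receives (the PassCache idea), and the audit trail is verifiable by a party that did not write it, because every entry's hash depends on all entries before it.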

PAM is an important element of the ISMS that enables organizations to track all privileged user actions within their IT infrastructure.

VISULOX as central PAM building block for ISO 27001

amitego offers VISULOX, a complete PAM solution that aligns seamlessly with ISO 27001. Its agentless architecture makes VISULOX easy to implement, maintain and modify, so the PAM solution can become part of the ISMS without restricting the systems it protects. All VISULOX components contribute to ISO 27001 controls and ISMS compliance:

  • VISULOX Privileged Access Management - Controls access to privileged accounts and centralizes access control by creating a single point of access for all users in scope. Privileged users request access to a system through VISULOX, where the access control policy is defined and ISO 27001 policy enforcement is implemented. VISULOX knows every sensitive system to which a user holds access rights, and super administrators use it to add, change or delete privileged user accounts.
  • VISULOX PassCache - Prevents privileged users from ever learning the actual passwords or credentials of critical systems. This precludes manual overrides on physical devices, a risk described in Section A.11.
  • VISULOX Session Recorder - Tracks the connections and activities of privileged users, enabling real-time monitoring and recording of all user activity. Session recording enables detailed audits and accurate incident response, both essential for ISO 27001. It creates indexed recordings of activities, optionally logs every keystroke, and makes the recordings searchable via OCR.

ISO 27001 certification and auditing is a painstaking process in which each set of controls in the framework must be carefully implemented. A PAM solution helps simplify that process and provides more robust, flexible compliance. Talk to us or book a free demo of your PAM solution directly.
