[Latest Case Study] tiket.com & Its Compliance Journey To ISO 27001 and PCI-DSS Certification
logo
Compliance

Ensuring Continuous Cloud Compliance with ISO 27001

Continuous compliance isn’t just ticking all checkboxes on a list. It’s a conscious building of a business culture that continuously monitors compliance posture. What are the sections that apply to the cloud?

What Is Cloud Compliance?

Cloud Compliance is getting your cloud workloads to be compliant with the various laws and regulations that govern your business. The fact that people aren’t as familiar with cloud workloads compared to on-premise workloads, can make cloud compliance trickier to implement.

What Is Continuous Cloud Compliance?

Continuous cloud compliance means constantly monitoring your cloud compliance posture, as opposed to only watching over it when audit season is approaching. It also means ensuring due diligence is completed early in the compliance assessment process in order to easily mitigate security risks and avoid the huge costs associated with non-compliance.

Why Care About Continuous Compliance?

Why would an organization choose to adopt a continuous compliance strategy?

For these reasons, organizations need to use a framework that can work across organizations of various sizes and industries. The gold standard of security frameworks is International Standard for Standardization (ISO) 27001.

About ISO 27001

International Standard for Standardization (ISO) 27001 (formally known as ISO/IEC 27001:2005) is one of the most well-known and widely-used security standards today. It’s a comprehensive security framework used for laying the groundwork for establishing effective security policies and controls in your organizations.

ISO 27001 was established jointly by ISO and the International Electrotechnical Commission (IEC). Both organizations come together to assess, create, and maintain the standard in line with the best practices each time the standards are revised.

At the core of ISO 27001 is continuous monitoring and improvement. Organizations can choose to follow the Plan-Do-Check-Act (PDCA) process, which recommends that every change requires a plan, and organizations should test first before adopting it at full scale. Above all, every organization needs to continuously improve its Information Security Management System (ISMS).

Organizations of all industries and sizes can get certified with the help of an independent ISO 27001-certified auditor. Some of the benefits of certification include:

  • Better reputation: As ISO 27001 is recognized across many industries, being certified means your security policies and processes are in good shape.
  • Cost savings: Getting certified makes it easier for your organization to pass other compliance standards and reduces the red tape your organization may encounter with proving that your security is sound.
  • Trust building: Being certified establishes trust between you, your partners, and customers you may work with.

ISO 27001 and the Cloud

Migrating to the cloud is a shared responsibility between the customer and the cloud service provider (CSP). CSPs like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft’s Azure Cloud are all ISO 27001-certified on the aspects they’re responsible for such as the data center and network infrastructure.

The CSP’s certification, however, does not make your organization certified by association. As the customer of these CSPs, it’s your responsibility to ensure that the data and workloads in the cloud are secure and in compliance with ISO 27001.

What is Annex A?

ISO 27001 takes a risk-based approach to compliance. This requires your organization to identify the biggest risks and identify the most relevant controls that need to be adhered to.

Annex A of ISO 27001 contains the list of all the control objectives and controls themselves. This list contains 114 controls and are further divided into 14 separate sections.

Section 5: Information security policies

This section governs written security controls and policies. Within the context of the cloud, it refers to any and all security policies an organization has that are related to the appropriate use of your organization’s cloud infrastructure. Policies must be written out, approved by management, and reviewed regularly.

Section 6: Organization of information security

Section 6 is a people-centric section where it states that various responsibilities for security-related matters need to be clearly laid out and assigned to a point of contact. These duties also require separation of duties to prevent potential conflicts of interest.

In addition, your organization should also have points of contact with external authorities like law enforcement or the relevant Cloud Service Providers (CSPs).

For mobile device usage and teleworking, your organization needs to conduct appropriate risk assessments and make informed decisions and policies that mitigate potential threats that can arise from these flexible work arrangements.

Section 7: Human resource security

This is another people-focused section of the policy which details the responsibilities of human resources and managers when it comes to ensuring that employees are made aware of information security policies. It also states that your organization needs to ensure both employee on-boarding and off-boarding processes comply with security best practices.

Section 8: Asset management

Section 8 deals with how to manage, classify, and dispose of your assets. An asset in the security context is anything that’s valuable to your organization in any way. 

One way to take stock of your assets in the cloud is through a configuration management service like AWS Config, GCP’s Cloud Asset Inventory, and Azure’s Policy service. All of these services serve as an inventory for all your cloud assets.

Section 9: Access control

Section 9 covers controls surrounding access control policies and controls. You can ensure proper access control in the cloud with the right policies through identity and access management services like AWS’s Identity and Access Management (IAM), Google’s Cloud IAM, and Microsoft’s Azure IAM.

Good access control policies operate on the principle of least privilege or only giving users the minimum amount of permissions needed to do their jobs.

Section 10: Cryptography

Section 10 states that organizations need to have a policy in place for encryption and key management. 

The bigger your organization, the more challenging it is for organizations to manage their keys in the cloud. Proper key management and choice of encryption standards ensures that its assets are well-protected against insider threats, which account for as much as 73% of security breaches.

All the major CSPs have their own implementation of a key management system (KMS) like AWS’s KMS, Microsoft’s Azure KMS, and Google’s Cloud KMS.

Section 11: Physical and environmental security

Section 11 concerns more on making sure assets are secured from physical unauthorized access. It also covers protection against natural disasters like floods, fires, and earthquakes. 

Under the shared responsibility model, the cloud service providers take charge of this end of the compliance process as this pertains to security of the cloud

Section 12: Operations security

Operations security deals with how to ensure organizations can remain secure during day-to-day operations. Within the context of the cloud, this can be done through the following means:

Section 13: Communications security

Communications security revolves around securing your networks. Within cloud infrastructure, this means one or more of the following ways:

  • Segregating your cloud networks
  • Enforcing perimeter controls like security groups and network access controls
  • Enforcing encryption in transit
  • Creating rules and guidelines for remote work and bring-your-own-device (BYOD) settings.

Section 14: System acquisition, development, and maintenance

Section 14 ensures that information security is an integral part of your organization. All security procedures need to be documented and properly communicated to all stakeholders within your organization.

This needs to be done early on as this would be the foundation for other cybersecurity measures that will be put in place. 

The best way to integrate security into the cloud is through making use of well-architected frameworks. These contain a set of best practices that bring the best balance between security, performance, and cost.

AWS, GCP, and Microsoft Azure all have their own frameworks in place. Make sure to read the appropriate frameworks for your workloads and keep these best practices in mind while designing and architecting them.

Section 15: Supplier relationships

Section 15 concerns having policies regarding external parties’ access to company information. Using the principle of least privilege, only give access to the minimum amount of information these external parties need to effectively deliver their services.

It also states that there needs to be a process in place to monitor all activities the suppliers execute within company infrastructure.

Section 16: Information security incident management

In case of any security breach or incident, your organization should have a process in place to respond to the incident and properly collect forensic evidence in case an investigation with law enforcement or other governing body is needed. 

A good incident management and response plan consists of 7 phases:

  • Preparation happens before an incident even happens through proper logging and monitoring, documentation, and assignment of responsibilities.
  • Identification is the point in time your organization identifies an incident. This could be through metric alarms or someone reporting an incident. For cloud incidents, this would also involve opening a support ticket with the appropriate support group to validate the incident.
  • Containment details steps to stop an incident from causing further damage. This can be done through restrictive security groups that block off further access to affected resources.
  • Investigation is where your organization finds out how the incident happened and who is involved.
  • Eradication when applicable, involves removing all traces of malicious activity.
  • Recovery focuses on restoring to normal operations.
  • Lessons Learned is when your organization talks about what went right, what went wrong, and how to make sure it does not happen again.

Section 17: Information security aspects of business continuity management

Section 17 revolves around having and executing a business continuity plan (BCP) in case of any unforeseen disruptions to normal operations

Part of this BCP involves cloud infrastructure redundancy, which can be done through leveraging multi-availability zone deployments and even having an entire infrastructure in another region.

Section 18: Compliance

The final section deals with identifying and documenting the various laws and regulations your organization is subject to. This would depend on the following factors:

  • The location your organization operates in
  • Where the customers they serve are located
  • What industry your organization belongs in
  • Any requirements customers and partners may have in terms of compliance

It also emphasizes the need for your organization to subject yourself to an audit from an independent auditor to make sure you’re on top of your compliance policies.

Continuous Compliance is the Key

Continuous compliance isn’t just ticking all checkboxes on a list. It’s a conscious building of a business culture that continuously monitors compliance posture instead of only doing so because of an audit or, worse, a security breach.

While getting compliant with ISO 27001 is the gold standard, it should not just be a one-off effort. You need to continuously monitor your assets to ensure they’re compliant with various standards your organization is subject to.

If your organization is on AWS, you can now check if your AWS resources are properly configured and compliant with a free 14-day Horangi Warden trial. Warden helps you continually manage your compliance risks for ISO 27001 and other compliance and best practice standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Monetary Authority of Singapore's Technology Risk Management (MAS-TRM) guidelines, the Bank Negara Malaysia - Risk Management in Technology (BNM-RMiT) framework, and AWS Well-Architected Framework (WAF).

Samantha Cruz
Samantha Cruz

Samantha Cruz is a Cyber Operations Researcher at Horangi specializing in cyber research and security tool development. Before joining Horangi, she has worked for Trend Micro as a security analyst and engineer.

Subscribe to the Horangi Newsletter.

Hear from our Horangi tech experts as we go deep into up-and-coming cyber threats, new solutions, and talk about the future of cybersecurity.