ISO/IEC 27001 helps organizations prove that they have implemented best practices in their security and data protection programs. Although an ISO 27001 certification is not mandatory, working towards it can help you get ready to meet data governance requirements for your customers, partners, employees, and similar acts, laws, regulations, and standards. Most of these requirements share a common goal: the protection of information and assets.
The Microsoft 365 security center enables organizations to reduce security risks by providing them with the tools necessary to assess their current and historical security postures and to determine the appropriate set of actions to take to mitigate future risks. These tools consist of rich dashboards, reports, and interactive experiences like Microsoft Secure Score, each of which is designed to provide security administrators with the visibility, controls, and guidance they need to drive maximum security posture improvements.
ISO 27001 Standard Controls
ISO 27001:2013 details the requirements for an Information Security Management System, which is designed to help organizations implement a systematic and risk-based approach to ensure that information and systems are available to people who should have access and protected from people who shouldn’t. A fundamental part of this program is the implementation and standardization of risk assessments. Ideally, risk assessments should be part of Privacy and Security by Design or part of project management under ISO 27001 Annex 6.1.5 which reads, “Information Security shall be addressed in project management regardless of the type of the project.”
First, you should start and agree upon your risk assessment methodology. Tailor the rules of how to perform the risk management assessment and follow a standard that you can replicate across your organization (especially if you have a global presence). Don’t forget to define what your risk scoring mechanism (severity vs likelihood) and risk level threshold are.
Once you have defined the methodology, the next step is to apply it across all the assets your organization has. This is tricky as it also requires you to have an Asset Inventory in advance as ISO 27001 mandates in Annex A.8.1.1. In most cases, organizations may not know or fully understand the risks associated with each of the ISO controls. Some questions to help get you audit-ready are:
Is there an asset owner assigned to each asset?
Who maintains the asset inventory?
Is the asset inventory regularly reviewed?
What is the asset’s retention period?
What is the asset’s classification?
How often is the asset/information backed up?
With the Compliance Manager integration, Microsoft 365 compliance center provides you with visibility into your compliance posture against key regulations and standards like the GDPR, ISO 27001, NIST 800-53, and more on the homepage. You can then perform risk assessments, as we described above, to enhance your compliance and privacy controls.
If you’ve done the first two steps, by now you should’ve identified the gaps between the business expectations and actual situation of your information assets. Now it’s time to start planning your risk treatment/corrective and preventative action controls.
Applying security controls is one of your options to mitigate or minimize the risks, but you also have the option to:
Transfer the risk to another party
Avoid the risk by disabling the process or activity which is too risky (although the business may not be very happy about this)
Accept the risk, which makes sense if the cost and effect of mitigating the risk is higher than the actual potential loss or damage. With the recent changes in data breach penalties such as the GDPR (up to 4% of global revenue or up to 20Mil euros), however, accepting the risk can be quite a questionable decision.
Annex 8.2.1 from ISO 27001 states that “Information shall be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”
The Microsoft 365 compliance center is a specialized workspace for compliance, privacy, and risk management professionals.
Many organizations have data classification policies that are theoretical rather than operational. In other words, there is a corporate policy that is unenforced or left to the “business users/data owners” to implement. To help you label data more accurately, the Microsoft 365 Label Analytics preview can enable you to analyze and validate how sensitivity and retention labels are being used beyond your Office 365 workloads.
However, the biggest challenge with information or data classification is finding the easiest, most efficient, and accurate way to achieve this goal. Positioning this task to employees can sometimes be both time-consuming and imprecise. The challenge presented by a business user-driven “trust” system is that it’s difficult to predict the appropriateness and level of data being properly tagged.
Are inappropriate discussions happening? Is sensitive or confidential information being shared? Are privacy and compliance policies being circumvented, either deliberately or inadvertently? Who do you trust: user or machine?
In addition, not every employee is familiar with how to appropriately classify data. Data changes frequently, and it’s often hard to solely rely on untrained personnel to make sure classification is done according to your company information classification policy. It’s not that you shouldn’t trust your employees, but it’s better to monitor and control how information is used throughout the organization.
Unintentional employee action is the most common cause of data breaches worldwide. In order to protect your assets, organizations need to classify what you have and, based on the value, apply appropriate security controls. Not everything needs to be protected, but understanding what information you have, where is it, who has access, who it’s shared with, what the retention period is, etc. is all part of a best practices data governance process.
AvePoint itself received ISO 27001 certification and has been able to meet many of the ISO 27001 requirements using our own Enterprise Risk Management (ERM) solution. We’ve been able to do things like:
Automatically apply data classification to data at rest and any newly-created document based on sensitivity, document/information type and retention period
Identify non-conformities in the Incident Management Center
Automate third-party vendor risk assessments
Evaluate security into contracts using Impact Assessments
Scan results to provide insight into your greatest areas of vulnerability. Scan your content against internal or external regulations to identify privacy or security issues in files, file properties, or even attributes like headers and footers. Begin to tag and classify your data so you can more easily find, and react to at-risk or sensitive data.
If you’re just beginning your ISO 27001 certification journey or are performing your periodic ISO 27001 review and need a centralized solution to help you with automating some of the ISO requirements, consider AvePoint’s compliance solutions and feel free to contact us for more information. And for a bit more on Policies and Insights, check out the video below:
Dana Louise Simberkoff is the Chief Risk, Privacy and Information Security Officer at AvePoint. She is responsible for AvePoint’s privacy, data protection, and security programs. She manages a global team of subject matter experts that provide executive level consulting, research, and analytical support on current and upcoming industry trends, technology, standards, best practices, concepts, and solutions for risk management and compliance. Ms. Simberkoff is responsible for maintaining relationships with executive management and multiple constituencies both internal and external to the corporation, providing guidance on product direction, technology enhancements, customer challenges, and market opportunities.
Ms. Simberkoff has led speaking sessions at data privacy and security events around the globe. She was featured in Forbes, writes a monthly column for CMSWire, and was highlighted in the CSO Online list of “12 Amazing Women in Security”. She is a current member of the Women Leading Privacy Advisory Board and a past member of the Education Advisory Board for the International Association of Privacy Professionals (IAPP). Ms. Simberkoff holds a BA from Dartmouth College and a JD from Suffolk University Law School.
LinkedIn: www.linkedin.com/in/danalouisesimberkoff/en
Twitter: http://www.twitter.com/danalouise