HOW TO PREPARE FOR THE ISO / IEC 27001 CERTIFICATION AUDITS

gsas
Jun 6, 2021

A brief overview of ISO / IEC 27001 and SRE mindset

What is ISO / IEC 27001?

Anyone working in the IT industry will no doubt have come across ISO / IEC 27001 by now. As an IT professional coming from an SRE/DevOps background, I have worked on many security projects integrating auditing and security checks with the infrastructure and applications of different organisations. I want to share some information from those experiences, explain what ISO 27001 is, and show how we can bring SRE best practices and automation to it.

First published in 2005 jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it has been updated several times since then. ISO / IEC 27001 is designed as an international standard to support all types of organizations in how they can best set up, implement, monitor, evaluate, maintain and improve information security.

Why is ISO 27001 important?

The standard, also known simply as ISO 27001 (without “IEC”), is agreed internationally by security experts. Such consensus-based standardization provides a generally understandable framework for identifying security risks that can lead to information misuse or complete data breaches. As such, ISO 27001 has become an essential formula for managing the security of an organization’s information assets, including (but not limited to) customer data, financial data, or intellectual property.

According to the ISO website, “It’s not just big companies that are threatened. The research, carried out by PricewaterhouseCoopers (PwC) on behalf of the UK Department for Business, Innovation and Skills, highlighted incidents in small businesses that were previously only seen in larger organizations, with 87% of small organizations in the last year reported a security breach”.

What are the requirements of ISO 27001 (in brief)?

Compliance with ISO 27001 requires the design and implementation of coherent and comprehensive information security controls in order to counter any risks deemed unacceptable. In addition, it means taking overarching security measures to ensure that these controls continue to meet the needs of the organization, even as those needs evolve over time. Finally, it requires a regular and systematic review of information security risks within the organization, taking into account threats, vulnerabilities and potential impacts.

Some ISO 27001 challenges for IT administrators

In addition to the ongoing problems that IT administrators manage on a daily basis, the ISO 27001 standard presents the following additional challenges to be overcome:

  • Certification is a multi-stage process
  • It covers several areas in addition to IT
  • The audits should be carried out more frequently at the beginning, then at least once a year
  • The auditor decides which controls are tested
  • Organizations can usually meet all the requirements, but cannot prove it

Automation for Auditing?

Yes!! As one of the SRE best practices says, we can concentrate on automating tasks to reduce time, cost and human error. Why not automate audits as well? You can build such automation on your own and integrate it with the monitoring solution in your organization, but I also want to describe a tool I have used before for cloud infrastructure and virtualised systems.

Runecast Analyzer:

It provides the most comprehensive ISO / IEC 27001 automated compliance checklists available for VMware and AWS hybrid cloud infrastructures, along with historical reports that go back a year.

In this way, the Runecast Analyzer helps IT administrators to minimize risk, lower maintenance costs and significantly reduce all costs related to unexpected events (e.g. security breaches or system failures and their inevitable effects on the company’s reputation).

I hope you like it; feel free to contact me and comment if you have questions.
