Automated ISO Compliance Management
ISO/IEC 27001 specifies requirements for the establishment, implementation, monitoring and review, maintenance and improvement of a management system - an overall management and control framework - for managing an organization's information security risks.
Corporate management is a delicate affair. One slip could result in debilitating financial losses, and stiff penalties, loss of investor confidence and brand-image consequences! Managing ISO 27K Compliance requires integrated and comprehensive approach that combines process, people, and technology. Managing ISO 27K Compliance requires automated monitoring for conformance and gaps, and initiating remediation actions for meeting IT Compliance requirements. Automated processes makes it easy, certain, fast, and available when required, leaving business enterprises – large, medium or small, to focus on their core business, competition, and strategies at an extremely affordable price through SecureGRC from eGestalt Technologies.
SecureGRC ensures that the standard could easily be implemented in all types of organizations (e.g. commercial enterprises, government agencies and non-profit organizations) and all sizes from micro-businesses to huge multinationals.
ISO/IEC 27001 "is intended to be suitable for several different types of use, including:
- Use within organizations to formulate security requirements and objectives;
- Use within organizations as a way to ensure that security risks are cost-effectively managed;
- Use within organizations to ensure compliance with laws and regulations;
- Use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met;
- The definition of new information security management processes;
- Identification and clarification of existing information security management processes;
- Use by the management of organizations to determine the status of information security management activities;
- Use by the internal and external auditors of organizations to demonstrate the information security policies, directives and standards adopted by an organization and determine the degree of compliance with those policies, directives and standards;
- Use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations that they interact with for operational or commercial reasons;
- Implementation of a business enabling information security; and
- Use by organizations to provide relevant information about information security to customers."
Information security management system (ISMS), the core of the standard is based on the Plan-Do-Check-Act cycle where 'planning' involves defining requirements, assess risks, decide on the applicable controls, 'doing' implies implementing and operating the ISMS, 'Checking' provides for monitoring and reviewing ISMS, and 'Acting' involves maintaining and continuously improving the ISMS. It also specifies certain specific documents that are required and must be controlled and states that records must be generated and controlled to prove the operation of the ISMS.
The diagram below (taken from the ISO27k Toolkit) shows at what stages of the typical (ISO 27002/27001) implementation process most of the required documents are normally produced:
Compliance to ISO 27K (27001 and 27002) requires conformance the entire taxonomy of Information security such as:
Establishing leadership and high level objectives, audits & risk management, product design & development, acquisition of technology, operational management, Human resource management, records management, technical security, physical security, systems continuity, monitoring and reporting, privacy, configuration management, all within a framework of policies, standards, plans, procedures and checklists.
The software platform provides certain key functions that help the overall process, such as:
Decrease the time to get and stay compliant thus reducing costs associated with the compliance processes- Cloud based "pay –as – you –grow" delivery option - Provides 'Software as a Service' (SaaS) model with on-premises deployment or a completely on-demand cloud based service, requiring very low initial investment with high returns; also ideal for small and medium businesses
- Centralized dashboard view of the compliance status drilling down across departments, geographies, etc; generation of reports to demonstrate compliance for any regulatory or standard based audits
- Provide for Workflow, Document Management, Controls Inventory, Compliance Scanner, and fine-grained access control through a secure Web based interface
- Compliance Scanner scans and integrates compliance related information from various multiple sources and matches them against "Compliance Signatures".
- Manage exceptions and activities related to compliance; provide reminders to people for addressing compliance related tasks in an optimal manner
- Provide an exhaustive audit trail for all compliance related actions in the whole process
Compliance manager specifications
 |
 Exclusive customer instance of SecureGRC:Each customer on the cloud will have an exclusive instance of the application running ensuring complete security of client data |
 |
 Single and centralized repository for all compliance related data: Supports storing all relevant documents, evidences, processesrelated to compliance in one place with access to itfrom anywhere and at anytime; organize documents in a hierarchy –whether by geography or department or regulation. |
 |
Display questionnaires to evaluate manual controls: In-built questionnaire generator for use predefined or customized questionnaires. Supports email notifications setup on a schedule to collect information from people. |
 |
Dashboard and reports: Predefined or customized graphs creation facility by the user. The charts have the ability to drill down to the underlying data when clicked.Also, reports that can be exported to CSV, PDF etc can easily be generated, through online interfaces. |
 |
Remediation tracking: Tracking issues or "action items" that are either automatically detected or manually found in the compliance management software process and remediatingthrough feature-rich remediation module. Items can be assigned to individuals or groups, approvedby their managers, fixed, and closed online. |
 |
Compliance activity email reminders: Define workflow once in terms of roles and responsibilities and facility to attach documents and provides exhaustive audit trail of actions related to the workflow. |
 |
Track credit card or sensitive data within databases, file systems, desktops, and servers: Compliance Scanner will search for Credit Card (Track, PIN, CVV) data in Filesystems, Shared drives, Databases, Removable hard drives etc. |
 |
External vulnerability scans: on-demand and scheduled run of external vulnerability scans for external IP addresses. |
 |
Analyze firewall rule sets: Automatically gather information from various supported systemsand mapping against the relevantregulations or standards based on one-time setup and scheduling. |
 |
Perform vulnerability scans and integrate with existing vulnerability scanners: Gatherinformation from Network vulnerability scanning (suchas Nessus) and External ASV scans and automatically map them to the relevant regulations. |
 |
Integrate with web application scanners: Gather information from Webapplication vulnerability scanners and automatically map them to the relevant regulations. |
 |
Compare user access for appropriateness: compare and check access rights of users and whether they belong to groups thathave the appropriate rights for access. Any discrepancies can then be flagged and marked asnon-compliant through the use of "Compliance Signatures". |
 |
Test password strength of domain and databases: Continuously monitor password strengthsettings such as alphanumeric requirement, expiry upon 60 days, account lockout etc. withintarget databases and operating systems in scope. These settings can be configured to match upwith PCI DSS requirement 8 for password strength. |
ISO 27K Compliance requirements
SecureGRC ISO 27K Compliance Management based on Unified Control framework (UCF) can help you meet the ISO 27K requirements for you in terms of in terms of complying with
|
# |
Controls |
ISO 27001 – Control Ref |
ISO 27002 – Control Ref |
|
1 |
Leadership and high level objectives |
§ 4.1, 5.1, Annex A.6.1.1 |
§ 5.1.1 |
|
2 |
Establish and maintain a standard for assurance and impact levels for each information type. |
Annex A.10.9.3 |
§ 10.9.3 |
|
3 |
Establish and maintain an information, record, and data classification scheme. |
Annex A.7.2.1 |
§ 6.1.2, § 7.2.1 |
|
4 |
Document the external laws, regulations, and rules with which the organization must comply regarding its information systems, information technology, and information. |
Annex A.15.1.1 |
§ 15.1.1 |
|
5 |
Establish and maintain a list of warning bulletins, regulations, standards, guidelines, rules, and service level agreements as part of the organization's information services framework. |
Annex A.6.1.7 |
§ 6.1.7 |
|
6 |
Identify significant information processes, applications, and systems that fall under internal or external governance or compliance laws, regulations, or rules. |
§ 5.2.1, Annex A.7.1.1 |
§ 7.1.1 |
|
7 |
Audits and risk management |
Annex A.15.3.1 |
§ 15.3.1 |
|
8 |
Define the roles and responsibilities of the Internal IT Audit staff. |
§ 6 |
§ 6.1.8 |
|
9 |
Establish and maintain the IT Governance risk assessment framework. |
Annex A.14.1.2 |
§ 4.1, § 6.1.2 |
|
10 |
Establish a risk assessment approach to handle internal and external threats. |
§ 4.2.1(c) |
§ 4.1 |
|
11 |
Identify the risks and probability for natural events, technical events, and malicious activity. |
§ 4.2.1(e), Annex A.14.1.2 |
§ 4.1, § 4.2 |
|
12 |
Identify the risks to organizational information and technology. |
§ 4.2.1(f) |
§ 4.1, § 4.2 |
|
13 |
Identify security vulnerabilities to the system. |
§ 4.2.1(d) |
§ 6.2.1 |
|
14 |
Maintain a risk measurement and scoring system. |
§ 4.2.2(d) |
§ 4.2 |
|
15 |
Establish a risk acceptance level appropriate for the organization's risk appetite. |
§ 1.2, § 4.2.1(d), § 4.2.1(e), § 4.2.1(h), § 5.1 |
§ 4.2 |
|
16 |
Prioritize and select safeguards based on the risk assessment findings. |
§ 4.2.1(g) |
§ 4.2 |
|
17 |
Establish monitoring and logging operations for all key systems. |
Annex A.10.10.2 |
§ 10.6.1, § 10.10.1, § 10.10.2 |
|
18 |
Ensure system clocks are synchronized with an accurate and universal time source. |
Annex A.10.10.6 |
§ 10.10.6 |
|
19 |
Review audit logs, intrusion detection system (IDS) reports, security incident tracking reports, and other security logs on a regular basis. |
§ 4.2.3(b) |
§ 10.10.2 |
|
20 |
Ensure a system security plan exists and the system operates in accordance with the plan. |
Annex A.15.2.1, Annex A.15.2.2 |
§ 5.1.1 |
|
21 |
Test the system for unvalidated input. |
Annex A.12.2.1 |
§ 12.2.1 |
|
22 |
Monitor systems for errors and faults. |
Annex A.10.10.5 |
§ 10.10.5 |
|
23 |
Use file integrity and change modification tools to protect the audit logs from alteration. |
Annex A.10.10.3 |
§ 10.10.3 |
|
24 |
Protect against the misuse of audit tools. |
Annex A.15.3.2 |
§ 15.3.2 |
|
25 |
Establish and maintain an access classification scheme policy and standards. |
Annex A.7.2.1 |
§ 7.2.1 |
|
26 |
Establish and maintain a policy for establishing access policies and procedures. |
Annex A.11.1.1, Annex A.11.6.1 |
§ 6.2.2, § 11.6.1 |
|
27 |
Establish and maintain an identification, authentication, and access rights management plan. |
Annex A.11.2.1 |
§ 11.2.4 |
|
28 |
Maintain control over access rights and user privileges. |
Annex A.11.2.2 |
§ 11.1.1, § 11.2.2, § 11.4.6, § 11.6.1 |
|
29 |
Ensure all user IDs are unique and require proper authentication. |
Annex A.11.5.2 |
§ 11.2.1, § 11.5.2, § 11.5.3 |
|
30 |
Establish idle session termination capabilities. |
Annex A.11.5.5 |
§ 11.5.5 |
|
31 |
Maintain user accounts and access management for those users. |
Annex A.11.2.3 |
§ 11.2.1 |
|
32 |
Identify and control all network access points. |
Annex A.11.4.6 |
§ 11.4.3 |
|
33 |
Establish and maintain documentation for controlling the network configuration. |
Annex A.10.9.1 |
§ 10.9.1 |
|
34 |
Establish and maintain information flow and information exchange policies and procedures. |
Annex A.10.8.1 |
§ 10.8.1 |
|
35 |
Establish and maintain policies, procedures, and standards for remote access and teleworking. |
Annex A.11.7.2 |
§ 11.7.2 |
|
36 |
Manage the use of encryption and cryptographic controls for protecting information. |
Annex A.15.1.6 |
§ 15.1.6 |
|
37 |
Establish and maintain an encryption management and cryptographic controls policy. |
Annex A.12.3.1 |
§ 12.3.1 |
|
38 |
Establish and maintain a process for managing cryptographic keys. |
Annex A.12.3.2 |
§ 12.3.2 |
|
39 |
Use strong encryption techniques for transmitting restricted data or information over public networks. |
Annex A.10.9.2 |
§ 10.9.2 |
|
40 |
Establish and maintain a process for preventing malicious code attacks. |
Annex A.10.4.1 |
§ 10.4.1 |
|
41 |
Ensure a recovery plan exists for a malicious code outbreak within a system or across the network. |
Annex A.10.4.1 |
§ 10.4.1 |
|
42 |
Ensure all facilities are physically secured. |
Annex A.9.1.1 |
§ 9.1.1 |
|
43 |
Identify all access points and document the control entry measures. |
Annex A.9.1.6 |
§ 9.1.2 |
|
44 |
Maintain and review lists of personnel who have been granted authorized physical access to facilities that contain restricted data or information. |
Annex A.9.1.2 |
§ 9.1.2 |
|
45 |
Establish and maintain a guideline for working in secure areas. |
Annex A.9.1.5 |
§ 9.1.5 |
|
46 |
Monitor physical access at all access points. |
Annex A.9.1.3 |
§ 15.1.5 |
|
47 |
Establish and maintain physical security of distributed IT assets. |
Annex A.11.3.3 |
§ 11.3.3 |
|
48 |
Establish offsite physical and logical controls for all distributed assets. |
Annex A.9.2.5 |
§ 9.2.5 |
|
49 |
Separate systems that store or process restricted data from those that do not by deploying physical access controls. |
Annex A.11.6.2 |
§ 11.6.2 |
|
50 |
Ensure that the return of assets follows guidelines and standards. |
Annex A.8.3.2 |
§ 8.3.2 |
|
51 |
Establish and maintain a policy and set of procedures to authorize removing IT assets from the facility. |
Annex A.9.2.7 |
§ 9.2.7 |
|
52 |
Establish and maintain adequate environmental controls and processes. |
Annex A.9.1.4 |
§ 9.2.1 |
|
53 |
Protect power equipment and cabling from damage and/or destruction. |
Annex A.9.2.3 |
§ 9.2.3 |
|
54 |
Install uninterruptible power supplies (UPSs) and secondary power supplies on all key systems. |
Annex A.9.2.2 |
§ 9.2.2 |
|
55 |
House information system components in areas of the facility where the potential for damage will be minimized. |
Annex A.9.2.1 |
§ 9.2.1 |
|
56 |
Systems continuity |
Annex A.14.1.1 |
§ 14.1.1 |
|
57 |
Establish and maintain a systems continuity framework. |
Annex A.14.1.4 |
§ 14.1.4 |
|
58 |
Establish and maintain systems continuity plan strategies. |
Annex A.14.1.3 |
§ 14.1.2 |
|
59 |
Establish back-up procedures for applications, databases, security configurations, network configurations, documents, and messaging systems. |
Annex A.10.5.1 |
§ 10.5.1 |
|
60 |
Test system backups on a regular basis to ensure media and information integrity. |
Annex A.10.5.1 |
§ 10.5.1 |
|
61 |
Edit and update the systems continuity plan. |
Annex A.14.1.5 |
§ 14.1.5 |
|
62 |
Test the system continuity plan on a regular basis. |
Annex A.14.1.5 |
§ 14.1.5 |
|
63 |
Review and update the system continuity plan on a regular basis. |
Annex A.14.1.5 |
§ 14.1.5 |
|
64 |
Establish IT planning, strategy, and steering committees. |
Annex A.6.1.2 |
§ 6.1.2, § 6.1.3 |
|
65 |
Assign responsibility for data and system ownership. |
§ 4.2.1(d), Annex A.7.1.2 |
§ 6.1.3, § 7.1.2 |
|
66 |
Ensure that roles and responsibilities provide for separation of duties. |
Annex A.10.1.3 |
§ 10.1.3 |
|
67 |
Establish and maintain policies and procedures for contracted staff. |
Annex A.8.1.3 |
§ 8.1.3 |
|
68 |
Establish procedures for personnel clearances and for screening employees. |
Annex A.8.1.2 |
§ 8.1.2 |
|
69 |
Review or terminate accounts and access rights upon personnel job change and termination. |
Annex A.8.3.1, Annex A.8.3.3 |
§ 8.3.1, § 8.3.3 |
|
70 |
Implement a sanctions process for personnel who fail to comply with policies and procedures. |
Annex A.8.2.3 |
§ 8.2.3 |
|
71 |
Ensure IT personnel are trained. |
§ 5.2.2, Annex A.8.2.2 |
§ 8.2.2 |
|
72 |
Establish and maintain a policy regarding management of third party services. |
Annex A.6.2 |
§ 10.2.1 |
|
73 |
Formalize all third party relationships with written contracts. |
Annex A.6.2.3 |
§ 6.2.3 |
|
74 |
Ensure third parties acknowledge their responsibilities for data in their possession and control. |
Annex A.6.2.1 |
§ 6.2.1 |
|
75 |
Establish information flow and software exchange agreements with all third parties. |
Annex A.10.8.2 |
§ 10.8.2 |
|
76 |
Audit the security and regulatory requirements of third parties. |
Annex A.10.2.2 |
§ 10.2.2 |
|
77 |
Monitor the delivery of services by third parties. |
Annex A.10.2.1 |
§ 10.2.2 |
|
78 |
Establish and maintain operational roles and responsibilities. |
§ 5.1, Annex A.6.1.2, Annex A.8.1.1 |
§ 5.1.1, § 6.1.2, § 8.1.1 |
|
79 |
Document all policies and procedures. |
§ 4.2.1(j) |
§ 5.1.2, § 10.8.5 |
|
80 |
Ensure management is responsible for all policies. |
§ 4.2.1(b), § 4.3.2 |
§ 5.1.1, § 5.1.2, § 6.1, § 6.1.1, § 6.1.8 |
|
81 |
Ensure all organizational policies are communicated and disseminated throughout the organization. |
§ 5.1 |
§ 5.1.1 |
|
82 |
Comply with all policies, standards, and procedures. |
§ 4.2.1(b), Annex A.15.2.1 |
§ 15.2.1 |
|
83 |
Maintain policies by regularly reviewing them and updating them, as necessary. |
§ 4.2.1(b), § 4.2.3(g), § 5.1 |
§ 5.1.2 |
|
84 |
Establish and maintain a security and internal control framework policy. |
Annex A.5.1.1 |
§ 5.1, § 5.1.1 |
|
85 |
Ensure threat, vulnerability, and risk assessment management are included in the security policy. |
§ 4.2.1(b) |
§ 5.1.1 |
|
86 |
Review the security policy annually or whenever the environment changes. |
§ 4.2.3(b), § 5.1, § 7.1 thru § 7.3, Annex A.5.1.2, Annex A.6.1.8 |
§ 5.1.2, § 6.1.8 |
|
87 |
Communicate IT security awareness to all employees. |
Annex A.5.1.1 |
§ 8.2.2 |
|
88 |
Establish usage and proper behaviour policies. |
Annex A.10.6.2, Annex A.11.4.1 |
§ 11.4.1 |
|
89 |
Establish and maintain a process to manage intellectual property rights. |
Annex A.15.1.2 |
§ 15.1.2 |
|
90 |
Establish and maintain confidentiality and nondisclosure agreements. |
Annex A.6.1.5 |
§ 6.1.5 |
|
91 |
Establish and maintain a process to manage the intrusion/incident detection and response framework. |
§ 8.3, Annex A.13.1.1 |
§ 13.2.1 |
|
92 |
Monitor for inappropriate usage. |
§ 4.2.3(a) |
§ 15.1.5 |
|
93 |
Train all staff members on how to recognize and report security incidents. |
Annex A.10.4.1, Annex A.13.1.2 |
§ 8.2.2, § 13.1.2 |
|
94 |
Maintain appropriate contact with law enforcement authorities, credit reporting agencies, regulatory bodies, and internal contacts within the organization. |
Annex A.6.1.6 |
§ 6.1.6 |
|
95 |
Review violations and security incident activity reports and incorporate recommendations for future prevention. |
§ 4.2.3(a) |
§ 6.1.2 |
|
96 |
Document and use the lessons learned to modify and update the security incident response plan. |
§ 4.2.4(b), Annex A.13.2.2 |
§ 13.2.2 |
|
97 |
Retain collected evidence as prosecutorial material. |
Annex A.13.2.3 |
§ 13.2.3 |
|
98 |
Establish future capacity and performance forecasting methods. |
Annex A.10.3.1 |
§ 10.3.1 |
|
99 |
Establish and maintain a systems preventive maintenance policy. |
Annex A.9.2.4 |
§ 9.2.4 |
|
100 |
Control remote maintenance in accordance with the security level of the system being maintained. |
Annex A.11.4.4 |
§ 11.4.4 |
|
101 |
Establish a change-management program with all necessary policies and procedures to prevent unauthorized changes. |
Annex A.10.1.2 |
§ 10.1.2, § 12.5.1 |
|
102 |
Control all system changes by ensuring management approves all changes. |
Annex A.12.5.1, Annex A.12.5.3 |
§ 12.5.2, § 12.5.3 |
|
103 |
Update all associated documentation when a change occurs. |
§ 4.3.2 |
§ 10.1.2, § 12.5.1 |
|
104 |
Perform and pass acceptance testing before moving a system back into operation after a change has occurred. |
Annex A.10.3.2 |
§ 10.3.2 |
|
105 |
Wipe all data storage media clean prior to disposal or redeployment. |
Annex A.9.2.6 |
§ 9.2.6, § 10.7.1, § 10.7.2 |
|
106 |
Establish and maintain procedures for standardizing the installation of system software. |
Annex A.12.4.1 |
§ 12.4.1 |
|
107 |
Configure the .NET Framework to prevent the execution of unauthorized mobile code. |
Annex A.10.4.2 |
§ 10.4.2 |
|
108 |
Establish and maintain password standards and procedures. |
Annex A.11.3.1, Annex A.11.5.3 |
§ 11.2.3, § 11.3.1 |
|
109 |
Enable auditing and logging operations as necessary. |
Annex A.10.10.1 |
§ 10.10.1, § 10.10.4, § 10.10.5 |
|
110 |
Log actions taken by individuals with root or administrative privileges and add 'logging' option to the root file system. |
Annex A.10.10.4 |
§ 10.10.4 |
|
111 |
Configure the amount of idle time required before disconnecting an idle session. |
Annex A.11.5.5 |
§ 11.5.5 |
|
112 |
Enable disconnect clients (server) or force logoff (client) when the account's logon hours expire. |
Annex A.11.5.6 |
§ 11.5.6 |
|
113 |
Define the preservation and disposition requirements for each system's records. |
§ 4.3.3 |
§ 15.1.3 |
|
114 |
Control data input error handling. |
Annex A.12.2.1 |
§ 12.2.2 |
|
115 |
Establish and maintain automated data processing validation and editing checks. |
Annex A.12.2.2 |
§ 12.2.1 |
|
116 |
Establish and maintain automated data processing error-handling reporting and procedures. |
§ 4.2.3(a) |
§ 12.2.2 |
|
117 |
Establish and maintain output review and error-handling checks with end users. |
Annex A.12.2.4 |
§ 12.2.4 |
|
118 |
Establish and maintain strict control over the transiting and internal or external distribution of classified media. |
Annex A.10.8.3 |
§ 10.8.3 |
|
119 |
Establish and maintain security requirements and standards as part of the systems design process. |
Annex A.12.1.1 |
§ 12.1.1 |
|
120 |
Supervise and monitor outsourced development projects. |
Annex A.12.5.5 |
§ 12.5.5 |
|
121 |
Ensure production data is not used for testing and/or developing software. |
Annex A.12.4.2 |
§ 12.4.2 |
|
122 |
Establish development and test environments to support feasibility and integration testing of applications prior to acquisition. |
Annex A.10.1.4 |
§ 10.1.4, § 12.5.1 |
|
123 |
Ensure third-party outsourcing providers meet organizational standards and employ adequate compliance controls. |
Annex A.10.2.3 |
§ 10.2.3 |
|
124 |
Establish and maintain procedures for the acceptance of facilities, technology, and technology services. |
Annex A.6.1.4 |
§ 6.1.4 |
|
125 |
Privacy protection for information and data |
Annex A.15.1.4 |
§ 15.1.4 |
|
126 |
Develop organizational measures to limit information leakage. |
Annex A.12.5.4 |
§ 12.5.4 |
Browser compatibility
Google Chrome, Firefox, Internet Explorer up to version 8 (with compatibility mode switched on)
Database
The default is MySQL. Also supports Oracle and MSSQL through appropriate client interfaces.
Deployment Model Options
| SecureGRC Cloud-based |
 SecureGRC On-premise |
 SecureGRC Hybrid |
|
Compliance Scan tools supported
Compliance Scanner scans and integrates compliance related information from varioussources such as, Databases, File systems, Firewall rules, Active Directory, Vulnerability Management Solution and Application vulnerability scanners etc and matches them against "Compliance Signatures".
| Currently supported external Scanning tools: SecureGRC can integrate test results from other tools through XML interface |
|
|
Customer On-boarding
We will help you get on board to Compliance Management quickly – Fill up the on-boarding form where our consultants will help you, and leave the rest to us to set it up and help you carry on comfortably.
Contact us
To learn more call +1 (408) 689 2586 or email This e-mail address is being protected from spambots. You need JavaScript enabled to view it
