this post was submitted on 01 Jul 2023
11 points (100.0% liked)

Blue Team

573 readers
2 users here now

Blue Teamers are the first (and sometimes last) line of defense in the ongoing cyber war. This place is to chat out detection strategies, complain about SIEMs, compare SOAR playbooks, or post mean memes about the Red Team.

founded 1 year ago
MODERATORS
 

TL;DR: Is ISO27001 easy or am I just too dumb to see the complexity?

Hi!

Just wanted to start some conversation on a standard that's sorta kinda infamous where I'm currently at, the ISO27001 standard.

I got tasked with "polishing up an ISMS" for a company and while I can't go into details, I got basically a control name (from 27002:2022) and a description of "what we need it to do." Now that I got into it, I feel that I may be missing something. Most of their controls are "Limit access to server room" or "Make sure access is logged and not permanent."

Like, the standard is not difficult reading, but if they can explain to ME how the controls should look in the end, what am I missing? Is there some extremely difficult part? Or can I just say "Just make the creds timeout after a month. Source: dude trust me?"

If you were tasked with implementing ISO27001, did you encounter any specific hurdles that I may not see from where I'm standing? The only thing I can see after I got through all the controls was a feeling that this will be more expensive on time for the security teams.

Thank you for coming to my TED(x) talk.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] Tanders@infosec.pub 2 points 1 year ago* (last edited 1 year ago) (1 children)

TL;DR: Yes, ISO 2700{1,2} are a low barrier of entry but a common set of controls that should be able to be applied anywhere.

The biggest hurdle to deploying any framework is updating the cycle of controls and keeping them aligned both with management and with the parties implementing them. There is as much non-infosec work as there is actual implementation of the controls.

  • Policy Statement: Management guideline / statement to be followed
  • Process: The flow to follow in order to meet that policy statement
  • Procedure: The steps to follow in order to enable the process
  • Standard: The measurement of the compliance with the policy statement

Each one of the (Annex A) 14 domains has specific controls within the ISMS (27001) that each need the above implementation steps in a big ol' spreadsheet. Then the technical controls within ISO 27002 need to be applied, documented, and supporting evidence gathered as well.

For implementing ISO 27002 I'd highly recommend looking at Common Criteria or the CIS controls that map 27002 to CIS.

[โ€“] m4iler@infosec.pub 2 points 1 year ago

Looks good! I'll check it out!