The International Standards Organization (ISO) and International Electrotechnical Commission (IEC) recently dropped the hottest new PDF in the compliance world - the 2022 edition of the 27001 standard (or, ISO/IEC 27001:2022). ISO/IEC 27001 has been the leading global standard for an information security management system since its inception in 2005. The recent updates include some valuable considerations about data protection and cyber resilience.
The 2022 updates to ISO/IEC 27001 have made the framework easier to navigate. There are 93 total controls in 4 sections in 27001:2022, instead of 114 controls in 14 sections. Nothing has been removed. Instead, the shrinkage is largely the result of merging redundant requirements. ISO 27001:2022 also includes 11 net new requirements covering data protection and cyber resilience.
Is ISO/IEC 27001 Compliance on a ‘Shoestring Budget’ Possible?
The title of this blog is a nod to JupiterOne CEO Erkang Zheng’s wonderful blog on super-cheap SOC 2 compliance. Back when I was a JupiterOne customer, that blog served as a near-daily resource for me during an intense three-audit sprint with extremely limited resources. I still love that blog, even though I now count myself lucky to do startup security compliance on a sufficient budget.
Click here to read Erkang’s SOC 2 Compliance on a Shoestring Budget.
What if ‘shoestring budget’ were a state of mind as opposed to a fiscal reality for some of us? I still think many of the best compliance solutions are available at shoestring budget prices. Sometimes, the cheapest resources are also the ones that are most efficient. Using existing features is a lightweight and free approach to compliance, while many free and open source software (FOSS) solutions are objectively fantastic. I also firmly believe a shoestring approach to ISO/IEC 27001 is a necessary approach to this framework in particular.
Why? While ISO 27001 is my favorite compliance framework, many of my cloud-native security peers disagree. Some individuals have had less-than-positive encounters with ISO 27001, usually at larger organizations. ISO/IEC 27001 guidance requires significant amounts of documentation, which can easily lead to endless paper. Thick and rigid policies make engineers really sad. Think of the ‘cumbersome policy’ approach to ISO 27001 as a pitfall you can avoid with a superior, shoestring approach.
Ten million policies and procedures is not an inevitability for ISO 27001. You should ignore anyone who tells you otherwise. After all, ISO 27001 is a standard for a management system that does not prescribe anything. You get to choose your own ISO 27001 compliance adventure, so you should choose a shoestring adventure, since continuous and automated compliance is awesome.
The 11 New ISO 27001:2022 Controls on a Shoestring Budget
The table below lists all of the baseline approaches to the new ISO 27001:2022 controls that are needed for a cloud-native organization to successfully comply.
A few notes:
- The list provides mostly cloud-native and open-source security solutions to establish a solid baseline. Commercial alternatives can be adopted, but it entirely depends on your budget, resources, and requirements.
- Some resources provided below are specific to Google Workspace as a solution for email, document collaboration, and corporate browser management, although many equivalent features exist from other vendors.
- JupiterOne provides a completely free tier!
Also, here is a small disclaimer. I am not a certified ISO/IEC 27001 lead auditor or someone who works for a certification body. Instead, I am someone with significant amounts of first-hand experience implementing ISO 27001 at cloud-native startups. Your certified auditor’s requirements could vary slightly from the resources listed below, depending on how they interpret the standard for your organization.
A.5.7 Threat Intelligence
Information relating to information security threats shall be collected and analyzed to produce threat intelligence.
Organizations of all sizes and budgets can benefit from real-time threat intelligence to better understand their adversaries. It’s relatively simple to add one or more of these real-time threat intelligence feeds to your Slack, SIEM, or XDR. Remember, it’s important to assess the value and safety of these (or any other) community-maintained resources.
Extra Cost: $0
- ThreatFeeds.io - 60+ Free Threat Intelligence Feeds
- HSlatman’s 150+ Awesome Threat Intelligence Resources on GitHub
A.5.23 Information Security for Use of Cloud Services
Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements.
Every organization needs a robust and comprehensive set of policies, and it’s now important to ensure your Vendor and Subprocessor policies or agreements address the cloud vendor lifecycle. JupiterOne provides a library of 150+ policy templates to get you started.
Extra Cost: $0
A.5.30 ICT Readiness for Business Continuity
Information and Communication Technology (ICT) readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
There’s serious value in making sure your contingency plans are developed, implemented, and subject to an annual test against recovery time and recovery point objectives (RTOs and RPOs). There are numerous free tools for planning continuity exercises, including a full suite of resources from the US Department of Homeland Security’s Ready.gov.
Extra Cost: $0
A.7.4 Physical Security Monitoring
Premises shall be continuously monitored for unauthorized physical access.
Many cloud-native security teams have set a policy to prohibit storing any sensitive data in physical environments like file cabinets or laptops. If you are in this category, you can easily prove compliance for free by grabbing the latest ISO 27001 audit report from AWS, GCP, or Azure. If your organization does store sensitive data on-prem, use the free physical security checklist from RiskWatch.
Extra Cost: $0
A.8.9 Configuration Management
Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
Many organizations will already be using tools like Terraform by HashiCorp to automate configuration management against community frameworks like the CIS Benchmarks. Luckily, Terraform is open source and the CIS Benchmarks are free in PDF format! You can also get alerted when configuration drift occurs using JupiterOne Rules Alerting.
Extra Cost: $0
A.8.10 Information Deletion
Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.
Many of us have some firsthand experience with free data destruction through methods like taking a drill to old laptops. Those can be fun, but they’re also no longer recommended. The cheapest (and easiest) way to approach this requirement is to prohibit the storage of sensitive data on any physical media using templates from the JupiterOne Policy Library. You’ll also want to continue (or start) keeping effective records of data destruction through AWS, Azure, or GCP.
Extra Cost: $0
- Supported by All Major IaaS Providers
A.8.11 Data Masking
Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.
With any luck, your organization is already practicing data masking. If you need to implement this control for the first time, there are numerous techniques to consider that could carry no cost to your organization depending on your data sensitivity and use cases. There are also many options available through AWS, Azure, and GCP’s respective marketplaces that cost pennies per hour.
Extra Cost: Varies
- Supported by All Major IaaS Providers
- Also available via IaaS Marketplaces
A.8.12 Data Leakage Prevention
Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.
Chances are, you already pay for Google Workspace or Microsoft 365. There’s no additional cost to ensure you’ve taken advantage of all available controls to prevent data leakage via email, shared files, approved devices, and SSO. Your existing mobile device management (MDM) or extended detection and response (XDR) tooling probably also provides the ability to prevent data leakage by blocking the use of removable media.
Extra Cost: $0
- Google Workspace Controls
- XDR or MDM Settings
A.8.16 Monitoring Activities
Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.
JupiterOne’s rules alerting library has ready-built capabilities to help you identify anomalous activity, such as cloud resources, devices, or users that require security investigation.
Extra Cost: $0
A.8.23 Web Filtering
Access to external websites shall be managed to reduce exposure to malicious content.
If your organization uses Google Workspace for enterprise browser management, it already includes built-in administrative controls for allowlisting and blocklisting websites. You can even easily build out a robust blocklist using one of the free resources from HSlatman’s 150+ Awesome Threat Intelligence Resources on GitHub!
Extra Cost: $0
- Google Workspace
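The two ‘feed to control’ steps above, ingesting a community threat feed (A.5.7) and turning it into a browser blocklist (A.8.23), as an added example that is not JupiterOne’s code: it parses a constructed plain-text feed, discards malformed and duplicate entries, refuses to block hostnames in an assumed ALLOWED_HOSTS set of your own domains, and renders the Chrome enterprise URLBlocklist policy that Google Workspace browser management pushes.

```python
"""Build a Chrome URLBlocklist policy from a community threat-intelligence feed.

Added example, not JupiterOne's code. Assumes a plain-text feed with one
hostname or URL per line and '#' comments; the feed below is constructed.
"""
import json
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample feed: comments, mixed case, full URLs, junk, duplicates,
# a CSV-style extra column, and one of "our own" domains that must be kept.
SAMPLE_FEED = """# sample feed (constructed for this example)
Malicious-Example.test
http://bad.example.test/login.php   # same host, different URL
https://BAD.example.test/
not a hostname!!
10.0.0.256
phish.example.test,"extra column"
example.com
malicious-example.test
"""

# Hostnames only (labels of letters/digits/hyphens, TLD starting with a letter);
# IP indicators are intentionally skipped here.
_HOST_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z][a-z0-9-]{1,62}$")

# Assumption: your own domains, which a feed must never be allowed to block.
ALLOWED_HOSTS = {"example.com"}

def normalize_indicator(line: str) -> Optional[str]:
    """Return a lowercase hostname for one feed line, or None if unusable."""
    entry = line.split("#", 1)[0].strip()          # drop trailing comments
    entry = entry.split(",", 1)[0].strip().strip('"')  # tolerate CSV-style feeds
    if "://" in entry:                              # full URL -> host only
        entry = urlsplit(entry).hostname or ""
    entry = entry.lower().rstrip(".")
    if not entry or not _HOST_RE.match(entry) or entry in ALLOWED_HOSTS:
        return None
    return entry

def feed_to_blocklist(feed_text: str) -> List[str]:
    """Deduplicate valid hostnames, preserving first-seen order."""
    seen = {}
    for line in feed_text.splitlines():
        host = normalize_indicator(line)
        if host:
            seen.setdefault(host, None)
    return list(seen)

def chrome_policy(hosts: List[str]) -> str:
    """Render the Chrome enterprise URLBlocklist policy as JSON."""
    return json.dumps({"URLBlocklist": hosts}, indent=2)

if __name__ == "__main__":
    print(chrome_policy(feed_to_blocklist(SAMPLE_FEED)))
```

Review the rendered list before pushing it: the feed’s quality, not the script, decides how many legitimate sites a blocklist breaks.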
A.8.28 Secure Coding
Secure coding principles shall be applied to software development.
Practicing and easily proving your secure coding techniques doesn’t need to add extraneous work for engineers. JupiterOne uses a GitHub Request for Comments (RFC) workflow to document security and privacy considerations within our version control environment, and we’ve made the template available for anyone to use.
Extra Cost: $0
When Does ISO 27001:2022 Take Effect?
The answer is a bit complicated; however, it can be summarized as ‘not immediately.’ The particular timeline for changing from ISO 27001:2013 to 27001:2022 will depend on where your organization is in its certification cycle and on your certifying body (or auditor). However, certification bodies are unlikely to offer certification to ISO 27001:2022 until at least six months after the October 2022 release of the standard. According to ITGovernance, the ISO 27001:2013 standard will also not be fully retired for three years.
Please contact your certification body to understand more details about your particular timeline for changing from ISO/IEC 27001:2013 to 27001:2022 and how quickly you should begin adopting these new controls. The following are general guidelines as opposed to absolutes:
- If you are achieving first-time ISO/IEC 27001 certification in late 2022 or the first half of 2023, you will likely be initially certified to ISO 27001:2013.
- If you are doing an ISO/IEC 27001 re-certification in late 2022 or the first half of 2023, you will likely be recertified to ISO 27001:2013.
- Initial certifications or recertifications that take place in the second half of 2023 will likely focus on the ISO 27001:2022 standard.
Shoestring Compliance is the Best Compliance
Spending more money on security compliance isn’t always the right answer, particularly if the net result is a rigid or paperwork-heavy approach to compliance. The future of compliance is continuous. Plus, compliance should be the natural outcome of security done well. Using this ISO/IEC 27001:2022 guidebook to compliance on a shoestring budget can augment your existing security efforts, particularly if you are already using JupiterOne to automate your compliance effort.