ISO 27001 Compliance

How Ezeelogin helps to achieve ISO 27001 compliance

With the rapid growth of digital technologies, everything has moved online. As a result, the risks associated with protecting sensitive information have become critical for organizations. Cyber threats and data breaches are increasing, making it mandatory for organizations to take the necessary precautions to keep their sensitive information and data secure.  

Importance of security compliance certification

Security compliance certifications ensure that an organization follows a set of rules and procedures to safeguard its information, manage risks, and secure its infrastructure, as defined by industry standards or regulatory authorities. 

Globally accepted security compliance certifications include ISO 27001 (International Organization for Standardization), SOC 2 (System and Organization Controls 2), PCI DSS (Payment Card Industry Data Security Standard), GDPR compliance (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), the NIST Cybersecurity Framework and ISO 9001 (Quality Management System).

This article outlines what ISO/IEC 27001 certification is, the various controls in ISO 27001, its benefits, and how Ezeelogin can assist in achieving compliance.

What is ISO/IEC 27001 certification?

ISO/IEC 27001 is one of the globally recognized security standards. It provides a framework for organizations to create and maintain a strong Information Security Management System (ISMS) that protects information such as customer data, business assets, and intellectual property against security threats.

Key areas covered by the ISO 27001 standard

ISO 27001 covers people, processes, technology, security controls, risk assessment and risk management, leadership commitment, and planning. Guiding principles of ISO 27001 are Confidentiality, Integrity, and Availability (commonly referred to as the C-I-A triad). 

Understanding the ISO 27001 Structure

ISO 27001 consists of two components: 

1. Clauses 0 – 10:

   Clauses 0-10 contain the core standard and its requirements. Clauses 4-10 define the scope and the essential requirements that an organization must implement in its Information Security Management System (ISMS) to achieve certification, including all necessary documents, processes, and policies.

2. Annex A:

   In the older version of the standard, ISO 27001:2013, Annex A listed 114 controls divided into 14 categories, covering a wide range of topics such as access control, cryptography, physical security, and incident management. The current version, ISO 27001:2022, includes 93 controls, of which 11 are new.

Controls in ISO 27001:2022

The Annex A controls are now grouped into four categories.

| Category name  | Number of controls | Annex           |
|----------------|--------------------|-----------------|
| Organizational | 37                 | A 5.1 to 5.37   |
| People         | 8                  | A 6.1 to 6.8    |
| Physical       | 14                 | A 7.1 to 7.13   |
| Technological  | 34                 | A 8.1 to 8.34   |

Differences from ISO 27001:2013

  1. Reduced the number of controls from 114 to 93.
  2. Total controls are grouped into 4 categories (organizational, people, physical, and technological).
  3. Added 11 new controls, designed to address modern security challenges and the need for more proactive risk management. Key areas of focus include cloud security, threat intelligence, and data masking.

Benefits of ISO 27001 Certification

ISO 27001 certification helps organizations improve their Information Security Management System (ISMS) and reduce the risk of data breaches and cyber attacks. Achieving this security compliance certification enhances trust with clients, which in turn helps to improve business.

Here are the key advantages of ISO 27001 certification. 

  1. Enhanced information security
  2. Improved risk management
  3. Regulatory compliance
  4. Increased customer trust and confidence
  5. Competitive advantage
  6. Incident prevention and better incident response
  7. Business continuity
  8. Better internal processes and efficiency
  9. Increased employee awareness and engagement
  10. Global recognition
  11. Enhanced partner and vendor relationships
  12. Continuous improvement

Achieve ISO 27001 with Ezeelogin

Ezeelogin's user-friendly interface and advanced security features, such as multi-factor authentication, privileged access control, role-based access control, and detailed audit logs and reporting, help to meet various controls in the ISO 27001 security standard. Below are the ISO 27001 controls that can be addressed using Ezeelogin.

| Annex | ISO 27001 control | Requirement | Ezeelogin feature |
|-------|-------------------|-------------|-------------------|
| A.5.15 | Access control | Users shall only be provided with access to the network and network services that they have been specifically authorized to use. | Access control feature |
| A.5.16 | Identity management | To allow for the unique identification of individuals and systems accessing the organization's information and other associated assets and to enable appropriate assignment of access rights. | RBAC, passthrough user, subssh user |
| A.5.18 | Access rights | Asset owners shall review users' access rights at regular intervals. | User reports and access control |
| A.5.24 | Information security incident management planning and preparation | | SIEM integration |
| A.8.3 | Information access restriction | Access to information and application system functions shall be restricted in accordance with the access control policy. | User access control |
| A.8.5 | Secure authentication | Where required by the access control policy, access to systems and applications shall be controlled by a secure log-on procedure. | MFA/two-factor authentication; limit IP; login captcha |
| A.5.17 | Authentication information | Password management systems shall be interactive and shall ensure quality passwords. | Password strength; user password lifetime; maximum days without login / user expiry; force password change / temporary password; password / security code retries |
| A.8.24 | Use of cryptography | A policy on the use of cryptographic controls for protection of information shall be developed and implemented. A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented throughout their whole lifecycle. | Secure information is encrypted and tested; key expiry |
| A.8.2 | Privileged access rights | The allocation and use of privileged access rights should be restricted and managed. | Access control, RBAC |
| A.8.15 | Logging | Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed. | Authentication log; SSH log; RDP recording; SCP log; web activity; shell activity; server activity; user action access control; log encryption; four-eyes authorization |
| A.5.23 | Information security for use of cloud services | Policies and procedures for the secure use of cloud services shall be implemented. | Secure access to AWS, Azure, etc. |
| A.5.30 | ICT readiness for business continuity | ICT shall be prepared to ensure availability and continuity in adverse situations. | Backup and failover support for critical system configurations in Ezeelogin |
| A.8.10 | Deletion of information | Information no longer required shall be securely deleted. | Secure removal of old user logs, activity data, and backups through automated log retention policies |
| A.8.11 | Data masking | Data masking shall be used to protect sensitive information where appropriate. | Sensitive information is encrypted and can be viewed only over HTTPS with 2FA |
| A.8.12 | Data leakage prevention | Measures to prevent unauthorized data leakage shall be implemented. | Action access control (data transfer) and logging features help identify and prevent unauthorized data transfer activities |
| A.8.13 | Information backup | Backup copies of information, software and systems should be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | Ezeelogin backup |
| A.8.16 | Monitoring activities | Monitoring of activities shall be performed to identify anomalous behavior. | User activity logs, session recordings (RDP/SSH), and alerts for suspicious actions; all logs |
| A.8.28 | Secure coding | Principles of secure coding shall be applied to application development. | Secure handling of the Ezeelogin codebase; external integrations and updates are signed and verified (ISO 27001 certified) |

Case Study:

We were approached by an organization seeking to achieve ISO 27001 compliance certification. The company has a large IT infrastructure with numerous servers, switches, routers, data centers, and a large team of employees. As they worked towards certification, they faced several challenges while providing SSH access to their employees for servers, switches, routers, etc. 

  1. Centralized management: Managing these devices and employees in a centralized manner was proving to be difficult.
  2. Password / SSH key rotation: Ensuring the rotation of both server and employee passwords every 30 days was a complex task.
  3. Server access logs for audits: Maintaining server access logs for audit purposes and integrating them with SIEM (Security Information and Event Management) solutions was a challenge.
  4. Log management: They needed to implement log rotation and truncation to efficiently manage storage and avoid log data overload.
  5. Multi-factor authentication: Implementing multi-factor authentication (MFA) for employees accessing servers to enhance security.
  6. Access control: Assigning server access based on job roles was necessary—some employees needed admin privileges, while others required access to non-privileged accounts.
  7. Failover solutions: The organization required a failover solution to ensure continuous access to critical IT infrastructure such as servers, switches, and routers.

The company’s goal was to address these challenges in alignment with ISO 27001 standards to achieve better security, compliance, and operational efficiency. 

How does Ezeelogin help the organization mitigate the above challenges?

Centralized Management: Ezeelogin provides a centralized SSH jump server solution that streamlines SSH access management for Linux servers, routers, switches, and cloud instances. It integrates seamlessly with LDAP/AD for easy user authentication.

Password/SSH Key Rotation: Ezeelogin simplifies password and SSH key management by offering automated root password rotations on servers and the ability to reset SSH keys across multiple remote servers with ease.

Server Access Logs for Audits: With Ezeelogin’s SSH session recording feature, you can track user access and actions on each server, ensuring full transparency. It also provides real-time log access to monitor user activity live.

Log Management: Ezeelogin incorporates log rotation and truncation to effectively manage storage and prevent log data overload. It easily integrates with SIEM solutions such as Splunk and ELK Stack for better log analysis and monitoring.

Multi-Factor Authentication: Ezeelogin supports a variety of multi-factor authentication methods, including Google 2FA, Duo Security, YubiKey, and FIDO2, ensuring enhanced security for user access.

Access Control: Role-based access control (RBAC), PAM, and IAM features allow organizations to assign access based on employee roles and privileges, ensuring strict access governance.

Failover Solutions: Ezeelogin's cluster or master-slave setup ensures seamless failover, providing a reliable solution to mitigate downtime and maintain service continuity.
