What is ISO 27001 and Why it Matters for Compliance Standards

ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS), and its controls are built around recognized security best practices. An ISO 27001 certification can therefore be taken as evidence that an organization takes information security seriously and manages it through a documented, independently audited system rather than through ad hoc controls.

While there is no rule requiring organizations to become ISO 27001 certified, there are three main reasons why an organization might choose to become ISO 27001 certified.

ISO 27001 helps with other regulations

The first of these reasons is that many organizations are already subject to regulatory mandates governing their information systems, and an ISO 27001 certification can make complying with such regulations easier (in some cases, the regulations may be based on ISO 27001).

Although an ISO 27001 certification does not always guarantee compliance with other regulations such as HIPAA or PCI DSS, those regulations are commonly built on the same security best practices. Adhering to the ISO 27001 certification requirements can therefore reduce both the cost and the complexity of meeting other regulatory requirements, because much of the evidence and many of the controls can be reused.

Flaunt your ISO 27001 cert
A second reason why organizations sometimes work to become ISO 27001 certified is that the certification can be valuable from a marketing perspective. Prospective clients can take an organization's ISO 27001 certification as independently audited evidence that their data will be handled and maintained in a secure manner.

It is also worth noting that some companies contractually require the vendors that they work with to be ISO 27001 certified.

It’s a good idea to have a dedicated webpage citing your up-to-date security certifications and compliance standards. Many have logos or badges you can affix to your page. If you’d prefer not to publish them, you can always use a PDF or supplemental infosheet when your sales or partnerships team is working through negotiations.

Finally, the third and perhaps most compelling reason for becoming ISO 27001 certified is that the certification process can help your organization to become more secure. After all, the certification process requires the organization to complete a comprehensive risk assessment and to take steps to mitigate those risks.

This means that an organization that wishes to become ISO 27001 certified will be forced to take an honest look at its current security posture and to address any areas that do not measure up. Assuming that an organization sees this process through to completion, the outcome should be measurably better security.

As is the case with so many other certifications, achieving an ISO 27001 certification is not a simple process. ISO itself develops the certification framework, but does not certify organizations as compliant.

In order to become certified, an organization will need to work with an external certification body. The entire process can take anywhere from several months to over a year to complete.

Why isn’t everyone ISO 27001 certified?
One of the things that makes ISO 27001 certification so difficult is that it requires an organization to review, document, and remediate (where necessary) every process that falls within the scope of its ISMS.

While working through this process, organizations often find that processes and procedures they have relied on for years are inadequate when measured against the certification requirements.

For example, organizations that are working toward an ISO 27001 certification must prove to auditors that they have a strong password policy in place and that they rigorously adhere to that policy (the Annex A controls on authentication information, A.5.17 in the 2022 edition and A.9.4.3 in the 2013 edition, cover this).

Unfortunately, this may mean more than just requiring users to use strong passwords and change them on a periodic basis. Current guidance such as NIST SP 800-63B in fact advises against forced periodic rotation and instead recommends screening new passwords against lists of known-breached and commonly used values, so auditors will expect to see controls beyond a minimum length and an expiry interval.

Secure your ISO 27001 certification with a stronger password policy tool

One of the best ways for an organization to ensure that their password policy is as strong as possible is to start with Specops Password Policy. This on-prem or hybrid software solution augments the capabilities that are built into Active Directory Group Policy.

Like native Group Policy, Specops Password Policy allows organizations to enforce length and complexity requirements, but it also adds capabilities not natively included in Active Directory, such as the ability to block consecutive repeated characters.

Specops Password Policy also includes several other features that enhance password security even further.

Block over 2 billion known breached passwords
First and foremost, Specops Password Policy compares users’ passwords against a list of over two billion passwords that are known to have been leaked.

When a password is leaked, it is added to the wordlists attackers use for dictionary attacks and, for unsalted hashes, to precomputed lookup tables. An attacker who obtains a password hash can then recover the password with a lookup or a quick dictionary run rather than taking the time to brute-force it.

By preventing users from choosing a password that is known to have been leaked, an organization can significantly reduce the chance that the password will be guessed or cracked.

Implement custom password dictionaries
Another way in which Specops Password Policy helps to enhance password security is through the use of dictionaries. When a user attempts to change a password, the new password is compared against a dictionary of common words and phrases so that it cannot be trivially guessed by a dictionary attack.

Additionally, Specops allows organizations to create custom dictionaries of words that should not be included in passwords.

For example, an organization might use a custom dictionary to prevent the organization’s name or product names from being used in passwords. Just take a look at the data from the recent Nvidia breach, where a shocking number of end users had product terms, the word "Nvidia", and other obvious terms in their now-breached passwords.
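The three checks described above (blocking consecutive repeated characters, rejecting known-breached passwords, and enforcing a custom dictionary) are simple to illustrate in code. The following is an added example, not code from the original article or from Specops; the breached-password set and the custom dictionary are constructed stand-ins, and a real deployment would hold SHA-1 or NTLM hashes of billions of leaked passwords (or query a range API by hash prefix) rather than the handful hashed inline here. It also undoes common "leetspeak" substitutions before the dictionary check so that "W1dg3t" still matches "widget", which is the kind of evasion a plain substring match misses.

```python
import hashlib
import re

# Constructed stand-in for a breached-password list. Real deployments hold
# hashes of billions of leaked passwords; a handful of well-known ones are
# hashed inline here so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Summer2023!")
}

# Constructed custom dictionary: organisation and product names that must
# not appear anywhere in a password.
CUSTOM_DICTIONARY = ("acme", "widget", "rocket")

# Common character substitutions ("leetspeak") undone before the dictionary
# check, so "W1dg3t" still matches "widget".
LEET_TABLE = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and de-leet a password for dictionary matching."""
    return password.lower().translate(LEET_TABLE)


def has_identical_run(password: str, limit: int = 3) -> bool:
    """True if any character is repeated `limit` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (limit - 1), password) is not None


def has_sequence(password: str, length: int = 4) -> bool:
    """True if `length` consecutive chars step by +1 or -1 ("abcd", "4321")."""
    for i in range(len(password) - length + 1):
        window = password[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_breached(password: str) -> bool:
    """Compare the SHA-1 of the candidate against the breached-hash set."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def dictionary_hits(password: str) -> list[str]:
    """Return the dictionary words found inside the normalized password."""
    norm = normalize(password)
    return [w for w in CUSTOM_DICTIONARY if w in norm]


def evaluate(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy rules a candidate password violates.

    An empty list means the password passes every rule.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too_short")
    if has_identical_run(password):
        reasons.append("repeated_chars")
    if has_sequence(password):
        reasons.append("sequential_chars")
    if is_breached(password):
        reasons.append("breached")
    reasons.extend(f"dictionary:{w}" for w in dictionary_hits(password))
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2023!", "MyW1dget!!2024",
                      "Aaaa1234567890xyz", "C0rrect-Horse-Battery-Staple-42"):
        print(f"{candidate!r:40} -> {evaluate(candidate) or 'OK'}")
```

Note that the breached check compares hashes rather than plaintext so the reference list never has to hold the leaked passwords themselves, and that the dictionary match is a substring match on the normalized form, which is why a product name wrapped in digits and punctuation is still rejected.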

Perhaps of most interest to those who are seeking an ISO 27001 certification, Specops Password Policy includes compliance-specific templates and reporting tools that can be used to make sure that the organization’s password policy aligns with the requirements set forth by NIST, SANS, PCI DSS, and others.

If you’re ready to take the ISO 27001 certification plunge, do it with the help of Specops. You can test out our software in your Active Directory for free, any time.

source - https://www.bleepingcomputer.com/news/security/what-is-iso-27001-and-why-it-matters-for-compliance-standards/