Apr 27, 2023 - 3:35 p.m.

New InsightCloudSec Compliance Pack: Implementing and Enforcing ISO 27001:2022

Diamond Fair


James Alaniz and Diamond Fair contributed to this article.

We’ve been on quite a roll lately releasing new compliance packs, along with iterative updates to others that we’ve supported for a while now. We’re not done yet, either! In this article, we’ll discuss our newly released compliance pack for InsightCloudSec: ISO 27001:2022.

InsightCloudSec has supported an ISO 27001 compliance pack out-of-the-box for some time now. However, when ISO released the update for 2022, we developed an alternative for folks that opt to implement the new guidelines.

As is the case with any of the compliance standards and frameworks we support with InsightCloudSec, the new pack aligns our Insights with the requirements ISO has outlined (in this case, specifically within Annex A) to help organizations continuously assess compliance with the standard whether for their own internal processes or as they pursue certification.

We’ll dive into how you can use InsightCloudSec to do just that a little later in this post, but first, let’s take a step back and talk a bit about the standard itself and why it’s important.

What is ISO 27001 and why does it matter?

The International Organization for Standardization (ISO) is a worldwide, nongovernmental federation of national standards bodies with representatives from more than 160 countries. The organization brings those bodies together to formulate, maintain and evolve a set of international standardization guidelines that can be widely applied.

ISO 27001 is a widely adopted standard for implementing a strong and resilient security program. The foundation of this standard is what ISO refers to as the “CIA triad”, which, contrary to what you may immediately think of, has nothing to do with the Central Intelligence Agency. In this instance, “CIA” refers to:

  • Confidentiality, which means ensuring sensitive information is only accessible to the people who should have access to it.
  • Information Integrity, which is targeted toward making sure company and customer data is stored securely and is not erased or damaged in any other way.
  • Availability of Data, which means that those who can and should have access to information are able to access it freely whenever and wherever they need to.

Achieving ISO 27001 certification demonstrates your commitment to information security and signals to customers and partners that you’re taking the necessary steps to protect the sensitive information you’re being entrusted with.

ISO 27001 is intended to provide guidance to companies of all sizes, industries and maturity levels on how to effectively define, implement, manage and continually improve their security program. While this means it will be applicable to a wide range of organizations, it also means you may need to address exceptions or take additional measures that are uniquely applicable to your needs (based on the composition of your business and of your IT environment).

So what’s new with 2022?

ISO 27001:2022 brought some updated guidance for organizations, while keeping the same foundational principles that were already in place.

The major updates included:

Despite adding 11 net-new controls, the 2022 version has significantly fewer controls in total than the 2013 version, dropping from 114 to 93. The driving force behind the reduction was the consolidation of controls rather than their outright removal.

The control groups have also been consolidated, down from 14 previously to 4:

  • Organizational controls (contains 37 controls)
  • People controls (contains 8 controls)
  • Physical controls (contains 14 controls)
  • Technological controls (contains 34 controls)

Using InsightCloudSec to Track and Enforce Compliance with ISO 27001:2022

InsightCloudSec allows security teams to establish and continuously measure compliance against common industry frameworks, cloud provider best practices and/or custom policies tailored to specific business needs. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with your organization’s policies.
If a resource or account is created or modified in a way that causes a policy violation, InsightCloudSec will detect it within seconds. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration or permissions—without any human intervention.

[Screenshot: the ISO 27001:2022 compliance pack in InsightCloudSec]

Because we’ve woven compliance throughout InsightCloudSec, you’re able to use our packs to prioritize your risk remediation efforts. In the screenshot below, you’ll see that within Layered Context, you’re able to apply a filter for insight findings related to a specified pack, including the ISO 27001:2022 pack.

[Screenshot: Layered Context filtered to insight findings from the ISO 27001:2022 pack]

When coupled with other filters—such as insight severity and public accessibility—the InsightCloudSec ISO 27001:2022 compliance pack helps you make more informed decisions when prioritizing which risk signals need your attention first.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!