Back in 2019, Microsoft CEO Satya Nadella famously said “Every company is now a software company,” and that sentiment could now be modified to “Every company is now a Software-as-a-Service company.” As organizations strive to create user-centric experiences and integrate with IOT capabilities, security certifications such as ISO 27001 play a central role in helping customers build the required trust in those applications. ISO.org publishes annual statistics on organizations with certificates, allowing us to track this growth directly. Between 2011 and 2015, roughly 2,000 new organizations earned their ISO 27001 certificate per year. After 2015, we see a significant upward trend, to 6,000 new organizations per year and climbing. In the 2021 report, I expect that we’ll see more than 50,000 ISO 27001-certified organizations globally (source: https://www.iso.org/the-iso-survey.html). This means if ISO 27001, or the similar AICPA SOC2 Type II, isn’t part of your compliance program yet, it probably will be.
Identity and Access Management play key roles in multiple ISO 27001 controls, and a strong IAM solution can play a key role in a successful ISO audit, or audit in any other framework. In the name of familiarity, we’ll use the ISO 27001:2013 framework for this discussion. The ISO 27002:2022 update was recently announced, which brings significant change to the organization of controls, however for the scope of this discussion there are no material impacts – the intent of the IAM controls is expected to be consistent.
Granting and Revoking access (A.9.2) Arguably one of the most important controls regarding identity, a huge amount of resources during an ISO audit are dedicated to testing that users have appropriate access. While an ISO27001 audit has fairly limited sampling (the process where an auditor selects a sample of employees that you must provide evidence for), a SOC2 audit can require pulling information from dozens of employees. Multiply that across all the critical applications you have in your organization, and without centralized IAM, you can easily be looking at creating hundreds of pieces of evidence. With an IAM solution, organizations can tie access to roles within their HR system. This automation creates a path that once demonstrated, proves effectiveness for all employees, strengthening security and reducing audit effort.
Validating appropriate access (A.9.4): Ensuring appropriate access to data across an employee’s lifecycle is also critical to data security. Employees rarely stay in the same role, but as they move around the organization, their data access must also change to reflect their new roles. Often, access is not removed, resulting in an employee with more permissions than they should, and in the worst-case scenario, can create a toxic pair where an individual has the ability to circumvent security or fraud controls. IAM solutions that can integrate into the permission sets of downstream applications help ensure that access is automatically modified to be appropriate to the employee’s current role.
Enforcing Annual Training (A.7.2.2): Let’s face it, no one likes annual requirements for security training. As security and IT professionals, however, we know that individuals do need frequent reminders around phishing, corporate policies, and data privacy. By tying the training systems into centralized IAM, new-hire and annual training can be enforced through gateways. I have seen organizations save hours of emails and follow-ups with managers per week by building a gateway around annual training – if the course isn’t completed on time, employees automatically lose access to all applications except email and the training system until training is complete. Once the course is finished, access to systems is automatically restored. This simple automation improves security, compliance, and saves money. It’s not often Compliance can get a win/win/win!
Though we’ve only touched on a few controls in the ISO 27001:2013 framework, there are many other places where centralized IAM can provide cost savings and security improvements – from ensuring all applications have multifactor authentication and consistent password policies, to automated enforcement of access policies, and enabling centralized access logging. In addition, organizations are able to gain these benefits while improving employee access to data and reducing frustration by allowing a single identity across all of the applications and systems in use. If you’re like me, as you continue down your IAM journey, you’ll find new opportunities around each corner. Share your experiences with the community, and good luck with your next audit!