
ISO 27001 on AWS


In that session, we discussed why you might consider getting your business compliant, what that journey looks like, and how to think about applying Annex A controls to your AWS environment. We also shared some tips on how to make this whole process a bit easier.

The Scale Factory

February 23, 2023

Transcript

  1. WITH COMPLIANCE_
     - Questionnaires are easier to answer, or avoided altogether
     - Sales cycle is shorter
     - Close bigger deals
     - Reduce operational risks
  2. COMPLIANCE JOURNEY_
     1. Establish an ISMS
     2. Conduct a risk assessment
     3. Choose Annex A controls
     4. Establish an AWS account strategy
     5. Treat the risks (or have a plan)
     6. Collect evidence
     7. Schedule your audit
  3. - Policy templates
     - Risk register
     - Asset management
     - Evidence collection
     - Easier audits
     - Multiple standards
     - Vulnerability management
     - AWS integration
     - Security awareness training
     - On-boarding/off-boarding flows
     - Vendor assessments
     - Access review
     - Endpoint monitoring
  4. 8.15 LOGGING_
     "To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations."
  5. 8.15 LOGGING DEPENDENCIES_
     - 5.25 Assessment and decision on information security events
     - 5.28 Collection of evidence
     - 5.37 Privacy & protection of PII
     - 8.10 Information deletion
     - 8.11 Data masking
     - 8.16 Monitoring activities
     - 8.17 Synchronised time sources
  6. 8.15 LOGGING GUIDELINES_
     - Log structure & types of events to log
     - Protected from de-activation (inc. by privileged users)
     - Protected from deletion & modification
     - Protected from failure of storage media
     - Stored in line with the data retention requirements
     - Sensitive data in logs is protected
     - Log analytics & anomalous behaviour detection
  7. 8.15 LOGGING GUIDELINES_
     - Log structure & types of events to log
     - Protected from de-activation (inc. by privileged users)
     - Protected from deletion & modification
     - Protected from failure of storage media
     - Stored in line with the data retention policy
     - Sensitive data protection
     - Log analytics & anomalous behaviour detection
  10. AWS CONTROL TOWER_
     - Centralised audit logging (AWS CloudTrail)
     - AWS account management
     - AWS IAM Identity Center
     - Ready-baked controls:
       - Preventative (Service Control Policies)
       - Detective (AWS Config)
       - Proactive (AWS CloudFormation Hooks)
     - Compliance dashboard
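     The 8.15 guidelines "protected from de-activation (inc. by privileged users)" and "protected from deletion & modification" map directly onto the preventative Service Control Policies listed above. The following SCP is an added example, not a policy from the deck or from AWS Control Tower itself: attached to the member-account OUs, it denies stopping, deleting or reconfiguring the organisation trail and denies deleting or weakening the retention of the log-archive bucket, while exempting one break-glass role. The trail name, bucket name and role ARN are assumed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ProtectOrgTrailFromDeactivation",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/org-audit-trail",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/LogAdminBreakGlass"
        }
      }
    },
    {
      "Sid": "ProtectLogArchiveBucket",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutBucketPolicy",
        "s3:PutLifecycleConfiguration",
        "s3:PutBucketVersioning"
      ],
      "Resource": [
        "arn:aws:s3:::org-log-archive-bucket",
        "arn:aws:s3:::org-log-archive-bucket/*"
      ]
    }
  ]
}
```

     SCPs never apply to the organisation's management account, so the trail and its bucket belong in a dedicated log-archive member account for the policy to protect them. Use of the break-glass role itself is recorded in CloudTrail, which is the evidence an auditor will ask for under 5.28.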
  11. YOUR NEXT STEPS_
     - FREE CONSULTATION: ISO 27001 AWS READINESS ASSESSMENT. A review of your current AWS practice.
     - FREE CONSULTATION: ISO 27001 AWS RISK ASSESSMENT REVIEW. A review of the AWS risks you've identified, and advice on risk treatment.