
ISO 27001 on AWS


In this session, we discussed why you might consider getting your business compliant, what that journey looks like, and how to think about applying Annex A controls to your AWS environment. We also shared some tips on how to make the whole process a bit easier.

The Scale Factory

February 23, 2023

Transcript

  1. ISO 27001 ON AWS_
    ANDREW WASILCZUK | he/him/his


  2. $whoami
    Senior Consultant
    Information Security Manager
    Systems guy at heart


  3. GETTING TO
    KNOW YOU_


  4. ISO/IEC 27001
    Defines requirements for an ISMS
    Non-prescriptive
    Risk-based approach

  5. WHY DO WE NEED
    ISO 27001?_


  6. SUPPLIER
    QUESTIONNAIRES_


  7. ANOTHER
    POLL_


  8. WITH
    COMPLIANCE_
    Questionnaires are easier to answer
    …or avoided altogether
    Sales cycle is shorter
    Close bigger deals
    Reduce operational risks

  9. TWO
    PARTS_
    ISO 27001 (mandatory): ISMS requirements
    ISO 27002 (optional): Annex A controls

  10. WHERE DO I START?_


  11. COMPLIANCE
    JOURNEY_
    Establish an ISMS
    Conduct a risk assessment
    Choose Annex A controls
    Establish an AWS account strategy
    Treat the risks (or have a plan)
    Collect evidence
    Schedule your audit

  12. AUTOMATED
    COMPLIANCE
    PLATFORMS_
    TIP


  13. Policy templates
    Risk register
    Asset management
    Evidence collection
    Easier audits
    Multiple standards
    Vulnerability management
    AWS integration
    Security awareness training
    On-boarding/off-boarding flows
    Vendor assessments
    Access review
    Endpoint monitoring

  14. RISK
    REDUCTION
    CYCLE_


  15. IMPLEMENTING
    ANNEX A CONTROLS
    ON AWS_


  16. THE SHARED RESPONSIBILITY MODEL_


  17. 8.15
    LOGGING_
    To record events, generate evidence, ensure the integrity of log information, prevent against unauthorized access, identify information security events that can lead to an information security incident and to support investigations.

  18. 8.15 LOGGING
    DEPENDENCIES_
    5.25 Assessment and decision on information security events
    5.28 Collection of evidence
    5.37 Privacy & protection of PII
    8.10 Information deletion
    8.11 Data masking
    8.16 Monitoring activities
    8.17 Synchronised time sources

  19. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged users)
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in line with the data retention requirements
    Sensitive data in logs is protected
    Log analytics & anomalous behaviour detection

  21. 8.15 LOGGING
    GUIDELINES_
    Log structure & types of events to log
    Protected from de-activation (inc. by privileged users)
    Protected from deletion & modification
    Protected from failure of storage media
    Stored in line with the data retention policy
    Sensitive data protection
    Log analytics & anomalous behaviour detection

  23. {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail"
          ],
          "Resource": "*",
          "Effect": "Deny"
        }
      ]
    }
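As an added example (not part of the deck), the checks below map the 8.15 guideline bullets onto CloudTrail settings and verify that an SCP like the one on the slide really denies trail tampering. The sample trail, status and SCP dicts are constructed to look like boto3 `describe_trails()`/`get_trail_status()` output; no AWS calls are made.

```python
import json

# Constructed sample trail, shaped like boto3 describe_trails() output
# (trimmed to the fields the checks use; not real account data).
SAMPLE_TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,  # digest files off: integrity gap
    "KmsKeyId": None,                   # no KMS key: logs not encrypted with a CMK
}
# Shaped like get_trail_status() output.
SAMPLE_STATUS = {"IsLogging": True}

# The SCP shown on the slide, parsed into a dict.
SAMPLE_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                 "Resource": "*", "Effect": "Deny"}]
}""")
REQUIRED_DENIES = {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"}


def assess_trail(trail: dict, status: dict) -> list:
    """Return findings, each prefixed with the 8.15 guideline bullet it maps to."""
    findings = []
    if not status.get("IsLogging"):
        findings.append("de-activation: trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("types of events: single-region trail misses other regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("deletion & modification: log file validation disabled")
    if not trail.get("KmsKeyId"):
        findings.append("sensitive data: log files not encrypted with a KMS key")
    return findings


def scp_denies_trail_tampering(scp: dict) -> bool:
    """True if Deny statements on Resource "*" cover every action in REQUIRED_DENIES.
    Only literal action names are matched; wildcards such as cloudtrail:* are ignored."""
    denied = set()
    for stmt in scp.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        resources = stmt.get("Resource", [])
        if "*" not in ([resources] if isinstance(resources, str) else resources):
            continue
        actions = stmt.get("Action", [])
        denied.update([actions] if isinstance(actions, str) else actions)
    return REQUIRED_DENIES <= denied
```

Against the constructed trail this reports two findings (no log file validation, no KMS key), which are exactly the "deletion & modification" and "sensitive data" bullets from the guideline slide.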


  27. AWS ACCOUNT
    STRATEGY_


  28. AWS
    CONTROL TOWER_
    Centralised audit logging (AWS CloudTrail)
    AWS account management
    AWS IAM Identity Center
    Ready-baked controls:
    Preventative (Service Control Policies)
    Detective (AWS Config)
    Proactive (AWS CloudFormation Hooks)
    Compliance dashboard

  29. YOUR NEXT STEPS_
    FREE CONSULTATION: ISO 27001 AWS READINESS ASSESSMENT
    A review of your current AWS practice.
    FREE CONSULTATION: ISO 27001 AWS RISK ASSESSMENT REVIEW
    A review of the AWS risks you've identified, and advice on risk treatment.

  30. FINAL
    POLL_


  31. KEEP IN
    TOUCH_
    http://www.scalefactory.com/
    https://github.com/scalefactory
    @scalefactory
    [email protected]