We recently published a paper about the role of Privileged Access Management (PAM) in the ISO 27001 standard. ISO 27001 is the world’s most widely recognized Information Security Management System (ISMS) standard.
It forms the core of many enterprise cybersecurity programs and is treated as a baseline by a variety of compliance regimes. Access control, including PAM, runs through its Annex A controls.
What is ISO 27001?
ISO 27001 is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which is why its formal name is ISO/IEC 27001. It specifies the requirements for an ISMS: a managed set of policies, processes and controls intended to protect the confidentiality, integrity and availability of an organization’s information. ISO 27001 is comprehensive, covering virtually all aspects of information security; its Annex A controls address security policy, physical security, incident response and much more. An organization that implements it demonstrably follows internationally accepted information security practice. (The Annex A control numbers cited in this article are those of the 2013 edition; the 2022 revision reorganized and renumbered Annex A, so map them accordingly if you work from the newer text.)
Continual improvement is the standard’s goal. That ethos is embedded in the plan/do/check/act (PDCA) cycle the standard was built around. An organization may declare conformity with ISO 27001 on its own, but a certificate can only be issued by an accredited third-party certification body after an audit; self-assessment is not certification.
ISO 27001 and Compliance
The standard helps organizations comply with regulations such as GDPR, HIPAA and PCI DSS, for two reasons. First, the controls of an ISMS can be selected and configured to match the requirements of a regulation: if a regulation requires certain data to be encrypted, making that encryption mandatory within the ISMS helps satisfy the regulation. In this way the ISO 27001 framework helps an organization understand what it needs to do to comply with a variety of regulations.
Second, ISO 27001 literally requires compliance with the law as part of the ISMS. Section A.18.1, titled “Compliance with legal and contractual requirements,” contains controls that mandate adherence to an organization’s legal and contractual obligations. Specifically, control A.18.1.1, “Identification of applicable legislation and contractual requirements,” requires that all relevant legal, statutory, regulatory and contractual requirements be explicitly identified, documented and kept up to date.
Access Controls in ISO 27001
ISO 27001 covers the entire spectrum of information security. Annex A includes controls for security policy, asset management, cryptography, human resources security, backup and business continuity, and more. Access control, however, figures prominently in the mix. A dedicated control area (A.9, “Access control”) deals with access, but identification, authentication and authorization are crucial to nearly every other area of the framework as well. Encryption, for example, protects nothing if you cannot control who can obtain the keys or log in to the systems that hold the decrypted data.
PAM and ISO 27001
PAM is the area of security concerned with controlling and monitoring users who hold administrative privileges (root on Unix-like systems, Administrator on Windows) or who use privileged accounts. A privileged user is one who has access to the back ends of critical systems. For instance, a privileged user might be authorized to configure a firewall or delete a database user account. Privileged users can also delete or modify data and install or uninstall software. A privileged user could be an employee, a contractor, or an automated application or service account. Given their access to sensitive information and systems, privileged access must be carefully governed. ISO 27001 addresses this requirement both directly and indirectly. Control A.9.2.3, “Management of privileged access rights,” requires that the allocation and use of privileged access rights be restricted and controlled. Control A.9.4.4, “Use of privileged utility programs,” adds another PAM safeguard: the use of utility programs capable of overriding system and application controls must be restricted and tightly controlled.
Multiple sections of the ISO 27001 framework state that privileged user access must be carefully governed, and therefore having PAM software in place is a good start towards meeting compliance.
PAM also arises in Section A.6, “Organization of information security,” A.11, “Physical and environmental security,” and A.15, “Supplier relationships.” It emerges indirectly in A.5, “Information security policies,” A.12, “Operations security,” A.16, “Information security incident management,” and A.18, “Compliance.” Each of these control areas depends on privileged access being granted sparingly and used accountably.
How a PAM Solution Enables ISO 27001 Controls
A PAM solution protects an organization from accidental or deliberate misuse of privileged access and can (and should) be a critical element of an ISMS. It gives the organization one place to see who holds privileged access, and it enables ISO 27001 implementation by providing a secure, centralized mechanism to authorize and monitor every privileged user on every relevant system:
- PAM grants and revokes privileges only for the systems on which a user is authorized.
- PAM removes the need for privileged users to know or hold the local or direct passwords of target systems; credentials are held in a vault and supplied on the user’s behalf.
- PAM manages access quickly and centrally across a disparate set of heterogeneous systems.
- PAM produces a tamper-evident audit trail of every privileged operation.
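As an added, constructed illustration of the first and last points above (it is not WALLIX code and not part of the original paper), the following Python sketch shows a minimal access broker that enforces per-user entitlements to target systems and writes every decision to a hash-chained audit trail. The user names, host names and entitlements are invented. `verify_chain` detects a modified or deleted record, and, when given a trusted copy of the latest hash, also detects a chain that an attacker has completely rewritten.

```python
import hashlib
import json
import time
from dataclasses import asdict, dataclass

# Constructed example of two PAM building blocks: a central authorization check
# and a tamper-evident audit trail. Users, hosts and entitlements are invented.

GENESIS_HASH = "0" * 64  # chain anchor for the first record


@dataclass
class AuditRecord:
    seq: int          # position in the log; a gap reveals a deleted record
    ts: float         # wall-clock time of the decision
    user: str
    target: str
    action: str       # "session" or "revoke"
    outcome: str      # "ALLOW", "DENY" or "DONE"
    prev_hash: str    # hash of the preceding record (GENESIS_HASH for the first)
    hash: str = ""    # SHA-256 over every field above, filled in on append

    def compute_hash(self) -> str:
        # The hash covers the previous record's hash, so editing or removing
        # any earlier record invalidates every record that follows it.
        body = asdict(self)
        body.pop("hash")
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class AccessBroker:
    """Single choke point for privileged access: policy check plus audit append."""

    def __init__(self, entitlements: dict):
        # user -> set of target systems that user is entitled to administer
        self.entitlements = {u: set(t) for u, t in entitlements.items()}
        self.log: list = []

    def _append(self, user: str, target: str, action: str, outcome: str) -> AuditRecord:
        prev = self.log[-1].hash if self.log else GENESIS_HASH
        rec = AuditRecord(len(self.log), time.time(), user, target, action, outcome, prev)
        rec.hash = rec.compute_hash()
        self.log.append(rec)
        return rec

    def request_session(self, user: str, target: str) -> bool:
        """Allow a privileged session only if the user is entitled to the target.
        Both allowed and denied requests are recorded."""
        allowed = target in self.entitlements.get(user, set())
        self._append(user, target, "session", "ALLOW" if allowed else "DENY")
        return allowed

    def revoke(self, user: str, target: str) -> None:
        """Remove an entitlement; the revocation itself is an auditable event."""
        self.entitlements.get(user, set()).discard(target)
        self._append(user, target, "revoke", "DONE")


def verify_chain(log: list, expected_head: str = None) -> bool:
    """Walk the log and re-derive every hash. With expected_head (the latest hash,
    kept somewhere the log writer cannot alter) a fully re-hashed chain is caught too."""
    prev = GENESIS_HASH
    for i, rec in enumerate(log):
        if rec.seq != i or rec.prev_hash != prev or rec.compute_hash() != rec.hash:
            return False
        prev = rec.hash
    if expected_head is not None and prev != expected_head:
        return False
    return True


if __name__ == "__main__":
    broker = AccessBroker({"alice": ["fw-edge-01"], "bob": ["db-prod-01"]})
    print(broker.request_session("alice", "fw-edge-01"))   # True
    print(broker.request_session("alice", "db-prod-01"))   # False
    broker.revoke("alice", "fw-edge-01")
    print(verify_chain(broker.log, broker.log[-1].hash))   # True
```

In a real deployment the broker must be the only route to the target credentials, otherwise the trail records only the users who chose to go through it, and each record's hash (or at least the current head) should be forwarded to write-once storage or a separate system; that external copy is what turns a hash chain from tamper-evident-to-the-writer into tamper-evident-to-the-auditor.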
PAM is a critical element of ISMS, allowing organizations to keep track of all privileged user actions within their IT infrastructure.
The WALLIX PAM Solution for ISO 27001
WALLIX offers a complete PAM solution that aligns well with ISO 27001. Its agentless architecture makes it relatively easy to implement and modify. This quality gives it the ability to be part of the ISMS without adding rigidity to the system. WALLIX’s components each contribute to the fulfillment of ISO 27001 controls and the ISMS:
- WALLIX Access Manager – Governs access to privileged accounts. It centralizes access control by creating a single-entry point. Privileged users request access to a system through the Access Manager, realizing ISO 27001’s access control policy definition and policy enforcement. Access Manager is aware of all sensitive systems a user has permission to access. Super admins can use it to add, modify or delete privileged user accounts.
- WALLIX Password Vault – Holds the real passwords and credentials of critical systems so that privileged users never need to know them. This reduces the risk that someone with physical access to a device bypasses the PAM controls by logging in directly with a known credential, a physical control concern addressed in Section A.11.
- WALLIX Session Manager – Tracks privileged user connections and activities, providing real-time monitoring and recording of all user activities. Session Manager enables detailed audit and accurate incident response, both of which are essential for ISO 27001.
ISO 27001 certification and audit is an arduous process: each control in scope must be implemented and its operation evidenced. PAM can simplify the process and drive more robust, agile compliance with the standard. To learn more about this topic, we invite you to download the full-length paper.