ISO/IEC 27001 Compliance

Last modified 21 Mar 2024 18:17 +01:00
Work in progress!

ISO/IEC 27000 Series of standards deal with information security management systems (ISMS), an essential building block of cybersecurity. The standard series describes best practice in the field, providing recommendations and guidance.

  • ISO/IEC 27000 specification provides an introduction and a vocabulary.

    ISO 27000 vocabulary was mapped to midPoint vocabulary to improve understanding. Moreover, some terms of midPoint vocabulary were adapted to standard ISO27000 vocabulary.

  • ISO/IEC 27001 specification is the normative core of 27000 series. It specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Annex A of the specification provides list of concrete information security controls.

  • ISO/IEC 27002 specification provides additional information on best practice and further guidance for implementation and maintenance of information security management system (ISMS). Controls listed in ISO 27001 Annex A are further explained in ISO 27002 document.

Mapping of MidPoint Features

Control ID Control Name Necessity Implementation Overview Number of Features
5.1 Policies for information security optional MidPoint can provide essential data for definition and maintenance of security policies. 5
5.2 Information security roles and responsibilities necessary MidPoint provides essential management capabilities of roles and responsibilities by using its advanced role-based access control (RBAC) mechanisms. 7
5.3 Segregation of duties necessary MidPoint can manage, monitor and enforce segregation of duties (SoD) policies through the organization. 7
5.4 Management responsibilities not-applicable -
5.5 Contact with authorities not-applicable -
5.6 Contact with special interest groups not-applicable -
5.7 Threat intelligence marginal MidPoint can provide additional information for operational threat intelligence, such as current or past access rights of users affected by a threat. 5
5.8 Information security in project management necessary MidPoint can manage projects as organizational units, including project governance information (managers, sponsors, reviewers). 7
5.9 Inventory of information and other associated assets optional MidPoint can manage applications, roles and entitlements that are closely related to assets. 3
5.10 Acceptable use of information and other associated assets optional Audit trail, object history and meta-data can be used to record access rights information. 6
5.11 Return of assets marginal MidPoint can record ownership of devices, tokens and licenses using the concept of "service". 2
5.12 Classification of information optional MidPoint has a native information classification feature, which can be used to set up classification and clearance schemes. 5
5.13 Labelling of information optional Applications can be classified using the defined classification scheme. 4
5.14 Information transfer optional MidPoint can use classifications and policy rules to limit and partially control information transfer. 4
5.15 Access control necessary Policy-driven role-based access control mechanism of midPoint can be used as a solid framework for a topic-specific policy on access control, especially the Policy-driven RBAC mechanism. 21
5.16 Identity management necessary MidPoint platform with all of its features is designed to support identity management and all its aspects. 28
5.17 Authentication information necessary MidPoint is designed to manage authentication information, especially passwords. 5
5.18 Access rights necessary MidPoint is an essential component to make sure access to information is provisioned, reviewed, modified and removed in accordance with policies. 20
5.19 Information security in supplier relationships optional Supplier identities can be managed by midPoint, including their access rights and relation to supplier organizations. 13
5.20 Addressing information security within supplier agreements optional Some of the supplier contractual agreements can be enforced by midPoint policies. 7
5.21 Managing information security in the ICT supply chain marginal MidPoint can provide inventory of applications, including their classifications. 3
5.22 Monitoring, review and change management of supplier services marginal MidPoint can provide some monitoring and inventory capabilities for applications. 3
5.23 Information security for use of cloud services optional MidPoint can automatically manage access to cloud services. 7
5.24 Information security incident management planning and preparation optional MidPoint can provide useful information for preparation of incident management plans. MidPoint roles can be used to pre-configure emergency access control which can be used during incident response. 4
5.25 Assessment and decision on information security events marginal MidPoint can provide supplementary information for security event classification. 5
5.26 Response to information security incidents optional MidPoint provides essential information for incident response, as well as rapid immediate actions to contain the incident and ensure business continuity. 7
5.27 Learning from information security incidents optional MidPoint can provide essential information for ex-post investigation and processing of incidents, covering both the actions of attackers and responders. 5
5.28 Collection of evidence optional MidPoint is one of important sources of evidence for incident investigation. Additionally, midPoint access control capabilities can be used to preserve evidence. 7
5.29 Information security during disruption optional MidPoint maintains all policies and rules during incident response. Pre-configure emergency access control can be used during incident response. Synchronization can be used to restore security after disruption. 10
5.30 ICT readiness for business continuity optional MidPoint can be used to quickly prepare replacement system in case of disruption. Pre-configure emergency access control can be used during incident response. 7
5.31 Legal, statutory, regulatory and contractual requirements optional MidPoint documentation provides overview and guidance for compliance with several compliance frameworks. Integral documentation of midPoint can be used to document fulfillment of specific compliance requirements. 8
5.32 Intellectual property rights optional MidPoint can provide data essential for management of licenses and other intellectual property rights. 6
5.33 Protection of records optional MidPoint has several mechanisms to ensure long-term retention of essential information. 12
5.34 Privacy and protection of PII necessary MidPoint provides features that are necessary for maintaining privacy at scale, especially when dealing with consumer identities, external collaborators and similar broad user communities. 14
5.35 Independent review of information security not-applicable -
5.36 Compliance with policies, rules and standards for information security necessary MidPoint provides many essential capabilities for verifying, reviewing and demonstrating compliance, as well as implementation of corrective actions. 10
5.37 Documented operating procedures optional MidPoint has built-in documentation capabilities that assist in documenting operation procedures and responsibilities. 5
6.1 Screening optional Capabilities to manage identity lifecycle, clearances and enforce policy rules are instrumental in enforcing effects of personnel screening by midPoint. 9
6.2 Terms and conditions of employment not-applicable -
6.3 Information security awareness, education and training optional MidPoint capabilities provide convenient support for security trainings, re-trainings, enforcing access policies and spreading of cybersecurity awareness. 8
6.4 Disciplinary process optional MidPoint can be used as a tool to easily reduce access rights of users that violate the policy. 4
Was this page helpful?
Thanks for your feedback