ISO/IEC 27001 Compliance
Work in progress!
The ISO/IEC 27000 series of standards deals with information security management systems (ISMS), an essential building block of cybersecurity. The series describes best practice in the field, providing recommendations and guidance.
- The ISO/IEC 27000 specification provides an introduction to the series and its vocabulary. The ISO 27000 vocabulary was mapped to the midPoint vocabulary to improve understanding; moreover, some midPoint terms were adapted to the standard ISO 27000 vocabulary.
- The ISO/IEC 27001 specification is the normative core of the 27000 series. It specifies requirements for establishing, implementing, maintaining and continually improving an ISMS. Annex A of the specification provides a list of concrete information security controls.
- The ISO/IEC 27002 specification provides additional information on best practice and further guidance for the implementation and maintenance of an ISMS. The controls listed in ISO 27001 Annex A are explained in more detail in ISO 27002.
Mapping of MidPoint Features
Control ID | Control Name | Necessity | Implementation Overview | Number of Features |
---|---|---|---|---|
5.1 | Policies for information security | optional | MidPoint can provide essential data for the definition and maintenance of security policies. | 5 |
5.2 | Information security roles and responsibilities | necessary | MidPoint provides essential management capabilities of roles and responsibilities by using its advanced role-based access control (RBAC) mechanisms. | 7 |
5.3 | Segregation of duties | necessary | MidPoint can manage, monitor and enforce segregation of duties (SoD) policies throughout the organization. | 7 |
5.4 | Management responsibilities | not-applicable | - | |
5.5 | Contact with authorities | not-applicable | - | |
5.6 | Contact with special interest groups | not-applicable | - | |
5.7 | Threat intelligence | marginal | MidPoint can provide additional information for operational threat intelligence, such as current or past access rights of users affected by a threat. | 5 |
5.8 | Information security in project management | necessary | MidPoint can manage projects as organizational units, including project governance information (managers, sponsors, reviewers). | 7 |
5.9 | Inventory of information and other associated assets | optional | MidPoint can manage applications, roles and entitlements that are closely related to assets. | 3 |
5.10 | Acceptable use of information and other associated assets | optional | Audit trail, object history and meta-data can be used to record access rights information. | 6 |
5.11 | Return of assets | marginal | MidPoint can record ownership of devices, tokens and licenses using the concept of "service". | 2 |
5.12 | Classification of information | optional | MidPoint has a native information classification feature, which can be used to set up classification and clearance schemes. | 5 |
5.13 | Labelling of information | optional | Applications can be classified using the defined classification scheme. | 4 |
5.14 | Information transfer | optional | MidPoint can use classifications and policy rules to limit and partially control information transfer. | 4 |
5.15 | Access control | necessary | The policy-driven role-based access control (PD-RBAC) mechanism of midPoint can be used as a solid framework for a topic-specific policy on access control. | 21 |
5.16 | Identity management | necessary | MidPoint platform with all of its features is designed to support identity management and all its aspects. | 28 |
5.17 | Authentication information | necessary | MidPoint is designed to manage authentication information, especially passwords. | 5 |
5.18 | Access rights | necessary | MidPoint is an essential component to make sure access to information is provisioned, reviewed, modified and removed in accordance with policies. | 20 |
5.19 | Information security in supplier relationships | optional | Supplier identities can be managed by midPoint, including their access rights and relation to supplier organizations. | 13 |
5.20 | Addressing information security within supplier agreements | optional | Some of the supplier contractual agreements can be enforced by midPoint policies. | 7 |
5.21 | Managing information security in the ICT supply chain | marginal | MidPoint can provide inventory of applications, including their classifications. | 3 |
5.22 | Monitoring, review and change management of supplier services | marginal | MidPoint can provide some monitoring and inventory capabilities for applications. | 3 |
5.23 | Information security for use of cloud services | optional | MidPoint can automatically manage access to cloud services. | 7 |
5.24 | Information security incident management planning and preparation | optional | MidPoint can provide useful information for preparation of incident management plans. MidPoint roles can be used to pre-configure emergency access control which can be used during incident response. | 4 |
5.25 | Assessment and decision on information security events | marginal | MidPoint can provide supplementary information for security event classification. | 5 |
5.26 | Response to information security incidents | optional | MidPoint provides essential information for incident response, as well as rapid actions to contain the incident and ensure business continuity. | 7 |
5.27 | Learning from information security incidents | optional | MidPoint can provide essential information for ex-post investigation and processing of incidents, covering both the actions of attackers and responders. | 5 |
5.28 | Collection of evidence | optional | MidPoint is one of the important sources of evidence for incident investigation. Additionally, midPoint access control capabilities can be used to preserve evidence. | 7 |
5.29 | Information security during disruption | optional | MidPoint maintains all policies and rules during incident response. Pre-configured emergency access control can be used during incident response. Synchronization can be used to restore security after disruption. | 10 |
5.30 | ICT readiness for business continuity | optional | MidPoint can be used to quickly prepare a replacement system in case of disruption. Pre-configured emergency access control can be used during incident response. | 7 |
5.31 | Legal, statutory, regulatory and contractual requirements | optional | MidPoint documentation provides an overview of, and guidance for, compliance with several compliance frameworks. The built-in documentation capabilities of midPoint can be used to document fulfillment of specific compliance requirements. | 8 |
5.32 | Intellectual property rights | optional | MidPoint can provide data essential for management of licenses and other intellectual property rights. | 6 |
5.33 | Protection of records | optional | MidPoint has several mechanisms to ensure long-term retention of essential information. | 12 |
5.34 | Privacy and protection of PII | necessary | MidPoint provides features that are necessary for maintaining privacy at scale, especially when dealing with consumer identities, external collaborators and similar broad user communities. | 14 |
5.35 | Independent review of information security | not-applicable | - | |
5.36 | Compliance with policies, rules and standards for information security | necessary | MidPoint provides many essential capabilities for verifying, reviewing and demonstrating compliance, as well as implementation of corrective actions. | 10 |
5.37 | Documented operating procedures | optional | MidPoint has built-in documentation capabilities that assist in documenting operating procedures and responsibilities. | 5 |
6.1 | Screening | optional | MidPoint capabilities to manage identity lifecycle and clearances, and to enforce policy rules, are instrumental in enforcing the results of personnel screening. | 9 |
6.2 | Terms and conditions of employment | not-applicable | - | |
6.3 | Information security awareness, education and training | optional | MidPoint capabilities provide convenient support for security training and re-training, enforcing access policies and spreading cybersecurity awareness. | 8 |
6.4 | Disciplinary process | optional | MidPoint can be used as a tool to easily reduce access rights of users that violate the policy. | 4 |
6.5 | Responsibilities after termination or change of employment | optional | Identity lifecycle and policy-driven role-based access control (PD-RBAC) mechanism are instrumental in handling privileges in termination/change situations. | 14 |
6.6 | Confidentiality or non-disclosure agreements | optional | Information classification and clearance mechanism can be used to enforce presence of appropriate agreements. | 8 |