ISO27001 Compliance

Last modified 27 Feb 2024 12:17 +01:00
Work in progress!

The ISO/IEC 27000 series of standards deals with information security management systems (ISMS), an essential building block of cybersecurity. The series describes best practice in the field, providing recommendations and guidance.

  • The ISO/IEC 27000 specification provides an introduction and a vocabulary.

    The ISO 27000 vocabulary was mapped to the midPoint vocabulary to improve understanding. Moreover, some terms of the midPoint vocabulary were adapted to the standard ISO 27000 vocabulary.

  • The ISO/IEC 27001 specification is the normative core of the 27000 series. It specifies requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Annex A of the specification provides a list of concrete information security controls.

  • The ISO/IEC 27002 specification provides additional information on best practice and further guidance for the implementation and maintenance of an information security management system (ISMS). The controls listed in ISO 27001 Annex A are further explained in the ISO 27002 document.

Mapping of MidPoint Features

Each entry below gives the control ID and name, the necessity of midPoint for the control (necessary or optional), an implementation overview, and the midPoint features involved.

A.5.1 Policies for information security
  Necessity: optional
  Implementation overview: MidPoint can provide essential data for the definition and maintenance of security policies. MidPoint reporting can be used to extract information from identity data (identity analytics). Simulation capabilities can be used to predict the effect of proposed policies.
  Features: Reporting, Audit trail, Application inventory

A.5.2 Information security roles and responsibilities
  Necessity: necessary
  Implementation overview: MidPoint provides essential management capabilities for roles and responsibilities by using its advanced role-based access control (RBAC) mechanisms. Roles can be defined in midPoint, including all necessary privileges, role hierarchies, policies and descriptive data. Role governance can be managed in midPoint, recording role owners and approvers. The simulation capability can be used to predict the effect of role model changes.
  Features: Role-based access control, Role governance, Role catalog, Role mining

A.5.3 Segregation of duties
  Necessity: necessary
  Implementation overview: MidPoint can manage, monitor and enforce segregation of duties (SoD) policies throughout the organization. SoD policies can be defined on the role level (role exclusion) or on the role-class level (meta-role), with selective enforcement. The policies can be enforced gradually: policy violations are reported first, then addressed one by one, and full policy enforcement is applied once all violations are resolved. SoD violations can optionally be driven through an approval process to "legalize" them.
  Features: Segregation of duties, Policy rule, Gradual policy enforcement, Approval process

A.5.8 Information security in project management
  Necessity: necessary
  Implementation overview: MidPoint can manage projects as organizational units, including project governance information (managers, sponsors, reviewers). Privileges necessary for project members and managers can be assigned automatically. As midPoint organizational structures act as roles (abstract roles), all necessary policies and privileges for a project can be defined centrally (project meta-role or archetype) or on a per-project level. Projects can be automatically represented by entitlements, e.g. by automatically creating and managing Active Directory groups for projects. Delegated administration can be used to allow project managers to control certain aspects of their projects (e.g. project name, description and membership).
  Features: Reporting, Delegated administration

A.5.9 Inventory of information and other associated assets
  Necessity: optional
  Features: Role governance, Application inventory

A.5.10 Acceptable use of information and other associated assets
  Necessity: necessary
  Features: Object lifecycle, Object metadata, Access certification

A.5.12 Classification of information
  Necessity: optional
  Features: Role governance
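The role-level SoD mechanism described under A.5.3 (role exclusion in a policy rule, with gradual enforcement) as an added configuration example; this is not taken from the midPoint documentation, and the role names and OIDs are constructed placeholders to be replaced with a deployment's own.

```xml
<!-- Added example, not part of the original page. Two roles that must never be
     held by the same user. Role names and OIDs are constructed placeholders. -->
<objects xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">

    <role oid="aaaaaaaa-0000-0000-0000-000000000001">
        <name>Payment Creator</name>
    </role>

    <role oid="aaaaaaaa-0000-0000-0000-000000000002">
        <name>Payment Approver</name>
        <!-- The SoD rule lives in the role itself: anyone who already holds
             "Payment Creator" conflicts with this role. -->
        <assignment>
            <policyRule>
                <name>sod-payment-creator-vs-approver</name>
                <policyConstraints>
                    <exclusion>
                        <!-- Reference to the conflicting role (placeholder OID). -->
                        <targetRef oid="aaaaaaaa-0000-0000-0000-000000000001"
                                   type="RoleType"/>
                    </exclusion>
                </policyConstraints>
                <policyActions>
                    <!-- Phase 1 (monitoring): the violation is only recorded as a
                         policy situation on the user, so existing violations can be
                         reported and cleaned up before anything is blocked. -->
                    <record/>
                    <!-- Phase 2 (enforcement): once the report is clean, replace
                         <record/> with <enforcement/> so the conflicting
                         assignment is rejected. An <approval/> action can be used
                         instead where violations must be "legalized" by an approver. -->
                </policyActions>
            </policyRule>
        </assignment>
    </role>

</objects>
```

Running a report on users whose policy situation was recorded in phase 1 gives the violation list that must be empty before switching the rule to enforcement.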